[PATCH 6/6] examples: polkit: Grant 'domain.read-secure' for the example cases

Daniel P. Berrangé berrange at redhat.com
Mon Feb 20 17:18:18 UTC 2023


On Mon, Feb 20, 2023 at 06:12:53PM +0100, Peter Krempa wrote:
> On Mon, Feb 20, 2023 at 17:09:18 +0000, Daniel P. Berrangé wrote:
> > On Mon, Feb 20, 2023 at 11:47:09AM +0100, Peter Krempa wrote:
> > > The example gives the user authorized to work with the domain permission
> > > to open the graphics socket. Since the graphics socket may be protected
> > > with a password it makes sense to grant the user the
> > > 'domain.read-secure' permission to fetch the password for the graphics
> > > object.
> > > 
> > > This also goes along with e.g. 'domain.send-input' and
> > > 'domain.screenshot' as they'll allow the user to interact with the
> > > domain even if they didn't have the password.
> > 
> > The password isn't required, as you can use virDomainOpenGraphics
> > to connect when it's a local display, and that's allowed via the
> > domain.open-graphics permission. virt-viewer at least will use
> 
> So in such case authentication is not needed? e.g. if you set up a
> password regardless of that?

Yes, if VIR_DOMAIN_OPEN_GRAPHICS_SKIPAUTH is set as a flag.

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

