subject:"\[PATCH\] polkit\: Allow libvirt group access to libvirtd ro socket"

Re: [PATCH] polkit: Allow libvirt group access to libvirtd ro socket

2020-12-01 Thread Jim Fehlig


On 12/1/20 5:15 PM, Neal Gompa wrote:

On Tue, Dec 1, 2020 at 4:23 PM Jim Fehlig  wrote:


On 12/1/20 2:17 AM, Daniel P. Berrangé wrote:

On Mon, Nov 30, 2020 at 05:28:16PM -0700, Jim Fehlig wrote:

As a normal user, 'virsh connect qemu:///system' and
'virsh connect --readonly qemu:///system' will prompt for root password.
If the user is added to the libvirt group, only
'virsh connect --readonly qemu:///system' will prompt for root password.


This doesn't make sense - the readonly case should never prompt for
a password, since libvirtd.polkit.in grants that permission out of
the box.


I thought something smelled a bit fishy. I meant to annotate the patch with "It
is possible I have a broader polkit config issue", but forgot before sending it
last night.

And indeed after looking again today with fresh eyes I see the problem is in our
polkit-default-privs package -> downstream bug. Ignore this patch.



Hah, and I didn't catch this because I rip out the default openSUSE
stuff that ruins usability by restricting polkit too much. :)


It has been a long time, but I've tripped over default-privs in the past. This 
time it was the difference between "restricted" (default in SLES) and "standard" 
(default in openSUSE) rules that got me. See /etc/sysconfig/security.


Regards,
Jim

Re: [PATCH] polkit: Allow libvirt group access to libvirtd ro socket

2020-12-01 Thread Jim Fehlig


On 12/1/20 2:17 AM, Daniel P. Berrangé wrote:

On Mon, Nov 30, 2020 at 05:28:16PM -0700, Jim Fehlig wrote:

As a normal user, 'virsh connect qemu:///system' and
'virsh connect --readonly qemu:///system' will prompt for root password.
If the user is added to the libvirt group, only
'virsh connect --readonly qemu:///system' will prompt for root password.


This doesn't make sense - the readonly case should never prompt for
a password, since libvirtd.polkit.in grants that permission out of
the box.


I thought something smelled a bit fishy. I meant to annotate the patch with "It 
is possible I have a broader polkit config issue", but forgot before sending it 
last night.


And indeed after looking again today with fresh eyes I see the problem is in our 
polkit-default-privs package -> downstream bug. Ignore this patch.


Regards,
Jim

Re: [PATCH] polkit: Allow libvirt group access to libvirtd ro socket

2020-12-01 Thread Neal Gompa

On Tue, Dec 1, 2020 at 4:23 PM Jim Fehlig  wrote:
>
> On 12/1/20 2:17 AM, Daniel P. Berrangé wrote:
> > On Mon, Nov 30, 2020 at 05:28:16PM -0700, Jim Fehlig wrote:
> >> As a normal user, 'virsh connect qemu:///system' and
> >> 'virsh connect --readonly qemu:///system' will prompt for root password.
> >> If the user is added to the libvirt group, only
> >> 'virsh connect --readonly qemu:///system' will prompt for root password.
> >
> > This doesn't make sense - the readonly case should never prompt for
> > a password, since libvirtd.polkit.in grants that permission out of
> > the box.
>
> I thought something smelled a bit fishy. I meant to annotate the patch with 
> "It
> is possible I have a broader polkit config issue", but forgot before sending 
> it
> last night.
>
> And indeed after looking again today with fresh eyes I see the problem is in 
> our
> polkit-default-privs package -> downstream bug. Ignore this patch.
>

Hah, and I didn't catch this because I rip out the default openSUSE
stuff that ruins usability by restricting polkit too much. :)

Shame on me for not double checking my environment. :)


-- 
真実はいつも一つ！/ Always, there's only one truth!

Re: [PATCH] polkit: Allow libvirt group access to libvirtd ro socket

2020-12-01 Thread Erik Skultety

On Tue, Dec 01, 2020 at 09:17:01AM +, Daniel P. Berrangé wrote:
> On Mon, Nov 30, 2020 at 05:28:16PM -0700, Jim Fehlig wrote:
> > As a normal user, 'virsh connect qemu:///system' and
> > 'virsh connect --readonly qemu:///system' will prompt for root password.
> > If the user is added to the libvirt group, only
> > 'virsh connect --readonly qemu:///system' will prompt for root password.
> 
> This doesn't make sense - the readonly case should never prompt for
> a password, since libvirtd.polkit.in grants that permission out of
> the box. The libvirtd.rules file should just be extending what is
> defined in the main libvirtd.polkit file.

In fact, this caught my eye and it works as expected on Fedora, can you share a
bit more on what setup this fails for you?

Erik

Re: [PATCH] polkit: Allow libvirt group access to libvirtd ro socket

2020-12-01 Thread Daniel P . Berrangé

On Mon, Nov 30, 2020 at 05:28:16PM -0700, Jim Fehlig wrote:
> As a normal user, 'virsh connect qemu:///system' and
> 'virsh connect --readonly qemu:///system' will prompt for root password.
> If the user is added to the libvirt group, only
> 'virsh connect --readonly qemu:///system' will prompt for root password.

This doesn't make sense - the readonly case should never prompt for
a password, since libvirtd.polkit.in grants that permission out of
the box. The libvirtd.rules file should just be extending what is
defined in the main libvirtd.polkit file.

> 
> The libvirt polkit rules already allow libvirt group members access to
> the rw socket. Add a rule allowing to access the ro socket.
> 
> Signed-off-by: Jim Fehlig 
> ---
>  src/remote/libvirtd.rules | 11 +--
>  1 file changed, 9 insertions(+), 2 deletions(-)
> 
> diff --git a/src/remote/libvirtd.rules b/src/remote/libvirtd.rules
> index 01a15fac2e..d9be94fcc4 100644
> --- a/src/remote/libvirtd.rules
> +++ b/src/remote/libvirtd.rules
> @@ -1,5 +1,12 @@
> -// Allow any user in the 'libvirt' group to connect to system libvirtd
> -// without entering a password.
> +// Allow any user in the 'libvirt' group to connect to the system libvirtd
> +// ro and rw sockets without entering a password.
> +
> +polkit.addRule(function(action, subject) {
> +if (action.id == "org.libvirt.unix.monitor" &&
> +subject.isInGroup("libvirt")) {
> +return polkit.Result.YES;
> +}
> +});
>  
>  polkit.addRule(function(action, subject) {
>  if (action.id == "org.libvirt.unix.manage" &&
> -- 
> 2.29.2
> 
> 

Regards,
Daniel
-- 
|: https://berrange.com  -o-https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o-https://fstop138.berrange.com :|
|: https://entangle-photo.org-o-https://www.instagram.com/dberrange :|

[PATCH] polkit: Allow libvirt group access to libvirtd ro socket

2020-11-30 Thread Jim Fehlig

As a normal user, 'virsh connect qemu:///system' and
'virsh connect --readonly qemu:///system' will prompt for root password.
If the user is added to the libvirt group, only
'virsh connect --readonly qemu:///system' will prompt for root password.

The libvirt polkit rules already allow libvirt group members access to
the rw socket. Add a rule allowing to access the ro socket.

Signed-off-by: Jim Fehlig 
---
 src/remote/libvirtd.rules | 11 +--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/src/remote/libvirtd.rules b/src/remote/libvirtd.rules
index 01a15fac2e..d9be94fcc4 100644
--- a/src/remote/libvirtd.rules
+++ b/src/remote/libvirtd.rules
@@ -1,5 +1,12 @@
-// Allow any user in the 'libvirt' group to connect to system libvirtd
-// without entering a password.
+// Allow any user in the 'libvirt' group to connect to the system libvirtd
+// ro and rw sockets without entering a password.
+
+polkit.addRule(function(action, subject) {
+if (action.id == "org.libvirt.unix.monitor" &&
+subject.isInGroup("libvirt")) {
+return polkit.Result.YES;
+}
+});
 
 polkit.addRule(function(action, subject) {
 if (action.id == "org.libvirt.unix.manage" &&
-- 
2.29.2

Re: [PATCH] polkit: Allow libvirt group access to libvirtd ro socket

2020-11-30 Thread Neal Gompa

On Mon, Nov 30, 2020 at 7:29 PM Jim Fehlig  wrote:
>
> As a normal user, 'virsh connect qemu:///system' and
> 'virsh connect --readonly qemu:///system' will prompt for root password.
> If the user is added to the libvirt group, only
> 'virsh connect --readonly qemu:///system' will prompt for root password.
>
> The libvirt polkit rules already allow libvirt group members access to
> the rw socket. Add a rule allowing to access the ro socket.
>
> Signed-off-by: Jim Fehlig 
> ---
>  src/remote/libvirtd.rules | 11 +--
>  1 file changed, 9 insertions(+), 2 deletions(-)
>
> diff --git a/src/remote/libvirtd.rules b/src/remote/libvirtd.rules
> index 01a15fac2e..d9be94fcc4 100644
> --- a/src/remote/libvirtd.rules
> +++ b/src/remote/libvirtd.rules
> @@ -1,5 +1,12 @@
> -// Allow any user in the 'libvirt' group to connect to system libvirtd
> -// without entering a password.
> +// Allow any user in the 'libvirt' group to connect to the system libvirtd
> +// ro and rw sockets without entering a password.
> +
> +polkit.addRule(function(action, subject) {
> +if (action.id == "org.libvirt.unix.monitor" &&
> +subject.isInGroup("libvirt")) {
> +return polkit.Result.YES;
> +}
> +});
>
>  polkit.addRule(function(action, subject) {
>  if (action.id == "org.libvirt.unix.manage" &&
> --
> 2.29.2
>
>

LGTM.

Reviewed-by: Neal Gompa 


-- 
真実はいつも一つ！/ Always, there's only one truth!

Re: [PATCH] polkit: Allow libvirt group access to libvirtd ro socket

Re: [PATCH] polkit: Allow libvirt group access to libvirtd ro socket

Re: [PATCH] polkit: Allow libvirt group access to libvirtd ro socket

Re: [PATCH] polkit: Allow libvirt group access to libvirtd ro socket

Re: [PATCH] polkit: Allow libvirt group access to libvirtd ro socket

[PATCH] polkit: Allow libvirt group access to libvirtd ro socket

Re: [PATCH] polkit: Allow libvirt group access to libvirtd ro socket

7 matches

Site Navigation

Mail list logo

Footer information