libvirt can be configured in two ways: to use policykit for authentication, or to use traditional unix permissions. Ubuntu uses the traditional permissions configuration, not the policykit one.

libvirt-dbus ships with a /var/lib/polkit-1/localauthority/10-vendor.d/libvirt-dbus.pkla file that contains:

    [Allow libvirt-dbus to manage libvirt]
    Identity=unix-user:libvirtdbus
    Action=org.libvirt.unix.manage
    ResultAny=yes
    ResultInactive=yes
    ResultActive=yes

This allows the libvirtdbus user to manage libvirt. Since we don't use the policykit configuration, this has no effect. The equivalent would be in fact to add the libvirtdbus user to the libvirt group as suggested above.

To prevent unprivileged users from connecting to the libvirt-dbus daemon, it uses a dbus configuration file at /usr/share/dbus-1/system.d/org.libvirt.conf which only allows the root user and members of the libvirt group access to the service.

I have confirmed that adding the libvirtdbus user to the libvirt group as listed above allows the service to function, while blocking unprivileged users from accessing it, so +1 from me.

As for the second configuration change above, adding the libvirt-qemu user to the libvirt group, I am not sure why that is required. Could someone explain why that would be required?

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1802005

Title:
  socket is inaccessible for libvirt-dbus
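The D-Bus policy restriction described in the comment above can be checked mechanically. The following is an added example, not part of the original bug comment or of libvirt-dbus: it parses a busconfig policy and lists which principals may send to a service. The bus name `org.libvirt`, both sample policies and the function names are assumptions constructed for illustration; they are not the contents of the shipped org.libvirt.conf.

```python
import xml.etree.ElementTree as ET

# Constructed samples in the D-Bus busconfig format. They are NOT the
# shipped /usr/share/dbus-1/system.d/org.libvirt.conf.
SAMPLE_RESTRICTED = """<busconfig>
  <policy user="root">
    <allow own="org.libvirt"/>
    <allow send_destination="org.libvirt"/>
  </policy>
  <policy group="libvirt">
    <allow send_destination="org.libvirt"/>
  </policy>
</busconfig>"""

SAMPLE_OPEN = """<busconfig>
  <policy context="default">
    <allow send_destination="org.libvirt"/>
  </policy>
</busconfig>"""


def senders_allowed(policy_xml, destination):
    """Return the sorted principals whose <policy> block allows sending
    to `destination`. Inside one block the last matching rule wins.
    Simplification: each block is judged on its own; precedence between
    blocks is not modelled."""
    allowed = set()
    for policy in ET.fromstring(policy_xml).iter("policy"):
        if "user" in policy.attrib:
            who = "user:" + policy.attrib["user"]
        elif "group" in policy.attrib:
            who = "group:" + policy.attrib["group"]
        else:  # context="default" or "mandatory": applies to every caller
            who = "context:" + policy.attrib.get("context", "unknown")
        verdict = None
        for rule in policy:
            if (rule.tag in ("allow", "deny")
                    and rule.attrib.get("send_destination") == destination):
                verdict = rule.tag
        if verdict == "allow":
            allowed.add(who)
    return sorted(allowed)


def open_to_everyone(policy_xml, destination):
    """True if a context-wide block lets any local user reach the service."""
    return any(p.startswith("context:")
               for p in senders_allowed(policy_xml, destination))
```

To audit an installed system, pass the text of the real policy file to `senders_allowed` instead of the constructed samples.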
