On Fri, 5 Dec 2025, at 14:31, Peter Krempa wrote: >> >> Then, as far as I can tell, there's lots of sockets with different >> >> permissions created by systemd in /run/libvirt (e.g. libvirt-admin-sock, >> >> libvirt-sock, libvirt-sock-ro). But since they're all passed to libvirtd >> >> as open file descriptors, I don't understand how they can give different >> >> levels of access (since libvirtd has no way of knowing which socket was >> >> used). >> > >> > Libvirt actually does know what socket you've used to connect to it and >> > actually also knows the UID of the connecting client. This allows >> > filtering access on a granular level with our ACL support. >> >> Hmm.. I'm still confused that none of the socket names are mentioned >> anywhere in the libvirtd config. For example, if I grep for `sock-ro` or >> `admin-sock` in /etc/libvirt, I get no matches. > > The full names are not mentioned, but the corresponing settings in each > config file for the daemon are: > > unix_sock_group > unix_sock_ro_perms > unix_sock_rw_perms > > etc. > > The documentation also outlines the settings.
Right. But these define the permissions of the socket when unit activation is not used. What I'm asking is, assuming someone has permission to connect to a socket, which operations can be done through the different sockets? I assume there has to be a difference, otherwise why have different sockets. Best, -Nikolaus
