On Wed, Jun 17, 2009 at 05:51:27PM -0400, Jim Paris wrote:
Daniel P. Berrange wrote:
17:34:59.360: debug : call:6947 : Doing call 70 (nil)
17:34:59.360: debug : call:7017 : We have the buck 70 0xbccef0 0xbccef0
17:34:59.433: debug : processCallRecvLen:6605 : Got length, now need 128 total (124 more)
17:34:59.434: debug : processCalls:6873 : Giving up the buck 70 0xbccef0 (nil)
17:34:59.434: debug : call:7048 : All done with our call 70 (nil) 0xbccef0
17:34:59.434: error : server_error:7231 : authentication failed
17:35:13.585: debug : do_open:999 : driver 4 remote returned ERROR
17:35:13.585: debug : virUnrefConnect:232 : unref connection 0xbc6a60 1
17:35:13.585: debug : virReleaseConnect:191 : release connection 0xbc6a60
If I kill the libvirtd process on the server, the client then finally prints:
error: authentication failed
error: failed to connect to the hypervisor
and the client then exits.
Ok, this bit definitely sounds like a server side bug, unless
perhaps there is some buffering taking place in ssh or nc
causing the error reply packet to not be sent back promptly.
On the server side, the libvirtd output is
17:34:59.378: debug : remoteDispatchAuthPolkit:3385 : Start PolicyKit auth 25
17:34:59.378: info : remoteDispatchAuthPolkit:3396 : Checking PID 7551 running as 1000
17:34:59.379: debug : virEventRunOnce:567 : Poll got 1 event
17:34:59.379: debug : virEventDispatchHandles:450 : Dispatch n=2 f=9 w=3 e=1 0x1a72790
17:34:59.379: debug : nodeDeviceLock:52 : LOCK node 0x1a748e0
17:34:59.379: debug : nodeDeviceUnlock:57 : UNLOCK node 0x1a748e0
17:34:59.426: error : remoteDispatchAuthPolkit:3451 : Policy kit denied action org.libvirt.unix.manage from pid 7551, uid 1000, result: auth_admin_keep_session
The hang aside, it seems libvirtd should be using
org.libvirt.unix.monitor for the readonly connection?
In this case the problem is that the remote client end is using
netcat on the wrong UNIX socket.
In remote_internal.c it does
cmd_argv[j++] = strdup (sockname ? sockname : LIBVIRTD_PRIV_UNIX_SOCKET);
When it should be doing
cmd_argv[j++] = strdup (sockname ? sockname :
    (flags & VIR_CONNECT_RO ? LIBVIRTD_PRIV_UNIX_SOCKET_RO
                            : LIBVIRTD_PRIV_UNIX_SOCKET));
that would make libvirtd use the correct permission check
Daniel
--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|