On Fri, Aug 30, 2024 at 14:43:02 +0200, Lee Garrett wrote:
> Hi everyone,
> while using virt-v2v I've hit an issue [0], where essentially virt-v2v fails
> as non-root user, due to /var/lib/libvirt/images/ belonging to root:root. I
> proposed to change the ownership to root:libvirt, and permission bits to
> ug=rwx,o=x, as that would allow users of the libvirt group to use virt-v2v
> without running as root.
Non-root users of libvirt can still keep their images in the home
directory and don't actually have to use /var/lib/libvirt/images.
virt-v2v in non-root mode should not actually use that directory but
rather use one in the path it is allowed to.
> My questions here are: Are there any downsides to this? AFAICS users of the
> libvirt group are allowed changed images via the libvirt API anyway, so from
> the security standpoint there should be no change. And if there are none,
> can we change the upstream default to those permissions?
By default non-root users are required to authenticate via polkit first
to access the system (root) instance of libvirt daemons.
Then they normally can use all of libvirt APIs, but admins can also
define ACL rules for certain objects removing the ability to see or
manage certain objects or restrict certain actions (based on what the
admin wants).
Effectively a user of the system instance who is allowed to modify the
VM xml has access level equivalent to the root user as VM xml can be
crafted such that it executes a binary as root.
Users wanting to use the non-root (session) instance don't need to actually be
part of the libvirt group and thus don't have access to the system
instance at all.
Allowing 'w=rw' on a directory can bypass the ACL rules if there were
any restrictions placed on them. Additionally as users of session
instance of libvirt don't even need to be part of the privileged group.
Also in cases when the system is set up to have a different filesystem
for home directories, this could bypass this split by allowing certain
users to write into /var/.
As of such I don't think we'd want to do what you propose.
> Thanks in advance,
> Lee
> P.S.: Keep me CCed, I'm off-list.
> [0] downstream Debian bug with more details:
> https://bugs.debian.org/1054230
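As an added illustration of the point made in the reply (this is not code from the thread or from libvirt): a small audit that distinguishes the shipped layout of /var/lib/libvirt/images (root:root, rwx--x--x) from the proposed ug=rwx,o=x layout by checking whether group or other members could write into the directory. It assumes GNU stat and runs on constructed temporary directories, so no root and no libvirt installation is needed.

```shell
#!/bin/sh
# Added example: flag a libvirt image directory whose mode lets anyone other
# than the owner create files in it. The thread's concern is that group write
# on /var/lib/libvirt/images would let any member of the libvirt group write
# into /var regardless of libvirt ACL rules. GNU stat is assumed.

# Octal permission bits of a path, e.g. "711" or "2771".
dir_mode() {
    stat -c '%a' "$1"
}

# Return 0 if group or other has write permission on the directory, 1 otherwise.
dir_grants_non_owner_write() {
    mode=$(dir_mode "$1")
    perm=${mode#"${mode%???}"}          # keep the last three digits only
    group_bits=${perm%?}; group_bits=${group_bits#?}
    other_bits=${perm#??}
    [ $((group_bits & 2)) -ne 0 ] || [ $((other_bits & 2)) -ne 0 ]
}

# Print a verdict; exit status 1 marks the weak (proposed) layout.
audit_images_dir() {
    if dir_grants_non_owner_write "$1"; then
        echo "weak: $1 mode $(dir_mode "$1") is writable by group/other"
        return 1
    fi
    echo "ok: $1 mode $(dir_mode "$1") is writable only by its owner"
    return 0
}

# Demonstration on constructed directories (owner is the current user here,
# not root:libvirt; only the mode bits matter for this check).
demo() {
    tmp=$(mktemp -d)
    mkdir -m 0711 "$tmp/default"    # what the packages ship: rwx--x--x
    mkdir -m 0771 "$tmp/proposed"   # ug=rwx,o=x from the proposal
    audit_images_dir "$tmp/default"
    audit_images_dir "$tmp/proposed" || true
    rm -rf "$tmp"
}
```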