Re: [libvirt] Can we allow users in 'qemu' group to skip polkit auth?
On Tue, Jun 11, 2013 at 17:11:12 -0400, Cole Robinson wrote:
There's a bug report filed against Fedora libvirt requesting a
polkit rule be
installed that grants read/write libvirt access to all users in the 'qemu'
group:
https://bugzilla.redhat.com/show_bug.cgi?id=957300
I'm inclined to agree with the reporter, and time has shown that many users
install custom polkit rules to grant their user passwordless access to libvirt
so this would definitely fill a need.
I'm sure there's plenty to consider here since we are talking about security.
Thoughts?
I don't know if it's a generally good idea or not being a polkit
illiterate, however, I know for sure it should not be allowed for 'qemu'
group. We certainly don't want QEMU (run as qemu:qemu) to be able to
mess with libvirt. That said, if we should create a dedicated 'libvirt'
group in case we implement the requested polkit rule.
Jirka