[libvirt] [PATCH v2] polkit: Allow password-less access for 'libvirtadm' group
Many users, who admin their own machines, want to be able to access
system libvirtd via tools like virt-manager without having to enter
a root password. Just google 'virt-manager without password' and
you'll find many hits. I've read at least 5 blog posts over the years
describing slightly different ways of achieving this goal.
Let's finally add official support for this.
Install a polkit-1 rules file granting password-less auth for any user
in the new 'libvirtadm' group. Create the group on RPM install
https://bugzilla.redhat.com/show_bug.cgi?id=957300
---
v2:
- Name the group libvirtadm (danpb)
- Name the source file libvirt.rules and rename on install (eblake)
daemon/Makefile.am | 13 +++++++++++++
daemon/libvirt.rules | 9 +++++++++
libvirt.spec.in | 15 +++++++++++++--
3 files changed, 35 insertions(+), 2 deletions(-)
create mode 100644 daemon/libvirt.rules
diff --git a/daemon/Makefile.am b/daemon/Makefile.am
index 300b9a5..974feed 100644
--- a/daemon/Makefile.am
+++ b/daemon/Makefile.am
@@ -53,6 +53,7 @@ EXTRA_DIST = \
libvirtd.init.in \
libvirtd.upstart \
libvirtd.policy.in \
+ libvirt.rules \
libvirtd.sasl \
libvirtd.service.in \
libvirtd.socket.in \
@@ -233,6 +234,8 @@ policyauth = auth_admin_keep_session
else ! WITH_POLKIT0
policydir = $(datadir)/polkit-1/actions
policyauth = auth_admin_keep
+rulesdir = $(datadir)/polkit-1/rules.d
+rulesfile = libvirt.rules
endif ! WITH_POLKIT0
endif WITH_POLKIT
@@ -263,9 +266,19 @@ if WITH_POLKIT
install-data-polkit::
$(MKDIR_P) $(DESTDIR)$(policydir)
$(INSTALL_DATA) libvirtd.policy $(DESTDIR)$(policydir)/org.libvirt.unix.policy
+if ! WITH_POLKIT0
+ $(MKDIR_P) $(DESTDIR)$(rulesdir)
+ $(INSTALL_DATA) $(srcdir)/$(rulesfile) $(DESTDIR)$(rulesdir)/50-libvirt.rules
+endif ! WITH_POLKIT0
+
uninstall-data-polkit::
rm -f $(DESTDIR)$(policydir)/org.libvirt.unix.policy
rmdir $(DESTDIR)$(policydir) || :
+if ! WITH_POLKIT0
+ rm -f $(DESTDIR)$(rulesdir)/50-libvirt.rules
+ rmdir $(DESTDIR)$(rulesdir) || :
+endif ! WITH_POLKIT0
+
else ! WITH_POLKIT
install-data-polkit::
uninstall-data-polkit::
diff --git a/daemon/libvirt.rules b/daemon/libvirt.rules
new file mode 100644
index 0000000..e70c09b
--- /dev/null
+++ b/daemon/libvirt.rules
@@ -0,0 +1,9 @@
+// Allow any user in the 'libvirtadm' group to connect to system libvirtd
+// without entering a password.
+
+polkit.addRule(function(action, subject) {
+ if (action.id == "org.libvirt.unix.manage" &&
+ subject.isInGroup("libvirtadm")) {
+ return polkit.Result.YES;
+ }
+});
diff --git a/libvirt.spec.in b/libvirt.spec.in
index 20af502..10a28a2 100644
--- a/libvirt.spec.in
+++ b/libvirt.spec.in
@@ -1645,9 +1645,9 @@ then
fi
%if %{with_libvirtd}
+%pre daemon
%if ! %{with_driver_modules}
%if %{with_qemu}
-%pre daemon
%if 0%{?fedora} || 0%{?rhel} >= 6
# We want soft static allocation of well-known ids, as disk images
# are commonly shared across NFS mounts by id rather than name; see
@@ -1661,11 +1661,21 @@ if ! getent passwd qemu >/dev/null; then
useradd -r -g qemu -G kvm -d / -s /sbin/nologin -c "qemu user" qemu
fi
fi
-exit 0
%endif
%endif
%endif
+ %if %{with_polkit}
+ %if 0%{?fedora} || 0%{?rhel} >= 6
+# 'libvirtadm' group is just to allow password-less polkit access to
+# libvirtd. The uid number is irrelevant, so we use dynamic allocation
+# described at the above link.
+getent group libvirtadm >/dev/null || groupadd -r libvirtadm
+ %endif
+ %endif
+
+exit 0
+
%post daemon
%if %{with_systemd}
@@ -1939,6 +1949,7 @@ exit 0
%if 0%{?fedora} || 0%{?rhel} >= 6
%{_datadir}/polkit-1/actions/org.libvirt.unix.policy
%{_datadir}/polkit-1/actions/org.libvirt.api.policy
+%{_datadir}/polkit-1/rules.d/50-libvirt.rules
%else
%{_datadir}/PolicyKit/policy/org.libvirt.unix.policy
%endif
--
2.3.6