Re: [libvirt] [PATCH] PolicyKit: Check auth before asking client to obtain it

On 01/03/2012 03:35 PM, Jim Fehlig wrote: > I previously mentioned [1] a PolicyKit issue where libvirt would > proceed with authentication even though polkit-auth failed: > > testusr xen134:~> virsh list --all > Attempting to obtain authorization for org.libvirt.unix.manage. > polkit-grant-helper: given auth type (8 -> yes) is bogus > Failed to obtain authorization for org.libvirt.unix.manage. > Id Name State > ---------------------------------- > 0 Domain-0 running > - sles11sp1-pv shut off > > AFAICT, libvirt attempts to obtain a privilege it already has, > causing polkit-auth to fail with above message. Instead of calling > obtain and then checking auth, IMO the workflow should be for the > server to check auth first, and if that fails ask the client to > obtain it and check again. This workflow also allows for checking > only successful exit of polkit-auth in virConnectAuthGainPolkit(). > > [1] https://www.redhat.com/archives/libvir-list/2011-December/msg00837.html > --- > src/libvirt.c | 2 +- > src/remote/remote_driver.c | 11 +++++++++++ > 2 files changed, 12 insertions(+), 1 deletions(-) This looks reasonable to me, but I'd like a second opinion from someone more familiar with the PolicyKit code before you push anything (that would probably be DV or danpb). If they agree, then I think it can go in 0.9.9.