
On Fri, Oct 27, 2017 at 04:35:39PM +0200, Pino Toscano wrote:
On Friday, 27 October 2017 16:18:42 CEST Daniel P. Berrange wrote:
There is no reason for the libvirt-dbus daemon to require root privileges. All it actually needs is ability to connect to libvirtd, which can be achieved by dropping in a polkit configuration file
Now a libvirt connection to the system bus gives you privileges equivalent to root, so this doesn't really improve security on its own. It relies on there being a dbus policy that prevents users from issuing elevated APIs.
For example, a DBus policy could allow non-root users to list VMs on the system bus and get their status (aka virsh list equiv). In this case, the security isolation does give some benefit.
Security can be further improved if the admin uses the libvirt polkit file to restrict what libvirt-dbus is permitted to do.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com> --- [...] diff --git a/data/system/org.libvirt.conf b/data/system/org.libvirt.conf index 5cbc732..2b11717 100644 --- a/data/system/org.libvirt.conf +++ b/data/system/org.libvirt.conf @@ -4,7 +4,7 @@
<busconfig>
- <policy user="root"> + <policy user="libvirtdbus"> <allow own="org.libvirt"/> <allow send_destination="org.libvirt"/> </policy>
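Review bot: the `libvirtdbus` account this policy now keys on is not created anywhere in the visible diff (no sysusers fragment or package scriptlet), and dbus-daemon drops a `<policy user="...">` block whose user it cannot resolve, logging "Unknown username" at startup, so the service would then be unable to own `org.libvirt`; the user creation belongs in the same series, or the hunk should be dropped along with the file as suggested. The block also keeps `<allow send_destination="org.libvirt"/>` scoped to that single user, so unless a `<policy context="default">` or group policy outside this hunk grants send access, no client other than the service itself can call it; worth confirming against the rest of the file.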
Most probably this file should be git rm'ed, and added to the .gitignore.
Urgh yes. It seems the deletion got lost when I did a git stash and then unstashed.

Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
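As an added illustration of the D-Bus policy split the thread describes (a policy that lets ordinary users enumerate VMs while keeping privileged calls out of reach), here is a complete system-bus policy file for the `org.libvirt` name. It is example configuration written for this page, not code from the thread or from the libvirt-dbus project: the service account `libvirtdbus` is taken from the patch, while the interface name `org.libvirt.Connect`, the method `ListDomains`, and the `libvirt` group used for full access are assumptions for illustration.

```xml
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <!-- Only the unprivileged service account may claim the well-known name.
       The account itself must exist before dbus-daemon parses this file. -->
  <policy user="libvirtdbus">
    <allow own="org.libvirt"/>
  </policy>

  <!-- Any local user: introspection, property reads and the read-only
       enumeration call. Interface and member names are assumed here. -->
  <policy context="default">
    <allow send_destination="org.libvirt"
           send_interface="org.freedesktop.DBus.Introspectable"/>
    <allow send_destination="org.libvirt"
           send_interface="org.freedesktop.DBus.Properties"
           send_member="Get"/>
    <allow send_destination="org.libvirt"
           send_interface="org.freedesktop.DBus.Properties"
           send_member="GetAll"/>
    <allow send_destination="org.libvirt"
           send_interface="org.libvirt.Connect"
           send_member="ListDomains"/>
  </policy>

  <!-- Members of an assumed administrative group may call anything the
       service exports; the service's own polkit checks still apply. -->
  <policy group="libvirt">
    <allow send_destination="org.libvirt"/>
  </policy>
</busconfig>
```

Two caveats follow from how the bus evaluates these rules. The system bus denies method calls to a destination unless a matching `<allow>` exists, so every member not listed under `context="default"` (including `org.freedesktop.DBus.Properties.Set`) is rejected by dbus-daemon before the service ever sees it, and the caller gets an `AccessDenied` error. The policy language matches on destination, interface, path and member only, never on arguments, so a method whose effect depends on a flags argument cannot be split by bus policy; that kind of distinction has to be enforced inside the service, which is where the libvirt polkit rules mentioned in the thread come in.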