
On Thu, Nov 29, 2007 at 05:18:41PM +0000, Daniel P. Berrange wrote:
This patch adds support for an PolicyKit authentication mechanism. This was previously described here:
http://www.redhat.com/archives/libvir-list/2007-September/msg00168.html
If PolicyKit is compiled in, then the UNIX domain sockets have their default settings changed to make sure of PolicyKit. Thus, when PolicyKit is enabled, both the RO & RW sockets are mode 0777. PolicyKit is then called upon client connect to decide whether to allow the client to gain access.
The policyfile is shipped in /usr/share/PolicyKit/policy and has default settings to mimic current non-PolicyKit access. If making a read-only connection, any application will be granted access by default. If making a read-write connection, applications will need to authenticate against policykit by providing the user's own password. This is akin to 'sudo' style auth. The credentials persist until the user logs out.
The file in /etc/PolicyKit/PolicyKit.conf can be used by the local sysadmin to override the default policy on a per-host basis. eg, they could restrict access to the read-only connections, or open up the read-write connections to more apps. See 'man PolicyKit.conf' for more info.
The configure script will check for PolicyKit using pkg-config and only enable it if actually present. So any OS without PolicyKit will not be impacted by this patch.
b/qemud/libvirtd.policy | 42 +++++++++++ configure.in | 25 ++++++ libvirt.spec.in | 3 qemud/Makefile.am | 11 ++ qemud/internal.h | 7 + qemud/libvirtd.conf | 18 +++- qemud/qemud.c | 37 +++++++++ qemud/remote.c | 135 +++++++++++++++++++++++++++++++++++- qemud/remote_dispatch_localvars.h | 1 qemud/remote_dispatch_proc_switch.h | 6 + qemud/remote_dispatch_prototypes.h | 1 qemud/remote_protocol.c | 9 ++ qemud/remote_protocol.h | 9 ++ qemud/remote_protocol.x | 10 ++ src/remote_internal.c | 35 +++++++++ 15 files changed, 340 insertions(+), 9 deletions(-)
If anyone has objections / comments wrt to this patch please say so now otherwise I'll commit it in an hour or so. Regards, Dan. -- |=- Red Hat, Engineering, Emerging Technologies, Boston. +1 978 392 2496 -=| |=- Perl modules: http://search.cpan.org/~danberr/ -=| |=- Projects: http://freshmeat.net/~danielpb/ -=| |=- GnuPG: 7D3B9505 F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 -=|