Re: [Libvir] PATCH: 4/10: PolicyKit authentication support

5 Dec 2007


      On Thu, Nov 29, 2007 at 05:18:41PM +0000, Daniel P. Berrange wrote:
...
This patch adds support for an PolicyKit authentication mechanism. This
was previously described here:
http://www.redhat.com/archives/libvir-list/2007-September/msg00168.html
If PolicyKit is compiled in, then the UNIX domain sockets have their
default settings changed to make sure of PolicyKit. Thus, when PolicyKit
is enabled, both the RO & RW sockets are mode 0777. PolicyKit is then
called upon client connect to decide whether to allow the client to gain
access.
The policyfile is shipped in /usr/share/PolicyKit/policy and has default
settings to mimic current non-PolicyKit access. If making a read-only
connection, any application will be granted access by default. If making
a read-write connection, applications will need to authenticate against
policykit by providing the user's own password. This is akin to 'sudo'
style auth. The credentials persist until the user logs out.
The file in /etc/PolicyKit/PolicyKit.conf can be used by the local sysadmin
to override the default policy on a per-host basis. eg, they could restrict
access to the read-only connections, or open up the read-write connections
to more apps. See 'man PolicyKit.conf' for more info.
The configure script will check for PolicyKit using pkg-config and only
enable it if actually present. So any OS without PolicyKit will not be
impacted by this patch.
b/qemud/libvirtd.policy             |   42 +++++++++++
 configure.in                        |   25 ++++++
 libvirt.spec.in                     |    3 
 qemud/Makefile.am                   |   11 ++
 qemud/internal.h                    |    7 +
 qemud/libvirtd.conf                 |   18 +++-
 qemud/qemud.c                       |   37 +++++++++
 qemud/remote.c                      |  135 +++++++++++++++++++++++++++++++++++-
 qemud/remote_dispatch_localvars.h   |    1 
 qemud/remote_dispatch_proc_switch.h |    6 +
 qemud/remote_dispatch_prototypes.h  |    1 
 qemud/remote_protocol.c             |    9 ++
 qemud/remote_protocol.h             |    9 ++
 qemud/remote_protocol.x             |   10 ++
 src/remote_internal.c               |   35 +++++++++
 15 files changed, 340 insertions(+), 9 deletions(-)
If anyone has objections / comments wrt to this patch please say so now
otherwise I'll commit it in an hour or so.

Regards,
Dan.
-- 
|=- Red Hat, Engineering, Emerging Technologies, Boston.  +1 978 392 2496 -=|
|=-           Perl modules: http://search.cpan.org/~danberr/              -=|
|=-               Projects: http://freshmeat.net/~danielpb/               -=|
|=-  GnuPG: 7D3B9505   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505  -=|