
On Fri, Apr 04, 2008 at 09:55:50AM +0200, Jim Meyering wrote:
"Daniel P. Berrange" <berrange@redhat.com> wrote:
This patch makes two adjustments to the way policy kit authentication is done.
- Currently the server unconditionally asks the client to do policykit authentication. This is unnecessary if the remote client is running as root, which we can check via UNIX socket credentials. Unconditionally asking plays havoc with SSH tunneling, so this patch makes it check the socket credentials & not ask for auth if the client is UID==0
- The virsh client will unconditionally call polkit-auth to request credentials. This is also unnecessary if the client is running as root, so this patch makes it skip that step as root.
The patch is bigger than it seems because removing an if() conditional made a huge chunk be re-indented.
Good idea. Looks fine. ACK.
[BTW, thanks for the SO_PEERCRED example -- I didn't know about it, and was surprised to find so little documentation on it. ]
There's lots more variants on this for other OS - DBus has a whole bunch of different implementations. Unfortunately DBus is GPL/AFL licensed so I don't believe we can use their code for that directly.

Dan.
-- 
|: Red Hat, Engineering, Boston   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
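
An added illustration of the socket-credential check discussed in this thread, for Linux only (it is not code from the patch or from libvirt): the server reads the peer's UID with SO_PEERCRED and only asks for PolicyKit authentication when the peer is not root. The names `peer_credentials`, `auth_for_uid`, `auth_for_client` and the `AUTH_*` values are hypothetical, and the socketpair in `main` is a constructed test connection.

```c
#define _GNU_SOURCE            /* exposes struct ucred in glibc */
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical names for this sketch, not libvirt's. */
enum auth_method { AUTH_NONE = 0, AUTH_POLKIT = 1 };

/* Fetch the kernel-recorded credentials of the peer on a connected
 * AF_UNIX socket. Returns 0 on success, -1 on any failure. */
int peer_credentials(int fd, struct ucred *cred)
{
    socklen_t len = sizeof(*cred);

    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, cred, &len) < 0)
        return -1;
    return len == sizeof(*cred) ? 0 : -1;
}

/* Policy from the thread: a root peer skips PolicyKit, everyone else is asked. */
enum auth_method auth_for_uid(uid_t uid)
{
    return uid == 0 ? AUTH_NONE : AUTH_POLKIT;
}

/* Fail closed: if the credentials cannot be read, still demand authentication. */
enum auth_method auth_for_client(int fd)
{
    struct ucred cred;

    if (peer_credentials(fd, &cred) < 0)
        return AUTH_POLKIT;
    return auth_for_uid(cred.uid);
}

int main(void)
{
    int sv[2];
    struct ucred cred;

    /* Constructed test connection: both ends belong to this process. */
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return 1;
    if (peer_credentials(sv[0], &cred) == 0)
        printf("peer pid=%ld uid=%ld -> %s\n", (long)cred.pid, (long)cred.uid,
               auth_for_client(sv[0]) == AUTH_NONE ? "no auth" : "polkit");
    close(sv[0]);
    close(sv[1]);
    return 0;
}
```

The credentials returned are those in effect when the peer called connect(2) or socketpair(2), so they describe the process that opened the UNIX socket, not any later change of identity.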