Daniel P. Berrange wrote:
On Thu, Jan 05, 2012 at 01:12:37PM -0700, Eric Blake wrote:
> On 01/03/2012 03:35 PM, Jim Fehlig wrote:
>
>> I previously mentioned [1] a PolicyKit issue where libvirt would
>> proceed with authentication even though polkit-auth failed:
>>
>> testusr xen134:~> virsh list --all
>> Attempting to obtain authorization for org.libvirt.unix.manage.
>> polkit-grant-helper: given auth type (8 -> yes) is bogus
>> Failed to obtain authorization for org.libvirt.unix.manage.
>> Id Name State
>> ----------------------------------
>> 0 Domain-0 running
>> - sles11sp1-pv shut off
>>
>> AFAICT, libvirt attempts to obtain a privilege it already has,
>> causing polkit-auth to fail with above message. Instead of calling
>> obtain and then checking auth, IMO the workflow should be for the
>> server to check auth first, and if that fails ask the client to
>> obtain it and check again. This workflow also allows for checking
>> only successful exit of polkit-auth in virConnectAuthGainPolkit().
>>
>> [1] https://www.redhat.com/archives/libvir-list/2011-December/msg00837.html
>> ---
>> src/libvirt.c | 2 +-
>> src/remote/remote_driver.c | 11 +++++++++++
>> 2 files changed, 12 insertions(+), 1 deletions(-)
>>
> This looks reasonable to me, but I'd like a second opinion from someone
> more familiar with the PolicyKit code before you push anything (that
> would probably be DV or danpb). If they agree, then I think it can go
> in 0.9.9.
>
ACK

Thanks. Should I push this for 0.9.9?

Out of interest, what Suse distro releases are still relying on
the old policy kit code, as opposed to the new style?

SLES11 contains the old PolicyKit package, so I'll need the libvirt
integration to work for quite some time :-/. All supported openSUSE
distros use the new polkit packages.

Regards,
Jim
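
The two orderings discussed in the commit message, as an added example that is not part of the thread or of the libvirt patch. `struct session`, `server_check` and `client_obtain` are hypothetical stand-ins, not libvirt or PolicyKit APIs, and the helper is assumed to fail when asked for a privilege the caller already holds, as the report describes.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of one connection; not a libvirt structure. */
struct session {
    bool has_privilege;    /* what the server-side check reports */
    bool helper_can_grant; /* whether the obtain helper could succeed */
    int  helper_calls;     /* number of times the helper was run */
};

/* Hypothetical server-side authorization check. */
static bool server_check(const struct session *s) { return s->has_privilege; }

/* Hypothetical client-side obtain helper; returns an exit status.
 * Assumption from the report: it fails if the privilege is already held. */
static int client_obtain(struct session *s) {
    s->helper_calls++;
    if (s->has_privilege || !s->helper_can_grant)
        return 1;
    s->has_privilege = true;
    return 0;
}

/* Obtain first, then check: a helper failure is reported but the
 * server check still decides, giving the confusing output in the report. */
bool authorize_obtain_first(struct session *s, bool *helper_failed) {
    *helper_failed = (client_obtain(s) != 0);
    return server_check(s);
}

/* Check first; only on failure ask the client to obtain, then re-check.
 * The helper's exit status can now be treated as a hard failure. */
bool authorize_check_first(struct session *s) {
    if (server_check(s))
        return true;               /* already authorized, helper not run */
    if (client_obtain(s) != 0)
        return false;              /* only a successful exit continues */
    return server_check(s);        /* the server still makes the decision */
}

int main(void) {
    struct session held = { true, true, 0 };
    bool failed = false;
    bool ok = authorize_obtain_first(&held, &failed);
    printf("obtain-first: helper_failed=%d authorized=%d\n", failed, ok);
    struct session held2 = { true, true, 0 };
    ok = authorize_check_first(&held2);
    printf("check-first: helper_calls=%d authorized=%d\n", held2.helper_calls, ok);
    return 0;
}
```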