Re: [libvirt] [PATCH] polkit: Allow password-less access for 'libvirt' group

Many users, who admin their own machines, want to be able to access system libvirtd via tools like virt-manager without having to enter a root password. Just google 'virt-manager without password' and you'll find many hits. I've read at least 5 blog posts over the years describing slightly different ways of achieving this goal. Let's finally add official support for this. Install a polkit-1 rules file granting password-less auth for any user in the new 'libvirt' group. Create the group on RPM install https://bugzilla.redhat.com/show_bug.cgi?id=957300 --- daemon/50-libvirt.rules | 9 +++++++++ daemon/Makefile.am | 13 +++++++++++++ libvirt.spec.in | 15 +++++++++++++-- 3 files changed, 35 insertions(+), 2 deletions(-) create mode 100644 daemon/50-libvirt.rules diff --git a/daemon/50-libvirt.rules b/daemon/50-libvirt.rules new file mode 100644 index 0000000..01a15fa --- /dev/null +++ b/daemon/50-libvirt.rules @@ -0,0 +1,9 @@ +// Allow any user in the 'libvirt' group to connect to system libvirtd +// without entering a password. + +polkit.addRule(function(action, subject) { + if (action.id == "org.libvirt.unix.manage" && + subject.isInGroup("libvirt")) { + return polkit.Result.YES; + } +});

diff --git a/daemon/Makefile.am b/daemon/Makefile.am index 300b9a5..e200ac1 100644 --- a/daemon/Makefile.am +++ b/daemon/Makefile.am @@ -53,6 +53,7 @@ EXTRA_DIST = \ libvirtd.init.in \ libvirtd.upstart \ libvirtd.policy.in \ + 50-libvirt.rules \ libvirtd.sasl \ libvirtd.service.in \ libvirtd.socket.in \ @@ -233,6 +234,8 @@ policyauth = auth_admin_keep_session else ! WITH_POLKIT0 policydir = $(datadir)/polkit-1/actions policyauth = auth_admin_keep +rulesdir = $(datadir)/polkit-1/rules.d +rulesfile = 50-libvirt.rules endif ! WITH_POLKIT0 endif WITH_POLKIT @@ -263,9 +266,19 @@ if WITH_POLKIT install-data-polkit:: $(MKDIR_P) $(DESTDIR)$(policydir) $(INSTALL_DATA) libvirtd.policy $(DESTDIR)$(policydir)/org.libvirt.unix.policy +if ! WITH_POLKIT0 + $(MKDIR_P) $(DESTDIR)$(rulesdir) + $(INSTALL_DATA) $(srcdir)/$(rulesfile) $(DESTDIR)$(rulesdir) +endif ! WITH_POLKIT0 + uninstall-data-polkit:: rm -f $(DESTDIR)$(policydir)/org.libvirt.unix.policy rmdir $(DESTDIR)$(policydir) || : +if ! WITH_POLKIT0 + rm -f $(DESTDIR)$(rulesdir)/$(rulesfile) + rmdir $(DESTDIR)$(rulesdir) +endif ! WITH_POLKIT0 + else ! WITH_POLKIT install-data-polkit:: uninstall-data-polkit:: diff --git a/libvirt.spec.in b/libvirt.spec.in index 20af502..c71ef25 100644 --- a/libvirt.spec.in +++ b/libvirt.spec.in @@ -1645,9 +1645,9 @@ then fi %if %{with_libvirtd} +%pre daemon %if ! %{with_driver_modules} %if %{with_qemu} -%pre daemon %if 0%{?fedora} || 0%{?rhel} >= 6 # We want soft static allocation of well-known ids, as disk images # are commonly shared across NFS mounts by id rather than name; see @@ -1661,11 +1661,21 @@ if ! getent passwd qemu >/dev/null; then useradd -r -g qemu -G kvm -d / -s /sbin/nologin -c "qemu user" qemu fi fi -exit 0 %endif %endif %endif + %if %{with_polkit} + %if 0%{?fedora} || 0%{?rhel} >= 6 +# 'libvirt' group is just to allow password-less polkit access to +# libvirtd. The uid number is irrelevant, so we use dynamic allocation +# described at the above link. +getent group libvirt >/dev/null || groupadd -r libvirt + %endif + %endif + +exit 0 + %post daemon %if %{with_systemd} @@ -1939,6 +1949,7 @@ exit 0 %if 0%{?fedora} || 0%{?rhel} >= 6 %{_datadir}/polkit-1/actions/org.libvirt.unix.policy %{_datadir}/polkit-1/actions/org.libvirt.api.policy +%{_datadir}/polkit-1/rules.d/50-libvirt.rules %else %{_datadir}/PolicyKit/policy/org.libvirt.unix.policy %endif -- 2.3.6 -- libvir-list mailing list libvir-list(a)redhat.com https://www.redhat.com/mailman/listinfo/libvir-list