[libvirt] [PATCH] polkit: Allow password-less access for 'libvirt' group

Many users, who admin their own machines, want to be able to access system libvirtd via tools like virt-manager without having to enter a root password. Just google 'virt-manager without password' and you'll find many hits. I've read at least 5 blog posts over the years describing slightly different ways of achieving this goal. Let's finally add official support for this. Install a polkit-1 rules file granting password-less auth for any user in the new 'libvirt' group. Create the group on RPM install https://bugzilla.redhat.com/show_bug.cgi?id=957300 --- daemon/50-libvirt.rules | 9 +++++++++ daemon/Makefile.am | 13 +++++++++++++ libvirt.spec.in | 15 +++++++++++++-- 3 files changed, 35 insertions(+), 2 deletions(-) create mode 100644 daemon/50-libvirt.rules diff --git a/daemon/50-libvirt.rules b/daemon/50-libvirt.rules new file mode 100644 index 0000000..01a15fa --- /dev/null +++ b/daemon/50-libvirt.rules @@ -0,0 +1,9 @@ +// Allow any user in the 'libvirt' group to connect to system libvirtd +// without entering a password. + +polkit.addRule(function(action, subject) { + if (action.id == "org.libvirt.unix.manage" && + subject.isInGroup("libvirt")) { + return polkit.Result.YES; + } +}); diff --git a/daemon/Makefile.am b/daemon/Makefile.am index 300b9a5..e200ac1 100644 --- a/daemon/Makefile.am +++ b/daemon/Makefile.am @@ -53,6 +53,7 @@ EXTRA_DIST = \ libvirtd.init.in \ libvirtd.upstart \ libvirtd.policy.in \ + 50-libvirt.rules \ libvirtd.sasl \ libvirtd.service.in \ libvirtd.socket.in \ @@ -233,6 +234,8 @@ policyauth = auth_admin_keep_session else ! WITH_POLKIT0 policydir = $(datadir)/polkit-1/actions policyauth = auth_admin_keep +rulesdir = $(datadir)/polkit-1/rules.d +rulesfile = 50-libvirt.rules endif ! WITH_POLKIT0 endif WITH_POLKIT @@ -263,9 +266,19 @@ if WITH_POLKIT install-data-polkit:: $(MKDIR_P) $(DESTDIR)$(policydir) $(INSTALL_DATA) libvirtd.policy $(DESTDIR)$(policydir)/org.libvirt.unix.policy +if ! WITH_POLKIT0 + $(MKDIR_P) $(DESTDIR)$(rulesdir) + $(INSTALL_DATA) $(srcdir)/$(rulesfile) $(DESTDIR)$(rulesdir) +endif ! WITH_POLKIT0 + uninstall-data-polkit:: rm -f $(DESTDIR)$(policydir)/org.libvirt.unix.policy rmdir $(DESTDIR)$(policydir) || : +if ! WITH_POLKIT0 + rm -f $(DESTDIR)$(rulesdir)/$(rulesfile) + rmdir $(DESTDIR)$(rulesdir) +endif ! WITH_POLKIT0 + else ! WITH_POLKIT install-data-polkit:: uninstall-data-polkit:: diff --git a/libvirt.spec.in b/libvirt.spec.in index 20af502..c71ef25 100644 --- a/libvirt.spec.in +++ b/libvirt.spec.in @@ -1645,9 +1645,9 @@ then fi %if %{with_libvirtd} +%pre daemon %if ! %{with_driver_modules} %if %{with_qemu} -%pre daemon %if 0%{?fedora} || 0%{?rhel} >= 6 # We want soft static allocation of well-known ids, as disk images # are commonly shared across NFS mounts by id rather than name; see @@ -1661,11 +1661,21 @@ if ! getent passwd qemu >/dev/null; then useradd -r -g qemu -G kvm -d / -s /sbin/nologin -c "qemu user" qemu fi fi -exit 0 %endif %endif %endif + %if %{with_polkit} + %if 0%{?fedora} || 0%{?rhel} >= 6 +# 'libvirt' group is just to allow password-less polkit access to +# libvirtd. The uid number is irrelevant, so we use dynamic allocation +# described at the above link. +getent group libvirt >/dev/null || groupadd -r libvirt + %endif + %endif + +exit 0 + %post daemon %if %{with_systemd} @@ -1939,6 +1949,7 @@ exit 0 %if 0%{?fedora} || 0%{?rhel} >= 6 %{_datadir}/polkit-1/actions/org.libvirt.unix.policy %{_datadir}/polkit-1/actions/org.libvirt.api.policy +%{_datadir}/polkit-1/rules.d/50-libvirt.rules %else %{_datadir}/PolicyKit/policy/org.libvirt.unix.policy %endif -- 2.3.6

On 04/28/2015 05:51 PM, Cole Robinson wrote:
Many users, who admin their own machines, want to be able to access system libvirtd via tools like virt-manager without having to enter a root password. Just google 'virt-manager without password' and you'll find many hits. I've read at least 5 blog posts over the years describing slightly different ways of achieving this goal.
Let's finally add official support for this.
Install a polkit-1 rules file granting password-less auth for any user in the new 'libvirt' group. Create the group on RPM install
https://bugzilla.redhat.com/show_bug.cgi?id=957300 --- daemon/50-libvirt.rules | 9 +++++++++
Let's just name it daemon/libvirt.rules in git, and only rename it as part of installation (to make it a bit more obvious that someone could rename it to something other than 50- if they want a different priority).
daemon/Makefile.am | 13 +++++++++++++ libvirt.spec.in | 15 +++++++++++++-- 3 files changed, 35 insertions(+), 2 deletions(-) create mode 100644 daemon/50-libvirt.rules
-- Eric Blake eblake redhat com +1-919-301-3266 Libvirt virtualization library http://libvirt.org

On Tue, Apr 28, 2015 at 07:51:11PM -0400, Cole Robinson wrote:
Many users, who admin their own machines, want to be able to access system libvirtd via tools like virt-manager without having to enter a root password. Just google 'virt-manager without password' and you'll find many hits. I've read at least 5 blog posts over the years describing slightly different ways of achieving this goal.
Let's finally add official support for this.
Install a polkit-1 rules file granting password-less auth for any user in the new 'libvirt' group. Create the group on RPM install
I think perhaps we should also call it 'libvirtadm' in case we want to use a 'libvirt' group for other purposes in the future. Regards, Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

On Tue, Apr 28, 2015 at 07:51:11PM -0400, Cole Robinson wrote:
Many users, who admin their own machines, want to be able to access system libvirtd via tools like virt-manager without having to enter a root password. Just google 'virt-manager without password' and you'll find many hits. I've read at least 5 blog posts over the years describing slightly different ways of achieving this goal.
Let's finally add official support for this.
Install a polkit-1 rules file granting password-less auth for any user in the new 'libvirt' group. Create the group on RPM install
https://bugzilla.redhat.com/show_bug.cgi?id=957300 --- daemon/50-libvirt.rules | 9 +++++++++ daemon/Makefile.am | 13 +++++++++++++ libvirt.spec.in | 15 +++++++++++++-- 3 files changed, 35 insertions(+), 2 deletions(-) create mode 100644 daemon/50-libvirt.rules
diff --git a/daemon/50-libvirt.rules b/daemon/50-libvirt.rules new file mode 100644 index 0000000..01a15fa --- /dev/null +++ b/daemon/50-libvirt.rules @@ -0,0 +1,9 @@ +// Allow any user in the 'libvirt' group to connect to system libvirtd +// without entering a password. + +polkit.addRule(function(action, subject) { + if (action.id == "org.libvirt.unix.manage" && + subject.isInGroup("libvirt")) { + return polkit.Result.YES; + } +});
That's what we're shipping in Debian since quiet some time: https://anonscm.debian.org/cgit/pkg-libvirt/libvirt.git/tree/debian/polkit/6... even with the same group name (which came from the group that owns the socket for socket based permissions). Would be great to be consistent across distros.
diff --git a/daemon/Makefile.am b/daemon/Makefile.am index 300b9a5..e200ac1 100644 --- a/daemon/Makefile.am +++ b/daemon/Makefile.am @@ -53,6 +53,7 @@ EXTRA_DIST = \ libvirtd.init.in \ libvirtd.upstart \ libvirtd.policy.in \ + 50-libvirt.rules \ libvirtd.sasl \ libvirtd.service.in \ libvirtd.socket.in \ @@ -233,6 +234,8 @@ policyauth = auth_admin_keep_session else ! WITH_POLKIT0 policydir = $(datadir)/polkit-1/actions policyauth = auth_admin_keep +rulesdir = $(datadir)/polkit-1/rules.d +rulesfile = 50-libvirt.rules endif ! WITH_POLKIT0 endif WITH_POLKIT
@@ -263,9 +266,19 @@ if WITH_POLKIT install-data-polkit:: $(MKDIR_P) $(DESTDIR)$(policydir) $(INSTALL_DATA) libvirtd.policy $(DESTDIR)$(policydir)/org.libvirt.unix.policy +if ! WITH_POLKIT0 + $(MKDIR_P) $(DESTDIR)$(rulesdir) + $(INSTALL_DATA) $(srcdir)/$(rulesfile) $(DESTDIR)$(rulesdir) +endif ! WITH_POLKIT0 + uninstall-data-polkit:: rm -f $(DESTDIR)$(policydir)/org.libvirt.unix.policy rmdir $(DESTDIR)$(policydir) || : +if ! WITH_POLKIT0 + rm -f $(DESTDIR)$(rulesdir)/$(rulesfile) + rmdir $(DESTDIR)$(rulesdir) +endif ! WITH_POLKIT0 + else ! WITH_POLKIT install-data-polkit:: uninstall-data-polkit:: diff --git a/libvirt.spec.in b/libvirt.spec.in index 20af502..c71ef25 100644 --- a/libvirt.spec.in +++ b/libvirt.spec.in @@ -1645,9 +1645,9 @@ then fi
%if %{with_libvirtd} +%pre daemon %if ! %{with_driver_modules} %if %{with_qemu} -%pre daemon %if 0%{?fedora} || 0%{?rhel} >= 6 # We want soft static allocation of well-known ids, as disk images # are commonly shared across NFS mounts by id rather than name; see @@ -1661,11 +1661,21 @@ if ! getent passwd qemu >/dev/null; then useradd -r -g qemu -G kvm -d / -s /sbin/nologin -c "qemu user" qemu fi fi -exit 0 %endif %endif %endif
+ %if %{with_polkit} + %if 0%{?fedora} || 0%{?rhel} >= 6 +# 'libvirt' group is just to allow password-less polkit access to +# libvirtd. The uid number is irrelevant, so we use dynamic allocation +# described at the above link. +getent group libvirt >/dev/null || groupadd -r libvirt + %endif + %endif + +exit 0 + %post daemon
%if %{with_systemd} @@ -1939,6 +1949,7 @@ exit 0 %if 0%{?fedora} || 0%{?rhel} >= 6 %{_datadir}/polkit-1/actions/org.libvirt.unix.policy %{_datadir}/polkit-1/actions/org.libvirt.api.policy +%{_datadir}/polkit-1/rules.d/50-libvirt.rules %else %{_datadir}/PolicyKit/policy/org.libvirt.unix.policy %endif -- 2.3.6
-- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
ACK. -- Guido

On 04/29/2015 03:42 PM, Guido Günther wrote:
On Tue, Apr 28, 2015 at 07:51:11PM -0400, Cole Robinson wrote:
Many users, who admin their own machines, want to be able to access system libvirtd via tools like virt-manager without having to enter a root password. Just google 'virt-manager without password' and you'll find many hits. I've read at least 5 blog posts over the years describing slightly different ways of achieving this goal.
Let's finally add official support for this.
Install a polkit-1 rules file granting password-less auth for any user in the new 'libvirt' group. Create the group on RPM install
https://bugzilla.redhat.com/show_bug.cgi?id=957300 --- daemon/50-libvirt.rules | 9 +++++++++ daemon/Makefile.am | 13 +++++++++++++ libvirt.spec.in | 15 +++++++++++++-- 3 files changed, 35 insertions(+), 2 deletions(-) create mode 100644 daemon/50-libvirt.rules
diff --git a/daemon/50-libvirt.rules b/daemon/50-libvirt.rules new file mode 100644 index 0000000..01a15fa --- /dev/null +++ b/daemon/50-libvirt.rules @@ -0,0 +1,9 @@ +// Allow any user in the 'libvirt' group to connect to system libvirtd +// without entering a password. + +polkit.addRule(function(action, subject) { + if (action.id == "org.libvirt.unix.manage" && + subject.isInGroup("libvirt")) { + return polkit.Result.YES; + } +});
That's what we're shipping in Debian since quiet some time:
https://anonscm.debian.org/cgit/pkg-libvirt/libvirt.git/tree/debian/polkit/6...
even with the same group name (which came from the group that owns the socket for socket based permissions). Would be great to be consistent across distros.
Latest version of the patch uses libvirtadm at Dan's suggestion... but if there's already precedent with what debian is shipping we might want to stick with plain 'libvirt'. Dan, thoughts? - Cole

On Wed, Apr 29, 2015 at 03:44:46PM -0400, Cole Robinson wrote:
On 04/29/2015 03:42 PM, Guido Günther wrote:
On Tue, Apr 28, 2015 at 07:51:11PM -0400, Cole Robinson wrote:
Many users, who admin their own machines, want to be able to access system libvirtd via tools like virt-manager without having to enter a root password. Just google 'virt-manager without password' and you'll find many hits. I've read at least 5 blog posts over the years describing slightly different ways of achieving this goal.
Let's finally add official support for this.
Install a polkit-1 rules file granting password-less auth for any user in the new 'libvirt' group. Create the group on RPM install
https://bugzilla.redhat.com/show_bug.cgi?id=957300 --- daemon/50-libvirt.rules | 9 +++++++++ daemon/Makefile.am | 13 +++++++++++++ libvirt.spec.in | 15 +++++++++++++-- 3 files changed, 35 insertions(+), 2 deletions(-) create mode 100644 daemon/50-libvirt.rules
diff --git a/daemon/50-libvirt.rules b/daemon/50-libvirt.rules new file mode 100644 index 0000000..01a15fa --- /dev/null +++ b/daemon/50-libvirt.rules @@ -0,0 +1,9 @@ +// Allow any user in the 'libvirt' group to connect to system libvirtd +// without entering a password. + +polkit.addRule(function(action, subject) { + if (action.id == "org.libvirt.unix.manage" && + subject.isInGroup("libvirt")) { + return polkit.Result.YES; + } +});
That's what we're shipping in Debian since quiet some time:
https://anonscm.debian.org/cgit/pkg-libvirt/libvirt.git/tree/debian/polkit/6...
even with the same group name (which came from the group that owns the socket for socket based permissions). Would be great to be consistent across distros.
Latest version of the patch uses libvirtadm at Dan's suggestion... but if there's already precedent with what debian is shipping we might want to stick with plain 'libvirt'.
Dan, thoughts?
Yeah, since both Suse and Debian have shipped this aready with a group name of 'libvirt', we should use that for consistency Regards, Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

On 04/30/2015 05:21 AM, Daniel P. Berrange wrote:
On Wed, Apr 29, 2015 at 03:44:46PM -0400, Cole Robinson wrote:
On 04/29/2015 03:42 PM, Guido Günther wrote:
On Tue, Apr 28, 2015 at 07:51:11PM -0400, Cole Robinson wrote:
Many users, who admin their own machines, want to be able to access system libvirtd via tools like virt-manager without having to enter a root password. Just google 'virt-manager without password' and you'll find many hits. I've read at least 5 blog posts over the years describing slightly different ways of achieving this goal.
Let's finally add official support for this.
Install a polkit-1 rules file granting password-less auth for any user in the new 'libvirt' group. Create the group on RPM install
https://bugzilla.redhat.com/show_bug.cgi?id=957300 --- daemon/50-libvirt.rules | 9 +++++++++ daemon/Makefile.am | 13 +++++++++++++ libvirt.spec.in | 15 +++++++++++++-- 3 files changed, 35 insertions(+), 2 deletions(-) create mode 100644 daemon/50-libvirt.rules
diff --git a/daemon/50-libvirt.rules b/daemon/50-libvirt.rules new file mode 100644 index 0000000..01a15fa --- /dev/null +++ b/daemon/50-libvirt.rules @@ -0,0 +1,9 @@ +// Allow any user in the 'libvirt' group to connect to system libvirtd +// without entering a password. + +polkit.addRule(function(action, subject) { + if (action.id == "org.libvirt.unix.manage" && + subject.isInGroup("libvirt")) { + return polkit.Result.YES; + } +});
That's what we're shipping in Debian since quiet some time:
https://anonscm.debian.org/cgit/pkg-libvirt/libvirt.git/tree/debian/polkit/6...
even with the same group name (which came from the group that owns the socket for socket based permissions). Would be great to be consistent across distros.
Latest version of the patch uses libvirtadm at Dan's suggestion... but if there's already precedent with what debian is shipping we might want to stick with plain 'libvirt'.
Dan, thoughts?
Yeah, since both Suse and Debian have shipped this aready with a group name of 'libvirt', we should use that for consistency
Regards, Daniel
Okay, sent v3 with group=libvirt. If there's no objections I'll push after the release is out Thanks, Cole

Guido Günther wrote:
On Tue, Apr 28, 2015 at 07:51:11PM -0400, Cole Robinson wrote:
Many users, who admin their own machines, want to be able to access system libvirtd via tools like virt-manager without having to enter a root password. Just google 'virt-manager without password' and you'll find many hits. I've read at least 5 blog posts over the years describing slightly different ways of achieving this goal.
Let's finally add official support for this.
Install a polkit-1 rules file granting password-less auth for any user in the new 'libvirt' group. Create the group on RPM install
https://bugzilla.redhat.com/show_bug.cgi?id=957300 --- daemon/50-libvirt.rules | 9 +++++++++ daemon/Makefile.am | 13 +++++++++++++ libvirt.spec.in | 15 +++++++++++++-- 3 files changed, 35 insertions(+), 2 deletions(-) create mode 100644 daemon/50-libvirt.rules
diff --git a/daemon/50-libvirt.rules b/daemon/50-libvirt.rules new file mode 100644 index 0000000..01a15fa --- /dev/null +++ b/daemon/50-libvirt.rules @@ -0,0 +1,9 @@ +// Allow any user in the 'libvirt' group to connect to system libvirtd +// without entering a password. + +polkit.addRule(function(action, subject) { + if (action.id == "org.libvirt.unix.manage" && + subject.isInGroup("libvirt")) { + return polkit.Result.YES; + } +});
That's what we're shipping in Debian since quiet some time:
https://anonscm.debian.org/cgit/pkg-libvirt/libvirt.git/tree/debian/polkit/6...
Heh, I recently accepted a similar change for openSUSE https://build.opensuse.org/package/view_file/Virtualization/libvirt/polkit-1... Regards, Jim
participants (5)
-
Cole Robinson
-
Daniel P. Berrange
-
Eric Blake
-
Guido Günther
-
Jim Fehlig