5 Dec 2025, 11:51 p.m.
Hi Peter!

On Fri, 5 Dec 2025, at 14:40, Peter Krempa wrote:
>> Therefore, I'd like to give users more limited permissions - but I'm a bit lost about the best way to approach that. It seems that I could:
>> - tighten (or relax) socket permissions in the systemd config
>> - switch off socket activation and configure socket permissions in libvirtd.conf
>> - Configure socket-dependent permissions in libvirt
>
> None of this will help unless you trust the user. Whoever is able to define a full XML is effectively root.

I was thinking that perhaps there is a socket that I can configure in such a way that it doesn't allow defining the XML? (I thought that the -ro.socket might do something like this)

Best,
-Nikolaus