polkit: Allow password-less access for 'libvirt' group
Many users, who admin their own machines, want to be able to access system libvirtd via tools like virt-manager without having to enter a root password. Just google 'virt-manager without password' and you'll find many hits. I've read at least 5 blog posts over the years describing slightly different ways of achieving this goal. Let's finally add official support for this. Install a polkit-1 rules file granting password-less auth for any user in the new 'libvirt' group. Create the group on RPM install. https://bugzilla.redhat.com/show_bug.cgi?id=957300
parent
28c547ed6d
commit
e94979e901
@ -53,6 +53,7 @@ EXTRA_DIST = \
|
||||
libvirtd.init.in \
|
||||
libvirtd.upstart \
|
||||
libvirtd.policy.in \
|
||||
libvirt.rules \
|
||||
libvirtd.sasl \
|
||||
libvirtd.service.in \
|
||||
libvirtd.socket.in \
|
||||
@ -233,6 +234,8 @@ policyauth = auth_admin_keep_session
|
||||
else ! WITH_POLKIT0
|
||||
policydir = $(datadir)/polkit-1/actions
|
||||
policyauth = auth_admin_keep
|
||||
rulesdir = $(datadir)/polkit-1/rules.d
|
||||
rulesfile = libvirt.rules
|
||||
endif ! WITH_POLKIT0
|
||||
endif WITH_POLKIT
|
||||
|
||||
@ -263,9 +266,19 @@ if WITH_POLKIT
|
||||
install-data-polkit::
|
||||
$(MKDIR_P) $(DESTDIR)$(policydir)
|
||||
$(INSTALL_DATA) libvirtd.policy $(DESTDIR)$(policydir)/org.libvirt.unix.policy
|
||||
if ! WITH_POLKIT0
|
||||
$(MKDIR_P) $(DESTDIR)$(rulesdir)
|
||||
$(INSTALL_DATA) $(srcdir)/$(rulesfile) $(DESTDIR)$(rulesdir)/50-libvirt.rules
|
||||
endif ! WITH_POLKIT0
|
||||
|
||||
uninstall-data-polkit::
|
||||
rm -f $(DESTDIR)$(policydir)/org.libvirt.unix.policy
|
||||
rmdir $(DESTDIR)$(policydir) || :
|
||||
if ! WITH_POLKIT0
|
||||
rm -f $(DESTDIR)$(rulesdir)/50-libvirt.rules
|
||||
rmdir $(DESTDIR)$(rulesdir) || :
|
||||
endif ! WITH_POLKIT0
|
||||
|
||||
else ! WITH_POLKIT
|
||||
install-data-polkit::
|
||||
uninstall-data-polkit::
|
||||
|
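Review bot: Installation of `50-libvirt.rules` in `install-data-polkit` is guarded only by `if ! WITH_POLKIT0`, so every polkit-1 build ships a rule that grants password-less management to a fixed group name. These hunks show no switch for a packager or admin who wants to keep `auth_admin_keep` for everyone. At minimum, a comment next to `rulesdir` should say what the file does, e.g. `# libvirt.rules lets group 'libvirt' manage system libvirtd without authentication; drop $(rulesdir)/50-libvirt.rules to keep auth_admin_keep for all users.` The enclosing `if WITH_POLKIT` block begins and ends outside the hunks shown.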
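--- a/daemon/libvirt.rules
+++ b/daemon/libvirt.rules
@@ -0,0 +1,9 @@
+// Allow any user in the 'libvirt' group to connect to system libvirtd
+// without entering a password.
+
+polkit.addRule(function(action, subject) {
+if (action.id == "org.libvirt.unix.manage" &&
+subject.isInGroup("libvirt")) {
+return polkit.Result.YES;
+}
+});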
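Review bot: The header comment in daemon/libvirt.rules undersells the grant. The rule returns `polkit.Result.YES` for `org.libvirt.unix.manage` to every member of 'libvirt', and full management of system libvirtd generally amounts to root-level control of the host. The condition also does not check `subject.local` or `subject.active`, so the grant covers remote and inactive sessions of group members as well; if that is intended (for example for management over ssh), it is worth saying so. I would extend the comment along the lines of `// Membership in 'libvirt' is equivalent to root access on this host; the rule applies to local and remote sessions alike.`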
@ -1645,9 +1645,9 @@ then
|
||||
fi
|
||||
|
||||
%if %{with_libvirtd}
|
||||
%pre daemon
|
||||
%if ! %{with_driver_modules}
|
||||
%if %{with_qemu}
|
||||
%pre daemon
|
||||
%if 0%{?fedora} || 0%{?rhel} >= 6
|
||||
# We want soft static allocation of well-known ids, as disk images
|
||||
# are commonly shared across NFS mounts by id rather than name; see
|
||||
@ -1661,11 +1661,21 @@ if ! getent passwd qemu >/dev/null; then
|
||||
useradd -r -g qemu -G kvm -d / -s /sbin/nologin -c "qemu user" qemu
|
||||
fi
|
||||
fi
|
||||
exit 0
|
||||
%endif
|
||||
%endif
|
||||
%endif
|
||||
|
||||
%if %{with_polkit}
|
||||
%if 0%{?fedora} || 0%{?rhel} >= 6
|
||||
# 'libvirt' group is just to allow password-less polkit access to
|
||||
# libvirtd. The uid number is irrelevant, so we use dynamic allocation
|
||||
# described at the above link.
|
||||
getent group libvirt >/dev/null || groupadd -r libvirt
|
||||
%endif
|
||||
%endif
|
||||
|
||||
exit 0
|
||||
|
||||
%post daemon
|
||||
|
||||
%if %{with_systemd}
|
||||
@ -1939,6 +1949,7 @@ exit 0
|
||||
%if 0%{?fedora} || 0%{?rhel} >= 6
|
||||
%{_datadir}/polkit-1/actions/org.libvirt.unix.policy
|
||||
%{_datadir}/polkit-1/actions/org.libvirt.api.policy
|
||||
%{_datadir}/polkit-1/rules.d/50-libvirt.rules
|
||||
%else
|
||||
%{_datadir}/PolicyKit/policy/org.libvirt.unix.policy
|
||||
%endif
|
||||
|
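Review bot: In the `%pre daemon` scriptlet, `getent group libvirt >/dev/null || groupadd -r libvirt` reuses any group already named 'libvirt'. On a host where such a group exists, its current members get password-less access to system libvirtd as soon as the package is installed or upgraded, and neither the scriptlet nor its comment points that out. The comment also says "uid number" where a gid is meant, and "the above link" refers to text in the `%if %{with_qemu}` block, which lies outside this hunk. Suggested wording: `# 'libvirt' group grants password-less (root-equivalent) polkit access to libvirtd; an existing group of that name is reused as-is. The gid is irrelevant, so use dynamic allocation.`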