| Summary: | Use Unix socket authentication for libvirtd, instead of default polkit | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Virtualization Manager | Reporter: | David Gibson <dgibson> |
| Component: | vdsm | Assignee: | Douglas Schilling Landgraf <dougsland> |
| Status: | CLOSED WONTFIX | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | 3.2.0 | CC: | bazulay, danken, dougsland, fdeutsch, gouyang, hateya, iheim, lpeer, mhuth, michal.skrivanek, pstehlik, yeylon |
| Target Milestone: | --- | Keywords: | Triaged |
| Target Release: | 3.4.0 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | infra | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2014-01-07 17:03:34 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | Infra | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |

Douglas, can you tell if any RHEV-M related component writes the libvirt config which is required by vdsm?

Hello Fabian,

(In reply to Fabian Deutsch from comment #1)
> Douglas,
>
> can you tell if any RHEV-M related component writes the libvirt config which
> is required by vdsm?

vdsm does the changes into libvirt.

Thanks Douglas. Then I'll move it to vdsm. ovirt-node is still messing around a bit with the libvirtd.conf file, but we want to drop this in future. (Some log levels are adjusted initially - I don't know if this code is even effectively used)

Dan, what do you think?

I think there's a little confusion here. Vdsm does not use polkit to access libvirt, it uses sasl. sasl, and its non-secret "password" was not chosen on a whim. It has been an explicit (yet very annoying) request to make it harder on local root user to make changes to libvirt below the feet of Vdsm. Years ago I found this requirement pretty silly. root can `pkill qemu`, gdb libvirtd, and generally do whatever they want to do. Still, these symbolic handcuffs are reportedly helping us avoid bugs. If you are looking for something other than dropping the sasl password, please reopen the bug and explain.

Huh. I guess that does make sense. It might be nice to have some comments explaining that rationale in the default libvirtd.conf file, though.

I would not mind a one-liner comment just above the "sasl" assignment. Would you send it to gerrit.ovirt.org?

Description of problem:

Currently libvirtd on a RHEV-H machine is configured with a fixed (and therefore insecure) username/password combination of vdsm@rhevh/shibboleth. Because the libvirtd unix socket is only available on the closed rhev-h system, this insecure password does not result in an actual system vulnerability. However, we can accomplish the same effect more directly by instead configuring libvirtd to rely on its socket's unix permissions for authentication instead of using the polkit layer with:

    auth_unix_ro = "none"
    auth_unix_rw = "none"

in /etc/libvirt/libvirtd.conf. As long as the vdsm user is in the correct group this will allow similar security, while making debug easier by allowing virsh commands to be run as root without further authentication by a magic username/password combination.
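
With `auth_unix_rw = "none"` the socket's file mode and group become the only access control, so a configuration review has to read the `unix_sock_*` keys together with the `auth_unix_*` keys. The following audit sketch is an added example, not part of the bug report or of vdsm. It assumes libvirtd itself creates the sockets from libvirtd.conf (no systemd socket activation), uses assumed defaults for unset keys, and uses constructed sample configurations with a placeholder group name.

```python
import re

# Assumed values for keys the file leaves unset (this example's assumption:
# a polkit-enabled build; check the comments in your own libvirtd.conf).
ASSUMED_DEFAULTS = {
    "auth_unix_ro": "polkit", "auth_unix_rw": "polkit",
    "unix_sock_ro_perms": "0777", "unix_sock_rw_perms": "0777",
    "unix_sock_group": "root",
}
SETTING = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"')

def parse_conf(text):
    """Collect key = "value" settings; '#'-commented lines never match."""
    found = {}
    for line in text.splitlines():
        m = SETTING.match(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found

def audit(text):
    """Return (severity, message) findings for sockets using auth "none"."""
    explicit = parse_conf(text)
    cfg = {**ASSUMED_DEFAULTS, **explicit}
    findings = []
    for sock in ("ro", "rw"):
        if cfg[f"auth_unix_{sock}"] != "none":
            continue  # sasl or polkit still gates this socket
        mode = int(cfg[f"unix_sock_{sock}_perms"], 8)
        if mode & 0o002:  # connect() needs write permission on the socket
            sev = "high" if sock == "rw" else "info"
            findings.append((sev, f"{sock} socket: auth none and mode "
                                  f"{mode:04o} lets any local user connect"))
        if sock == "rw" and "unix_sock_group" not in explicit:
            findings.append(("medium", "rw socket: auth none but "
                             "unix_sock_group is not set explicitly"))
    return findings

# Constructed samples. "kvm" is a placeholder group, not taken from the report.
REPORT_LINES_ONLY = 'auth_unix_ro = "none"\nauth_unix_rw = "none"\n'
WITH_SOCKET_PERMS = REPORT_LINES_ONLY + (
    'unix_sock_group = "kvm"\n'
    'unix_sock_ro_perms = "0777"\n'
    'unix_sock_rw_perms = "0770"\n')

if __name__ == "__main__":
    for name, conf in (("report lines only", REPORT_LINES_ONLY),
                       ("with socket perms", WITH_SOCKET_PERMS)):
        print(name, audit(conf))
```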