Bug 795978

Summary: polkit authorization broken in libvirt 0.9.10
Product: Red Hat Enterprise Linux 6
Reporter: Eric Blake <eblake>
Component: libvirt
Assignee: Eric Blake <eblake>
Status: CLOSED ERRATA
QA Contact: Virtualization Bugs <virt-bugs>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 6.3
CC: acathrow, berrange, clalancette, crobinso, dougsland, dpierce, dyuan, eblake, frankly3d, hbrock, itamar, jforbes, laine, libvirt-maint, mzhan, rwu, veillard, virt-maint, weizhan, whuang, ydu
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: libvirt-0.9.10-3.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 790037
Environment:
Last Closed: 2012-06-20 06:48:56 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 790037
Bug Blocks:

Description Eric Blake 2012-02-21 22:41:51 UTC
cloning from fedora to rhel

+++ This bug was initially created as a clone of Bug #790037 +++

Description of problem:

1. enable dbus.service
2. enable avahi-daemon.service
3. start libvirtd.service

on command line:

systemctl status libvirtd.service
libvirtd.service - Virtualization daemon
   Loaded: loaded (/usr/lib/systemd/system/libvirtd.service; enabled)
   Active: active (running) since Mon, 13 Feb 2012 14:07:21 +0000; 18s ago
 Main PID: 1830 (libvirtd)
   CGroup: name=systemd:/system/libvirtd.service
    ├ 1830 /usr/sbin/libvirtd
    └ 1935 /sbin/dnsmasq --strict-order --bind-interfaces
--pid-file=/var/run/libvirt/network/default.pid --conf-file= --ex...

Feb 13 14:07:23 testvm libvirtd[1830]: 2012-02-13 14:07:23.694+0000: 1841:
error : virCommandWait:2308 : internal error Child proce...ebtables
Feb 13 14:07:23 testvm libvirtd[1830]: cmd='$EBT -t nat -L'
Feb 13 14:07:23 testvm libvirtd[1830]: eval res=\$\("${cmd} 2>&1"\)
Feb 13 14:07:23 testvm libvirtd[1830]: if [ $? -ne 0 ]; then  echo "Failure to
execute command '${cmd}' : '${res}'.";  exit 1;fi
Feb 13 14:07:23 testvm libvirtd[1830]: ) status unexpected: exit status 1
Feb 13 14:07:23 testvm libvirtd[1830]: 2012-02-13 14:07:23.773+0000: 1841:
error : virCommandWait:2308 : internal error Child proce...p6tables
Feb 13 14:07:23 testvm libvirtd[1830]: cmd='$IPT -n -L FORWARD'
Feb 13 14:07:23 testvm libvirtd[1830]: eval res=\$\("${cmd} 2>&1"\)
Feb 13 14:07:23 testvm libvirtd[1830]: if [ $? -ne 0 ]; then  echo "Failure to
execute command '${cmd}' : '${res}'.";  exit 1;fi
Feb 13 14:07:23 testvm libvirtd[1830]: ) status unexpected: exit status 1

in virt-manager window:
Unable to connect to libvirt:

authentication failed: Not authorized.

Could not detect a local session: if you are 
running virt-manager over ssh -X or VNC, you 
may not be able to connect to libvirt as a 
regular user. Try running as root.

Libvirt URI is: qemu:///system

Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/connection.py", line 1185, in
_open_thread
    self.vmm = self._try_open()
  File "/usr/share/virt-manager/virtManager/connection.py", line 1167, in
_try_open
    flags)
  File "/usr/lib64/python2.7/site-packages/libvirt.py", line 102, in openAuth
    if ret is None:raise libvirtError('virConnectOpenAuth() failed')
libvirtError: authentication failed: Not authorized.

But it should let me in due to:

/var/lib/polkit-1/localauthority/50-local.d/virt-manager.pkl

 [Local virt-manager Permissions]
Identity=unix-user:frank
Action=org.libvirt.unix.*
ResultAny=no
ResultInactive=no
ResultActive=yes


Version-Release number of selected component (if applicable):
libvirt-client-0.9.10-0rc2.fc17.x86_64
libvirt-0.9.10-0rc2.fc17.x86_64
libvirt-python-0.9.10-0rc2.fc17.x86_64
virt-manager-0.9.1-1.fc17.1.noarch
virt-manager-common-0.9.1-1.fc17.1.noarch

--- Additional comment from crobinso on 2012-02-13 13:39:12 MST ---

Does virsh --connect qemu:///system as regular user work? Or is this specific to virt-manager?

Did that policykit configuration work on f16?

--- Additional comment from frankly3d on 2012-02-13 16:05:18 MST ---

(In reply to comment #1)
> Does virsh --connect qemu:///system as regular user work? Or is this specific
> to virt-manager?


frank@testvm ~$ virsh --connect qemu:///system
WARNING: gnome-keyring:: couldn't connect to: /tmp/keyring-D69WWU/pkcs11: No such file or directory
error: authentication failed: Not authorized.

error: failed to connect to the hypervisor


> 
> Did that policykit configuration work on f16?

yes.

Xfce Host but.
Gnome-Keyring, coolkey + deps are installed 


Will look further in the morning.

--- Additional comment from crobinso on 2012-02-13 16:46:47 MST ---

Moving to libvirt for now since it's not virt-manager specific

--- Additional comment from frankly3d on 2012-02-21 12:45:11 MST ---

Uncertain if this is complicit:
http://lists.fedoraproject.org/pipermail/test/2012-February/105736.html

--- Additional comment from eblake on 2012-02-21 13:33:34 MST ---

Could possibly be a case of needing to backport this:

commit fcdfa31f3cad32f41ef5e7933c58d986ab7fc6c9
Author: Jim Fehlig <jfehlig>
Date:   Wed Feb 15 10:01:50 2012 -0700

    Fix polkit0 authentication
    
    Commit 7033c5f2 introduced some bugs in polkit0 authentication.
    
    Fix libvirtd segfault in remoteDispatchAuthPolkit().
    
    Fix polkit authentication bypass when caller UID = 0.

Comment 1 Eric Blake 2012-02-21 22:43:17 UTC
I'm not sure if only libvirt is at fault, or even if the reported problem would occur on RHEL or is just specific to Fedora rawhide, but it cannot hurt to backport the libvirt patches related to polkit authorization.

Comment 4 Frank Murphy 2012-02-22 11:35:50 UTC
(In reply to comment #3)
> In POST:
> http://post-office.corp.redhat.com/archives/rhvirt-patches/2012-February/msg01033.html

Hi Eric,
Should I follow progress at the above url?

Comment 5 Eric Blake 2012-02-22 13:04:52 UTC
(In reply to comment #4)
> (In reply to comment #3)
> > In POST:
> > http://post-office.corp.redhat.com/archives/rhvirt-patches/2012-February/msg01033.html
> 
> Hi Eric,
> Should I follow progress at the above url?

That depends - are you interested in what gets built for RHEL 6.3 (that URL provides the patch for backporting the fix to RHEL), or are you interested in what gets built for rawhide (in which case, bug 790037 is the one to follow), or are you interested in building your own libvirt (in which case, libvirt.git has already been patched, and libvirt 0.9.11 will have the fix)?

Comment 6 yanbing du 2012-02-28 06:53:07 UTC
With libvirt-0.9.10-0rc2.el6.x86_64, reproduced this problem.
Steps:
1. enable dbus.service
# /etc/rc.d/init.d/messagebus start
Starting system message bus:                               [  OK  ]
2. enable avahi-daemon.service
# /etc/init.d/avahi-daemon start
Starting Avahi daemon...                                   [  OK  ]
3. start libvirtd.service
# /etc/init.d/libvirtd start
Starting libvirtd daemon:                                  [  OK  ]
4. Switch to regular user and connect to libvirtd
$ virsh --connect qemu:///system
error: authentication failed: Authorization requires authentication but no
agent is available.

error: failed to connect to the hypervisor

Comment 9 yanbing du 2012-02-29 08:21:46 UTC
Test failed with libvirt-0.9.10-3.el6.x86_64.
Note:
The test steps are as comment 6 described.
If I run 'virt-manager' or 'virsh -c qemu:///system' as a regular user locally, the Authenticate message box pops up and asks for the root password; that works correctly.
But if I run these commands over ssh -X as a regular user, it still fails.
The libvirtd log is as follows:
# tail -f /var/log/libvirt/libvirtd.log
2012-02-29 07:59:37.412+0000: 2320: error : remoteDispatchAuthPolkit:2525 : Policy kit denied action org.libvirt.unix.manage from pid 3085, uid 500: exit status 2
2012-02-29 07:59:37.412+0000: 2320: error : remoteDispatchAuthPolkit:2554 : authentication failed: Authorization requires authentication but no agent is available.

2012-02-29 07:59:41.946+0000: 2318: error : virNetSocketReadWire:999 : End of file while reading data: Input/output error

Is there anything I missed to test this bug? Please correct me, thanks!

Comment 10 Daniel Berrangé 2012-03-15 10:04:30 UTC
PolicyKit is unable to prompt for any passwords if you're running from an SSH shell.  If you want that to work, you'd have to change the local policy to *not* ask for a password in this scenario.  Only if running from a desktop login session directly will it ask for passwords.

Comment 11 Eric Blake 2012-03-16 19:34:39 UTC
I'm not sure the best way to test this, but the way I found that a patch needed backporting in the first place was by running libvirtd under valgrind, then using virt-manager to connect to libvirt.  Before the patch, there was a memory leak on stock 0.9.10 usage, pointing back to the polkit code.

Comment 14 yanbing du 2012-05-04 07:53:33 UTC
(In reply to comment #13)
> (In reply to comment #12)
> > Hi,
> >   I'm trying to reproduce this bug(polkit authorization broken). But still
> > can't find the root problem.
> 
> > 
> > I'm not sure what the exact test/verify steps should be, so please correct me
> > if needed. Thanks!
> 
> See comment #11.  I also don't know how to demonstrate the real problem by use
> of polkit policy files.  I only know that I found the issue by using valgrind
> on a default installation, with no modification of polkit files, and verified
> that the patch was able to plug the leak reported by valgrind.

Then this bug can be verified, both on libvirt-0.9.10-3.el6.x86_64 and libvirt-0.9.10-16.el6.x86_64.
With libvirt-0.9.10-1.el6.x86_64,
using valgrind to check libvirtd, the result is like:
==17288== LEAK SUMMARY:
==17288==    definitely lost: 738 bytes in 40 blocks
==17288==    indirectly lost: 0 bytes in 0 blocks
==17288==      possibly lost: 8,664 bytes in 50 blocks
==17288==    still reachable: 1,933,261 bytes in 19,248 blocks
==17288==         suppressed: 0 bytes in 0 blocks
==17288== Rerun with --leak-check=full to see details of leaked memory
==17288== 
==17288== For counts of detected and suppressed errors, rerun with: -v
==17288== Use --track-origins=yes to see where uninitialised values come from
==17288== ERROR SUMMARY: 85 errors from 15 contexts (suppressed: 32 from 9)
After upgrading libvirt, the result is like:
==19445== LEAK SUMMARY:
==19445==    definitely lost: 0 bytes in 0 blocks
==19445==    indirectly lost: 0 bytes in 0 blocks
==19445==      possibly lost: 0 bytes in 0 blocks
==19445==    still reachable: 126,299 bytes in 1,346 blocks
==19445==         suppressed: 0 bytes in 0 blocks
==19445== Rerun with --leak-check=full to see details of leaked memory
==19445==
==19445== For counts of detected and suppressed errors, rerun with: -v
==19445== Use --track-origins=yes to see where uninitialised values come from
==19445== ERROR SUMMARY: 45 errors from 10 contexts (suppressed: 8 from 6)
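As an added example (not code from the bug report or from libvirt), this Python parses valgrind LEAK SUMMARY and ERROR SUMMARY lines like the two runs quoted in this comment and checks that the "definitely lost" figure went to zero after the upgrade, which is the verification criterion used here. The excerpts are constructed from the numbers above; the helper names are this example's own.

```python
import re

# Constructed excerpts modelled on the two LEAK SUMMARY blocks in this comment.
BEFORE = """\
==17288== LEAK SUMMARY:
==17288==    definitely lost: 738 bytes in 40 blocks
==17288==    indirectly lost: 0 bytes in 0 blocks
==17288==      possibly lost: 8,664 bytes in 50 blocks
==17288==    still reachable: 1,933,261 bytes in 19,248 blocks
==17288== ERROR SUMMARY: 85 errors from 15 contexts (suppressed: 32 from 9)
"""
AFTER = """\
==19445== LEAK SUMMARY:
==19445==    definitely lost: 0 bytes in 0 blocks
==19445==    indirectly lost: 0 bytes in 0 blocks
==19445==      possibly lost: 0 bytes in 0 blocks
==19445==    still reachable: 126,299 bytes in 1,346 blocks
==19445== ERROR SUMMARY: 45 errors from 10 contexts (suppressed: 8 from 6)
"""

LEAK_RE = re.compile(r"^==\d+==\s+(definitely lost|indirectly lost|possibly lost|still reachable):"
                     r" ([\d,]+) bytes in ([\d,]+) blocks")
ERR_RE = re.compile(r"^==\d+== ERROR SUMMARY: (\d+) errors")

def parse_summary(text):
    """Return {'definitely lost': (bytes, blocks), ..., 'errors': count} from valgrind output."""
    out = {}
    for line in text.splitlines():
        m = LEAK_RE.match(line)
        if m:
            # valgrind prints thousands separators, so strip the commas before converting
            out[m.group(1)] = (int(m.group(2).replace(",", "")), int(m.group(3).replace(",", "")))
            continue
        m = ERR_RE.match(line)
        if m:
            out["errors"] = int(m.group(1))
    return out

def compare(before, after):
    """Map each leak category present in both runs to (bytes_before, bytes_after)."""
    b, a = parse_summary(before), parse_summary(after)
    return {k: (b[k][0], a[k][0]) for k in b if k != "errors" and k in a}

def leak_fixed(before, after, category="definitely lost"):
    """True when the category leaked before the fix and leaks nothing after it."""
    lost_before, lost_after = compare(before, after)[category]
    return lost_before > 0 and lost_after == 0
```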

Comment 16 errata-xmlrpc 2012-06-20 06:48:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2012-0748.html