Bug 957300
Summary: | Add polkit rules allowing users in a specific unix group to not require password | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | William Brown <william> |
Component: | libvirt | Assignee: | Libvirt Maintainers <libvirt-maint> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | unspecified | ||
Version: | 21 | CC: | berrange, clalancette, crobinso, gustavold, itamar, jforbes, jv+fedora, kparal, laine, lersek, libvirt-maint, mitr, mleitner, pahan, rharwood, sergio.pasra, veillard, virt-maint |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | | ||
Fixed In Version: | libvirt-1.2.9.3-2.fc21 | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2015-06-23 09:10:35 UTC | Type: | Bug |
Description
William Brown
2013-04-27 00:30:20 UTC
Honestly I'd be happy with this too. Many many people install custom polkit rules to do effectively the same thing, but as a one off for their username of choice. My understanding is that Ubuntu does (or did at one time) do something similar with a 'kvm' group. I've floated the idea upstream: https://www.redhat.com/archives/libvir-list/2013-June/msg00503.html

Allowing members of the 'qemu' group to access libvirt without a password would be a huge security hole. The 'qemu' group is running the QEMU/KVM processes for each VM. So such a polkit rule would allow a compromised QEMU process to access libvirt & thus compromise the entire host.

I'm more interested in the general idea, the group could be named 'foobar' for all it matters.

Perhaps the group could be called virtadm then? Similar to the "adm" admin group.

Should probably just use 'libvirt' as a group name.

Still relevant on F20

Any movement on this?

Hi William, since you're the person with the most stake in this question, you should reopen discussion Cole started upstream on libvir-list and drive it to a conclusion. I can't predict how the community will react, but from the comments above and the response to Cole's mail, it sounds like the qemu group is not acceptable, but the libvirt group might be. Just my $.02.

+1 on this one, as I've been doing a similar setup myself on my hosts for the same reasons.

Clearing needinfo. I think this idea would be accepted but someone needs to submit a patch or start a discussion on libvir-list. I might get to it for F22 cycle but no guarantees

I sent a patch upstream for this, using the group 'libvirt': https://www.redhat.com/archives/libvir-list/2015-April/msg01484.html

Upstream now:

commit e94979e901517af9fdde358d7b7c92cc055dd50c
Author: Cole Robinson <crobinso>
Date:   Tue Apr 28 17:38:00 2015 -0400

    polkit: Allow password-less access for 'libvirt' group

    Many users, who admin their own machines, want to be able to access
    system libvirtd via tools like virt-manager without having to enter
    a root password. Just google 'virt-manager without password' and
    you'll find many hits. I've read at least 5 blog posts over the years
    describing slightly different ways of achieving this goal.

    Let's finally add official support for this.

    Install a polkit-1 rules file granting password-less auth for any user
    in the new 'libvirt' group. Create the group on RPM install

    https://bugzilla.redhat.com/show_bug.cgi?id=957300

Thank you for getting back to this and making it happen! Much appreciated.

libvirt-1.2.9.3-2.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/libvirt-1.2.9.3-2.fc21

Package libvirt-1.2.9.3-2.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing libvirt-1.2.9.3-2.fc21'
as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-9594/libvirt-1.2.9.3-2.fc21
then log in and leave karma (feedback).

This is great. Works. Thanks, folks.

libvirt-1.2.9.3-2.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.

Found out about this BZ via <http://blog.wikichoon.com/2016/01/polkit-password-less-access-for-libvirt.html> (federated on planet.virt-tools.org). I just checked, and this feature also made RHEL-7.2, through bug 1194593 (rebase to then-current upstream libvirt, 1.2.16, then to 1.2.17). Awesome, thanks a lot Cole!
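
The group-based rule discussed in this bug, written as an added example (it is not the rules file shipped by libvirt and not code from any commenter). The rule body uses polkit's JavaScript rule API and libvirt's `org.libvirt.unix.manage` action; the `polkit` stub, `makeSubject`, `authorize`, the sample accounts, and the `auth_admin` default are constructed here so the rule can be exercised without polkitd, and they show why membership in a dedicated 'libvirt' group, rather than the 'qemu' group the VM processes run under, is the condition.

```javascript
// Constructed stand-in for the objects polkitd hands to a rules file.
// On a real host polkitd provides `polkit`, `action` and `subject`.
const rules = [];
const polkit = {
  Result: { YES: "yes", AUTH_ADMIN: "auth_admin" },
  addRule(fn) { rules.push(fn); },
};

// Constructed subject exposing only what the rule below uses.
function makeSubject(user, groups) {
  return { user, groups, isInGroup(g) { return groups.includes(g); } };
}

// The rule: password-less management access only for the 'libvirt' group.
// Returning nothing leaves the decision to later rules or the action default.
polkit.addRule(function (action, subject) {
  if (action.id == "org.libvirt.unix.manage" &&
      subject.isInGroup("libvirt")) {
    return polkit.Result.YES;
  }
});

// Simplified evaluation: the first rule that returns a value decides,
// otherwise the action's own default applies (passed in by the caller).
function authorize(actionId, subject, implicitDefault) {
  for (const rule of rules) {
    const result = rule({ id: actionId }, subject);
    if (result !== undefined && result !== null) return result;
  }
  return implicitDefault;
}

// Constructed accounts: an admin added to 'libvirt', and the service
// account that QEMU processes run as, which is NOT in 'libvirt'.
const admin = makeSubject("alice", ["alice", "libvirt"]);
const qemuProc = makeSubject("qemu", ["qemu", "kvm"]);
const DEFAULT = polkit.Result.AUTH_ADMIN; // assumed default for this demo

console.log("alice ->", authorize("org.libvirt.unix.manage", admin, DEFAULT));
console.log("qemu  ->", authorize("org.libvirt.unix.manage", qemuProc, DEFAULT));
```

Because the match is on group membership, auditing who is in the 'libvirt' group is equivalent to auditing who has password-less control of the system libvirtd.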