Bug 795978 - polkit authorization broken in libvirt 0.9.10
polkit authorization broken in libvirt 0.9.10
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: libvirt (Show other bugs)
6.3
Unspecified Unspecified
unspecified Severity unspecified
: rc
: ---
Assigned To: Eric Blake
Virtualization Bugs
:
Depends On: 790037
Blocks:
  Show dependency treegraph
 
Reported: 2012-02-21 17:41 EST by Eric Blake
Modified: 2012-06-20 02:48 EDT (History)
21 users (show)

See Also:
Fixed In Version: libvirt-0.9.10-3.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 790037
Environment:
Last Closed: 2012-06-20 02:48:56 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Eric Blake 2012-02-21 17:41:51 EST
cloning from fedora to rhel

+++ This bug was initially created as a clone of Bug #790037 +++

Description of problem:

1: enable dbus.service
2. enable avahi-daemon.service
3. start libvirtd.service

on command line:

systemctl status libvirtd.service
libvirtd.service - Virtualization daemon
   Loaded: loaded (/usr/lib/systemd/system/libvirtd.service; enabled)
   Active: active (running) since Mon, 13 Feb 2012 14:07:21 +0000; 18s ago
 Main PID: 1830 (libvirtd)
   CGroup: name=systemd:/system/libvirtd.service
    ├ 1830 /usr/sbin/libvirtd
    └ 1935 /sbin/dnsmasq --strict-order --bind-interfaces
--pid-file=/var/run/libvirt/network/default.pid --conf-file= --ex...

Feb 13 14:07:23 testvm libvirtd[1830]: 2012-02-13 14:07:23.694+0000: 1841:
error : virCommandWait:2308 : internal error Child proce...ebtables
Feb 13 14:07:23 testvm libvirtd[1830]: cmd='$EBT -t nat -L'
Feb 13 14:07:23 testvm libvirtd[1830]: eval res=\$\("${cmd} 2>&1"\)
Feb 13 14:07:23 testvm libvirtd[1830]: if [ $? -ne 0 ]; then  echo "Failure to
execute command '${cmd}' : '${res}'.";  exit 1;fi
Feb 13 14:07:23 testvm libvirtd[1830]: ) status unexpected: exit status 1
Feb 13 14:07:23 testvm libvirtd[1830]: 2012-02-13 14:07:23.773+0000: 1841:
error : virCommandWait:2308 : internal error Child proce...p6tables
Feb 13 14:07:23 testvm libvirtd[1830]: cmd='$IPT -n -L FORWARD'
Feb 13 14:07:23 testvm libvirtd[1830]: eval res=\$\("${cmd} 2>&1"\)
Feb 13 14:07:23 testvm libvirtd[1830]: if [ $? -ne 0 ]; then  echo "Failure to
execute command '${cmd}' : '${res}'.";  exit 1;fi
Feb 13 14:07:23 testvm libvirtd[1830]: ) status unexpected: exit status 1

in virt-manager window:
Unable to connect to libvirt:

authentication failed: Not authorized.

Could not detect a local session: if you are 
running virt-manager over ssh -X or VNC, you 
may not be able to connect to libvirt as a 
regular user. Try running as root.

Libvirt URI is: qemu:///system

Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/connection.py", line 1185, in
_open_thread
    self.vmm = self._try_open()
  File "/usr/share/virt-manager/virtManager/connection.py", line 1167, in
_try_open
    flags)
  File "/usr/lib64/python2.7/site-packages/libvirt.py", line 102, in openAuth
    if ret is None:raise libvirtError('virConnectOpenAuth() failed')
libvirtError: authentication failed: Not authorized.

But it should let me in due to:

/var/lib/polkit-1/localauthority/50-local.d/virt-manager.pkl

 [Local virt-manager Permissions]
Identity=unix-user:frank
Action=org.libvirt.unix.*
ResultAny=no
ResultInactive=no
ResultActive=yes


Version-Release number of selected component (if applicable):
libvirt-client-0.9.10-0rc2.fc17.x86_64
libvirt-0.9.10-0rc2.fc17.x86_64
libvirt-python-0.9.10-0rc2.fc17.x86_64
virt-manager-0.9.1-1.fc17.1.noarch
virt-manager-common-0.9.1-1.fc17.1.noarch

--- Additional comment from crobinso@redhat.com on 2012-02-13 13:39:12 MST ---

Does virsh --connect qemu:///system as regular user work? Or is this specific to virt-manager?

Did that policykit configuration work on f16?

--- Additional comment from frankly3d@gmail.com on 2012-02-13 16:05:18 MST ---

(In reply to comment #1)
> Does virsh --connect qemu:///system as regular user work? Or is this specific
> to virt-manager?


frank@testvm ~$ virsh --connect qemu:///system
WARNING: gnome-keyring:: couldn't connect to: /tmp/keyring-D69WWU/pkcs11: No such file or directory
error: authentication failed: Not authorized.

error: failed to connect to the hypervisor


> 
> Did that policykit configuration work on f16?

yes.

Xfce Host but.
Gnome-Keyring, coolkey + deps are installed 


Will look further in the morning.

--- Additional comment from crobinso@redhat.com on 2012-02-13 16:46:47 MST ---

Moving to libvirt for now since it's not virt-manager specific

--- Additional comment from frankly3d@gmail.com on 2012-02-21 12:45:11 MST ---

Uncertain if this is complicit:
http://lists.fedoraproject.org/pipermail/test/2012-February/105736.html

--- Additional comment from eblake@redhat.com on 2012-02-21 13:33:34 MST ---

Could possibly be a case of needing to backport this:

commit fcdfa31f3cad32f41ef5e7933c58d986ab7fc6c9
Author: Jim Fehlig <jfehlig@suse.com>
Date:   Wed Feb 15 10:01:50 2012 -0700

    Fix polkit0 authentication
    
    Commit 7033c5f2 introduced some bugs in polkit0 authentication.
    
    Fix libvirtd segfault in remoteDispatchAuthPolkit().
    
    Fix polkit authentication bypass when caller UID = 0.
Comment 1 Eric Blake 2012-02-21 17:43:17 EST
I'm not sure if only libvirt is at fault, or even if the reported problem would occur on RHEL or is just specific to Fedora rawhide, but it cannot hurt to backport the libvirt patches related to polkit authorization.
Comment 4 Frank Murphy 2012-02-22 06:35:50 EST
(In reply to comment #3)
> In POST:
> http://post-office.corp.redhat.com/archives/rhvirt-patches/2012-February/msg01033.html

Hi Eric,
Should I follow progress at the above url?
Comment 5 Eric Blake 2012-02-22 08:04:52 EST
(In reply to comment #4)
> (In reply to comment #3)
> > In POST:
> > http://post-office.corp.redhat.com/archives/rhvirt-patches/2012-February/msg01033.html
> 
> Hi Eric,
> Should I follow progress at the above url?

That depends - are you interested in what gets built for RHEL 6.3 (that URL provides the patch for backporting the fix to RHEL), or are you interested in what gets built for rawhide (in which case, bug 790037 is the one to follow), or are you interested in building your own libvirt (in which case, libvirt.git has already been patched, and libvirt 0.9.11 will have the fix)?
Comment 6 yanbing du 2012-02-28 01:53:07 EST
With libvirt-0.9.10-0rc2.el6.x86_64, reproduce this problem.
Steps:
1. enable dbus.service
# /etc/rc.d/init.d/messagebus start
Starting system message bus:                               [  OK  ]
2. enable avahi-daemon.service
# /etc/init.d/avahi-daemon start
Starting Avahi daemon...                                   [  OK  ]
3. start libvirtd.service
# /etc/init.d/libvirtd start
Starting libvirtd daemon:                                  [  OK  ]
4. Switch to regular user and connect to libvirtd
$ virsh --connect qemu:///system
error: authentication failed: Authorization requires authentication but no
agent is available.

error: failed to connect to the hypervisor
Comment 9 yanbing du 2012-02-29 03:21:46 EST
Tested fail with libvirt-0.9.10-3.el6.x86_64.
Note, 
The test steps like comment 6 described.
If i run 'virt-manager' or 'virsh -c qemu:///system' as regular user locally, the Authenticate message box will popup and ask for root password, that works correctly. 
But if i run these commands over ssh -X as regular user, it still failed.
The libvirtd log as following:
# tail -f /var/log/libvirt/libvirtd.log
2012-02-29 07:59:37.412+0000: 2320: error : remoteDispatchAuthPolkit:2525 : Policy kit denied action org.libvirt.unix.manage from pid 3085, uid 500: exit status 2
2012-02-29 07:59:37.412+0000: 2320: error : remoteDispatchAuthPolkit:2554 : authentication failed: Authorization requires authentication but no agent is available.

2012-02-29 07:59:41.946+0000: 2318: error : virNetSocketReadWire:999 : End of file while reading data: Input/output error

Is there anything i missed to test this bug? please correct me, thanks!
Comment 10 Daniel Berrange 2012-03-15 06:04:30 EDT
PolicyKit is unable to prompt for any passwords if you're running from an SSH shell.  If you want that to work, you'd have to change the local policy to *not* ask for a password in this scenario.  Only if running from a desktop login session directly will it ask for passwords.
Comment 11 Eric Blake 2012-03-16 15:34:39 EDT
I'm not sure the best way to test this, but the way I found that a patch needed backporting in the first place was by running libvirtd under valgrind, then using virt-manager to connect to libvirt.  Before the patch, there was a memory leak on stock 0.9.10 usage, pointing back to the polkit code.
Comment 14 yanbing du 2012-05-04 03:53:33 EDT
(In reply to comment #13)
> (In reply to comment #12)
> > Hi,
> >   I'm trying to reproduce this bug(polkit authorization broken). But still
> > can't find the root problem.
> 
> > 
> > I'm not sure what the exact test/verify steps should be, so please correct me
> > if needed. Thanks!
> 
> See comment #11.  I also don't know how to demonstrate the real problem by use
> of polkit policy files.  I only know that I found the issue by using valgrind
> on a default installation, with no modification of polkit files, and verified
> that the patch was able to plug the leak reported by valgrind.

Then this bug can be verified. Both on libvirt-0.9.10-3.el6.x86_64 and libvirt-0.9.10-16.el6.x86_64.
With libvirt-0.9.10-1.el6.x86_64 
use valgrind to check libvirtd, result like:
==17288== LEAK SUMMARY:
==17288==    definitely lost: 738 bytes in 40 blocks
==17288==    indirectly lost: 0 bytes in 0 blocks
==17288==      possibly lost: 8,664 bytes in 50 blocks
==17288==    still reachable: 1,933,261 bytes in 19,248 blocks
==17288==         suppressed: 0 bytes in 0 blocks
==17288== Rerun with --leak-check=full to see details of leaked memory
==17288== 
==17288== For counts of detected and suppressed errors, rerun with: -v
==17288== Use --track-origins=yes to see where uninitialised values come from
==17288== ERROR SUMMARY: 85 errors from 15 contexts (suppressed: 32 from 9)
After upgrade libvirt, result like:
==19445== LEAK SUMMARY:
==19445==    definitely lost: 0 bytes in 0 blocks
==19445==    indirectly lost: 0 bytes in 0 blocks
==19445==      possibly lost: 0 bytes in 0 blocks
==19445==    still reachable: 126,299 bytes in 1,346 blocks
==19445==         suppressed: 0 bytes in 0 blocks
==19445== Rerun with --leak-check=full to see details of leaked memory
==19445==
==19445== For counts of detected and suppressed errors, rerun with: -v
==19445== Use --track-origins=yes to see where uninitialised values come from
==19445== ERROR SUMMARY: 45 errors from 10 contexts (suppressed: 8 from 6)
Comment 16 errata-xmlrpc 2012-06-20 02:48:56 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2012-0748.html

Note You need to log in before you can comment on or make changes to this bug.