On Mon, Oct 15, 2012 at 11:23:04AM -0400, Cole Robinson wrote:
On 10/15/2012 04:01 AM, Richard W.M. Jones wrote:
>
> From 9eea45e80ad80283f1a89f792bcf0c174818f4a2 Mon Sep 17 00:00:00 2001
> From: "Richard W.M. Jones" <rjones(a)redhat.com>
> Date: Mon, 15 Oct 2012 09:01:13 +0100
> Subject: [PATCH] daemon: Make the default PolicyKit policy auth_admin_keep.
>
> ---
> daemon/libvirtd.policy.in | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/daemon/libvirtd.policy.in b/daemon/libvirtd.policy.in
> index 000c17e..df42e5f 100644
> --- a/daemon/libvirtd.policy.in
> +++ b/daemon/libvirtd.policy.in
> @@ -31,8 +31,8 @@ version 2. See COPYING for details.
> <defaults>
> <!-- Any program can use libvirt in read/write mode if they
> provide the root password -->
> - <allow_any>auth_admin</allow_any>
> - <allow_inactive>auth_admin</allow_inactive>
> + <allow_any>@authaction@</allow_any>
> + <allow_inactive>@authaction@</allow_inactive>
> <allow_active>@authaction@</allow_active>
> </defaults>
> </action>
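Review bot: the comment kept as context above the changed lines ("Any program can use libvirt in read/write mode if they provide the root password") is not updated, and the commit message has no body explaining why a security-relevant default for allow_any and allow_inactive changes. The subject names auth_admin_keep, but the hunk only shows the @authaction@ placeholder, so what any and inactive sessions end up with depends on a build-time substitution that is not visible here. Suggest stating the rationale and the resulting value in the commit message, updating the comment to match, and considering a separate substitution for allow_any/allow_inactive so they can be set independently of allow_active.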
ACK

While this patch does what Rich intends it to do, I'm a little wary of
changing this, since this is a security relevant setting. Looking at
the rules on my F17 box, there is a fair mix of different triples
used by apps. Some have (no, no, auth_admin_keep), some have
(auth_admin, auth_admin, auth_admin_keep) and others have
(auth_admin_keep, auth_admin_keep, auth_admin_keep). The actions that
give broader / more serious access seem to have a slight bias against
using the _keep variant for any/inactive.
I don't have a good answer here, but I think we should seek guidance
on this before changing our defaults.
Regards,
Daniel
--
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org       -o-    http://virt-manager.org :|
|: http://autobuild.org     -o-    http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o-   http://live.gnome.org/gtk-vnc :|
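
The survey of installed rules described in the reply above can be reproduced with a short script. This is an added example, not part of the original thread or of libvirt: it tabulates the (allow_any, allow_inactive, allow_active) triple of every polkit action and lists the actions that use a _keep variant for any/inactive. The directory path is an assumption, and the sample document and its org.example.* action ids are constructed.

```python
import glob
import xml.etree.ElementTree as ET
from collections import Counter

# Assumed location of polkit action files; adjust for your distribution.
POLICY_GLOB = "/usr/share/polkit-1/actions/*.policy"
FIELDS = ("allow_any", "allow_inactive", "allow_active")

# Constructed sample holding the three triples named in the mail above.
SAMPLE = """<policyconfig>
  <action id="org.example.a"><defaults>
    <allow_any>no</allow_any><allow_inactive>no</allow_inactive>
    <allow_active>auth_admin_keep</allow_active></defaults></action>
  <action id="org.example.b"><defaults>
    <allow_any>auth_admin</allow_any><allow_inactive>auth_admin</allow_inactive>
    <allow_active>auth_admin_keep</allow_active></defaults></action>
  <action id="org.example.c"><defaults>
    <allow_any>auth_admin_keep</allow_any>
    <allow_inactive>auth_admin_keep</allow_inactive>
    <allow_active>auth_admin_keep</allow_active></defaults></action>
</policyconfig>"""

def triples_from_xml(data):
    """Map action id -> (allow_any, allow_inactive, allow_active)."""
    out = {}
    for action in ET.fromstring(data).iter("action"):
        out[action.get("id")] = tuple(
            # "unset" marks an element that is absent or empty
            (action.findtext(f"defaults/{f}") or "").strip() or "unset"
            for f in FIELDS)
    return out

def keeps_for_non_active(triple):
    """True if any/inactive sessions get a retained (_keep) authorization."""
    return any(v.endswith("_keep") for v in triple[:2])

def summarize(triples):
    """Return (Counter of triples, sorted ids using _keep for any/inactive)."""
    flagged = sorted(a for a, t in triples.items() if keeps_for_non_active(t))
    return Counter(triples.values()), flagged

if __name__ == "__main__":
    found = {}
    for path in glob.glob(POLICY_GLOB):
        with open(path, "rb") as fh:  # bytes, so the XML encoding header is honoured
            found.update(triples_from_xml(fh.read()))
    counts, flagged = summarize(found or triples_from_xml(SAMPLE))
    for triple, n in counts.most_common():
        print(n, triple)
    print("_keep for any/inactive:", flagged)
```

When no policy files are found at the assumed path, the script falls back to the constructed sample.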