https://bugzilla.novell.com/show_bug.cgi?id=544579
https://bugzilla.novell.com/show_bug.cgi?id=544579#c13
--- Comment #13 from Justin Clift 2010-09-14 08:31:26 UTC ---
The "set_polkit_default_privs" script (attached) refers to some other
PolicyKit related pieces on the filesystem:
/etc/sysconfig/security (attached)
/etc/polkit-default-privs.d/ (doesn't exist)
/etc/polkit-default-privs.standard (attached) <-- this one is used by default
/etc/polkit-default-privs.restrictive (attached) <-- this one is unused unless set in the /etc/sysconfig/security file
Grepping the /etc/polkit-default-privs.standard file for occurrences of
"libvirt" gives this:
org.libvirt.unix.monitor yes
org.libvirt.unix.manage auth_admin_keep_always
It looks like the concept used for the openSUSE implementation is to allow
management access to any user regarded as an admin by PolicyKit.
Investigating that, openSUSE ships with the same default local authority file
as other distributions:
/etc/polkit-1/localauthority.conf.d/50-localauthority.conf
With the same contents as elsewhere:
# Configuration file for the PolicyKit Local Authority.
#
# DO NOT EDIT THIS FILE, it will be overwritten on update.
#
# See the pklocalauthority(8) man page for more information
# about configuring the Local Authority.
#
[Configuration]
AdminIdentities=unix-user:0
This gives only root access by default (it seems).
*************
Looking at the text of the openSUSE local configuration file,
polkit-default-privs.local:
#
# /etc/polkit-default-privs.local
#
# This file is used by set_polkit_default_privs to check or set
# the implicit default privileges granted by PolicyKit
#
# In particular, this file will not be touched during an upgrade of the
# installation. It is designed to be a placeholder for local
# additions by the administrator of the system.
#
# Note that you need to run /sbin/set_polkit_default_privs for
# changes to take effect.
#
# Format:
# <privilege> <any>:<inactive>:<active>
#
It seems like this is the intended place for PolicyKit config changes in
openSUSE's implementation, rather than placing files in the /etc/polkit-1/
directory structure.
Conceptually, I'm not sure how to leverage this approach to achieve things like
"group access" and similar for libvirt.
openSUSE ships with this file by default:
/var/lib/polkit-1/localauthority/10-vendor.d/org.libvirt.unix.manage.pkla
Containing:
[org.libvirt.unix.manage]
Identity=unix-user:*
Action=org.libvirt.unix.manage
ResultAny=auth_admin_keep
ResultInactive=auth_admin_keep
ResultActive=auth_admin_keep
This seems to be (from my point of view at the moment) causing the problem.
*Removing* this file allows the more familiar .pkla file approach documented
for RHEL 6/Fedora 12+ as working.
i.e. adding
/etc/polkit-1/localauthority/50-local.d/50-org.example-libvirt-remote-access.pkla
with contents:
[libvirt Management Access]
Identity=unix-group:libvirt
Action=org.libvirt.unix.manage
ResultAny=yes
ResultInactive=yes
ResultActive=yes
Then creating the unix group "libvirt". Any users added to this group gain the
ability to manage libvirt (tested and verified through ssh on openSUSE 11.3).
This approach doesn't seem to be in line with how openSUSE intends things to be
configured though, so I'm reluctant to recommend this as the official libvirt
recommendation of "how to do things on openSUSE".
All pointers, suggestions for improvement, thoughts, etc, welcome. :)
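Added example (not part of the bug report, and not openSUSE's or libvirt's code): a small auditor for the two PolicyKit configuration formats quoted in the comment. It parses pklocalauthority .pkla files and polkit-default-privs lines, then lists every identity that is granted a result other than "no" for a given action, flagging grants that give "yes" without any authentication. The file contents are constructed from the fragments in the comment; the file names are the paths the comment names. It assumes that a single value in polkit-default-privs (such as "yes") applies to all three contexts, and it deliberately does not model which file wins when several files cover the same action.

```python
"""Audit PolicyKit grants for an action from .pkla files and polkit-default-privs lines."""
import configparser
from dataclasses import dataclass
from typing import List

NO_RESULT = ("no", "no", "no")


@dataclass
class Grant:
    source: str    # file or line set the grant came from
    action: str    # e.g. org.libvirt.unix.manage
    identity: str  # unix-user:*, unix-group:libvirt, or "(implicit default)"
    any: str       # result for any session
    inactive: str  # result for inactive (e.g. remote/ssh) sessions
    active: str    # result for active local sessions

    def allows_without_auth(self) -> bool:
        """True if some session context gets 'yes' with no authentication at all."""
        return "yes" in (self.any, self.inactive, self.active)


def parse_pkla(text: str, source: str) -> List[Grant]:
    """Parse one .pkla file; Identity and Action may list several values separated by ';'."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case so ResultAny etc. are found as written
    cp.read_string(text)
    grants = []
    for section in cp.sections():
        s = cp[section]
        identities = [i.strip() for i in s.get("Identity", "").split(";") if i.strip()]
        actions = [a.strip() for a in s.get("Action", "").split(";") if a.strip()]
        for ident in identities:
            for action in actions:
                grants.append(Grant(source, action, ident,
                                    s.get("ResultAny", "no"),
                                    s.get("ResultInactive", "no"),
                                    s.get("ResultActive", "no")))
    return grants


def parse_default_privs(text: str, source: str) -> List[Grant]:
    """Parse polkit-default-privs lines of the form '<privilege> <any>:<inactive>:<active>'.

    Assumption (not stated on the page): a single value applies to all three contexts.
    These are implicit defaults, so the identity is recorded as '(implicit default)'.
    """
    grants = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split(None, 1)
        if len(fields) != 2:
            continue
        privilege, result = fields
        parts = result.strip().split(":")
        if len(parts) == 1:
            parts = parts * 3
        elif len(parts) != 3:
            continue  # malformed entry, skip rather than guess
        grants.append(Grant(source, privilege, "(implicit default)", *parts))
    return grants


def grants_for(action: str, grants: List[Grant]) -> List[Grant]:
    """Every grant for the action that is not an outright 'no' in all contexts."""
    return [g for g in grants
            if g.action == action and (g.any, g.inactive, g.active) != NO_RESULT]


def unauthenticated_identities(action: str, grants: List[Grant]) -> List[str]:
    """Identities that can perform the action in some context with no authentication."""
    return sorted({g.identity for g in grants_for(action, grants) if g.allows_without_auth()})


# Constructed sample input, taken from the fragments quoted in the comment.
VENDOR_PKLA = """[org.libvirt.unix.manage]
Identity=unix-user:*
Action=org.libvirt.unix.manage
ResultAny=auth_admin_keep
ResultInactive=auth_admin_keep
ResultActive=auth_admin_keep
"""

LOCAL_PKLA = """[libvirt Management Access]
Identity=unix-group:libvirt
Action=org.libvirt.unix.manage
ResultAny=yes
ResultInactive=yes
ResultActive=yes
"""

DEFAULT_PRIVS = """# excerpt of the grep output from the comment
org.libvirt.unix.monitor yes
org.libvirt.unix.manage auth_admin_keep_always
"""

ALL_GRANTS = (
    parse_pkla(VENDOR_PKLA, "10-vendor.d/org.libvirt.unix.manage.pkla")
    + parse_pkla(LOCAL_PKLA, "50-local.d/50-org.example-libvirt-remote-access.pkla")
    + parse_default_privs(DEFAULT_PRIVS, "polkit-default-privs.standard")
)

if __name__ == "__main__":
    for g in grants_for("org.libvirt.unix.manage", ALL_GRANTS):
        flag = " <-- no authentication required" if g.allows_without_auth() else ""
        print(f"{g.source}: {g.identity} any={g.any} inactive={g.inactive} active={g.active}{flag}")
```

Run against the constructed input, the only identity that reaches org.libvirt.unix.manage without authenticating is unix-group:libvirt from the local .pkla; the vendor file and the polkit-default-privs entry both require admin authentication. Pointing the parsers at the real files under /var/lib/polkit-1/localauthority and /etc/polkit-1/localauthority gives the same kind of listing for a live system.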