On Thu, Nov 29, 2007 at 05:18:41PM +0000, Daniel P. Berrange wrote:
> This patch adds support for a PolicyKit authentication mechanism. This
> was previously described here:
>
> http://www.redhat.com/archives/libvir-list/2007-September/msg00168.html
>
> If PolicyKit is compiled in, then the UNIX domain sockets have their
> default settings changed to make use of PolicyKit. Thus, when PolicyKit
> is enabled, both the RO & RW sockets are mode 0777. PolicyKit is then
> called upon client connect to decide whether to allow the client to gain
> access.
>
> The policy file is shipped in /usr/share/PolicyKit/policy and has default
> settings to mimic current non-PolicyKit access. If making a read-only
> connection, any application will be granted access by default. If making
> a read-write connection, applications will need to authenticate against
> PolicyKit by providing the user's own password. This is akin to 'sudo'
> style auth. The credentials persist until the user logs out.
>
> The file in /etc/PolicyKit/PolicyKit.conf can be used by the local sysadmin
> to override the default policy on a per-host basis. E.g., they could restrict
> access to the read-only connections, or open up the read-write connections
> to more apps. See 'man PolicyKit.conf' for more info.
>
> The configure script will check for PolicyKit using pkg-config and only
> enable it if actually present. So any OS without PolicyKit will not be
> impacted by this patch.
>
>  b/qemud/libvirtd.policy             |   42 +++++++++++
>  configure.in                        |   25 ++++++
>  libvirt.spec.in                     |    3
>  qemud/Makefile.am                   |   11 ++
>  qemud/internal.h                    |    7 +
>  qemud/libvirtd.conf                 |   18 +++-
>  qemud/qemud.c                       |   37 +++++++++
>  qemud/remote.c                      |  135 +++++++++++++++++++++++++++++++++++-
>  qemud/remote_dispatch_localvars.h   |    1
>  qemud/remote_dispatch_proc_switch.h |    6 +
>  qemud/remote_dispatch_prototypes.h  |    1
>  qemud/remote_protocol.c             |    9 ++
>  qemud/remote_protocol.h             |    9 ++
>  qemud/remote_protocol.x             |   10 ++
>  src/remote_internal.c               |   35 +++++++++
>  15 files changed, 340 insertions(+), 9 deletions(-)
If anyone has objections / comments wrt to this patch please say so now,
otherwise I'll commit it in an hour or so.

Regards,
Dan.
-- 
|=- Red Hat, Engineering, Emerging Technologies, Boston.  +1 978 392 2496 -=|
|=-           Perl modules: http://search.cpan.org/~danberr/              -=|
|=-               Projects: http://freshmeat.net/~danielpb/               -=|
|=-  GnuPG: 7D3B9505  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505  -=|