On Fri, 7 Nov 2014 08:46:42 +0100 Guido Günther <a...@sigxcpu.org> wrote:
> Having polkit installed and doing nothing (for people switching to
> socket based permission checks) is IMHO a better service to our users
> than having all the bugs for people installing without recommends (and
> there are many of those). Disabling polkit requires a bit of detailed
> knowledge to not introduce security holes e.g. via the socket
> activation file.

I agree that libvirtd insists on using 'polkit' authentication by default.
I disagree that there's special knowledge required for disabling 'polkit'
correctly, as all that's really required is to uncomment unix_sock_group,
unix_sock_ro_perms and unix_sock_rw_perms in libvirtd.conf (which has sane
defaults for these), and to change auth_unix_ro and auth_unix_rw to none.
And in the absence of a running policykit-1, libvirt simply does not allow
anyone other than root to use its sockets (which is the most secure default
setting IMO).

> I'll leave this open to hear about other opinions but I don't see any
> drawbacks on depending on polkit by default.

Introducing yet another privilege escalation mechanism on unsuspecting
servers is a drawback in my book. Especially if said mechanism has a
less-than-stellar security record.

At least, please update NEWS.Debian (or README.Debian) for libvirt with an
explanation of libvirt's usage of policykit-1.

Reco
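To make the socket configuration described in this message checkable, the following is an added example that is not part of the thread or of libvirt's own tooling: it parses the relevant libvirtd.conf keys and reports who can reach the read-write socket, flagging the combination the message warns about (polkit auth switched off without tightening the socket). The defaults for commented-out keys and the polkit-build assumption follow upstream's libvirtd.conf comments and are assumptions here; the sample configs are constructed.

```python
import re
# Defaults for keys left commented out, per upstream libvirtd.conf comments
# (assumption: a polkit-enabled build, so the rw socket defaults to 'polkit').
DEFAULTS = {
    "unix_sock_group": "root",
    "unix_sock_ro_perms": "0777",
    "unix_sock_rw_perms": "0700",
    "auth_unix_ro": "none",
    "auth_unix_rw": "polkit",
}
_LINE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"#]*?)"?\s*(?:#.*)?$')

def parse_libvirtd_conf(text):
    """Effective value of each socket key; commented-out keys keep defaults."""
    effective = dict(DEFAULTS)
    for line in text.splitlines():
        m = _LINE.match(line)          # a leading '#' never matches \w+ = ...
        if m and m.group(1) in effective:
            effective[m.group(1)] = m.group(2).strip()
    return effective

def audit_socket_access(text, polkit_running=True):
    """Say who can reach the read-write socket and flag risky combinations."""
    cfg = parse_libvirtd_conf(text)
    rw_mode = int(cfg["unix_sock_rw_perms"], 8)
    findings = []
    if cfg["auth_unix_rw"] == "polkit":
        # polkit authorises per request; with none running only root gets in
        who = "polkit-authorised users" if polkit_running else "root only"
    elif rw_mode & 0o002:
        who = "every local user"     # full VM management == root-equivalent
        findings.append("rw socket is world-writable with auth_unix_rw=none")
    elif rw_mode & 0o020:
        who = "root and group '%s'" % cfg["unix_sock_group"]
        if cfg["unix_sock_group"] == "root":
            findings.append("group perms set but unix_sock_group is still root")
    else:
        who = "root only"
    return {"rw_socket_access": who, "findings": findings}

# Constructed sample: the keys uncommented/changed as the mail describes.
GROUP_BASED = """
unix_sock_group = "libvirt"
unix_sock_ro_perms = "0777"
unix_sock_rw_perms = "0770"
auth_unix_ro = "none"
auth_unix_rw = "none"
"""
# Constructed sample: polkit auth switched off but the socket left wide open.
WIDE_OPEN = 'unix_sock_rw_perms = "0777"\nauth_unix_rw = "none"\n'
```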