Hi.

On Fri, 7 Nov 2014 21:17:34 +0100 Guido Günther <a...@sigxcpu.org> wrote:
> Thanks for the patch but we have this in libvirt-daemon-system.NEWS
> already - and that's the package that depends on systemd. We rather
> need an update to README.Debian of libvirt-daemon-system explaining
> how to _exactly_ configure socket based security.

Misunderstood you. Here's the patch, but I'm somewhat lost here - README.Debian is provided by the libvirt-bin package only, which is marked as a transitional one.

Should I rename README.Debian to libvirt-daemon-system.README? Or should I do it the old-fashioned way by appending README.Debian to libvirt-daemon-system.examples? I'm not *that* familiar with these new dh_ tricks :(

And, the usual thing - hereby transferring authorship of this patch and all appropriate rights to the Debian Libvirt Maintainers.

Reco

diff --git a/debian/README.Debian b/debian/README.Debian index ffa7917..7f291a9 100644 --- a/debian/README.Debian +++ b/debian/README.Debian @@ -53,13 +53,33 @@ can handle the virtual bridges. Access Control ============== -Access to the libvirt managing tasks is controlled by PolicyKit. To ease -configuration membership in the "libvirt" group is sufficient. If you want to -manage VMs as non-root you need to add a user to that group. +Remove access to the libvirtd is disabled by default. +Local access to the libvirt managing tasks is controlled by PolicyKit by +default. +To ease configuration membership in the "libvirt" group is sufficient. If you +want to manage VMs as non-root you need to add a user to that group. -Note that this will allow users in this group to use all of libvirt's -API including modifying files on the host. For finer grained access -control have a look at libvirt's ACLs. +Disabling PolicyKit management requires the following modifications of +/etc/libvirt/libvirtd.conf: + +1) Explicitly setting auth_unix_ro and auth_unix_rw to "none". + +2) Uncommenting unix_sock_ro_perms and unix_sock_rw_perms. Recommended values +are "0770", default values should suffice though. + +3) Explicitly setting unix_sock_group to "libvirt". + +The changes made in /etc/libvirt/libvirtd.conf should be mirrored in +libvirtd.socket (a "must do" action if using systemd): + +1) Copy /lib/systemd/system/libvirtd.socket to /etc/systemd/system. + +2) Edit SocketMode, SocketUser and SocketGroup values to match libvirtd.conf +changes. + +Given such customizations (or using Policykit) "libvirt" membership will allow +users to use all of libvirt's API including modifying files on the host. For +finer grained access control have a look at libvirt's ACLs (requires PolicyKit). System QEMU/KVM processes are run as user and group libvirt-qemu. This can be adjusted via /etc/libvirt/qemu.conf.
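
Review bot: Step 2 of the libvirtd.socket list ("Edit SocketMode, SocketUser and SocketGroup values to match libvirtd.conf changes") never states which values to set, and SocketUser has no counterpart among the three libvirtd.conf steps above it, so a reader cannot tell what "match" means for it. Since the same text sets auth_unix_ro and auth_unix_rw to "none", the socket's mode and group are the only access control left in this configuration, and a mismatch between libvirtd.conf and the socket unit goes unnoticed. Please spell the values out, for example SocketMode=0770 and SocketGroup=libvirt to mirror unix_sock_rw_perms and unix_sock_group, and say explicitly what SocketUser should be. In the same spirit, 'Recommended values are "0770", default values should suffice though' should name the default it refers to, because step 2 asks the reader to uncomment the settings without saying what the commented-out values are. Two wording fixes: the first added line reads "Remove access to the libvirtd is disabled by default" where "Remote access to libvirtd" is meant, and "Policykit" in the last added paragraph should be spelled "PolicyKit" as elsewhere in the file.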