Hi Peter!

On Fri, 5 Dec 2025, at 14:40, Peter Krempa wrote:
>> Therefore, I'd like to give users more limited permissions - but I'm a
>> bit lost about the best way to approach that. It seems that I could:
>>
>> - tighten (or relax) socket permissions in the systemd config
>>
>> - switch off socket activation and configure socket permissions in
>> libvirtd.conf
>>
>> - Configure socket-dependent permissions in libvirt
>
> None of this will help unless you trust the user. Whoever is able to
> define a full XML is effectively root.

I was thinking that perhaps there is a socket that I can configure in such a way that it doesn't allow defining the XML? (I thought that the -ro.socket might do something like this)

Best,
-Nikolaus
