Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 291008 - app-emulation/libvirt-0.7.2 only ask for root password
Summary: app-emulation/libvirt-0.7.2 only ask for root password
Status: RESOLVED WORKSFORME
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Virtualization Team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2009-10-29 13:22 UTC by Albert W. Hopkins
Modified: 2010-01-27 12:12 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
emerge --info (emerge--info.txt,3.76 KB, text/plain)
2009-10-29 13:22 UTC, Albert W. Hopkins 		Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Albert W. Hopkins 2009-10-29 13:22:17 UTC 
I upgraded libvirt from 0.6.5-r1.  In the previous version, I would be asked for my non-root username/password whenever I used virt-manager.  However with 0.7.2 I am always asked the root password, not my user password.

I looked around and did notice that in the previous version there was a .policy file in /usr/share/PolicyKit/policy that the newer version does not install, but I'm not certain if that's the issue or not.

I've tried messing with the libvirtd.conf file to force it to use polkit but have not been successful.  I'm using virt-manager 0.8.0.

If I downgrade libvirt then I get the expected behavior.

$ equery u libvirt |cat
+avahi
-caps
+hal
-iscsi
+kvm
-libvirtd
-lvm
-lxc
-network
-nfs
+nls
-numa
-one
-openvz
-parted
-phyp
+policykit
+python
-qemu
-sasl
-selinux
-uml
-virtualbox
-xen
Comment 1 Albert W. Hopkins 2009-10-29 13:22:42 UTC 
Created attachment 208631 [details]
emerge --info
Comment 2 Lance Albertson (RETIRED) gentoo-dev 2009-12-23 06:40:34 UTC 
(In reply to comment #0)
> I upgraded libvirt from 0.6.5-r1.  In the previous version, I would be asked
> for my non-root username/password whenever I used virt-manager.  However with
> 0.7.2 I am always asked the root password, not my user password.
> 
> I looked around and did notice that in the previous version there was a .policy
> file in /usr/share/PolicyKit/policy that the newer version does not install,
> but I'm not certain if that's the issue or not.

Can you verify you still have the problem with 0.7.4-r2 as well? I want to make sure before I go digging around to see what might be causing that.

Thanks-
Comment 3 Diego Elio Pettenò (RETIRED) gentoo-dev 2009-12-23 17:10:16 UTC 
Please confirm if the same happens to 0.7.5.
Comment 4 Albert W. Hopkins 2009-12-23 21:20:28 UTC 
(In reply to comment #3)
> Please confirm if the same happens to 0.7.5.
> 

Hi, well 0.7.5 is not in the tree, but copied over the latest ebuild and that worked.

I get the same error, however. 

In addition i tried this

$ polkit-auth --obtain org.libvirt.unix.manage --show-obtainable
Attempting to obtain authorization for org.libvirt.unix.manage.
polkit-grant-helper: given auth type (1 -> no) is bogus
Failed to obtain authorization for org.libvirt.unix.manage.
Attempting to obtain authorization for org.libvirt.unix.manage.
polkit-grant-helper: given auth type (1 -> no) is bogus
Failed to obtain authorization for org.libvirt.unix.manage.

As my user.  I also tried it as root and got the same error.  Then as root I tried:

polkit-auth --user <user> --grant org.libvirt.unix.manage

The org.libvirt.unix.manage is the "action string" that is displayed in the password dialog for virt-manager.  The command gave no error message, however when I tried to run virt-manager again as <user> it still prompts for the root password.  In addition:

$ polkit-auth --obtain org.libvirt.unix.manage --show-obtainable
Attempting to obtain authorization for org.libvirt.unix.manage.
polkit-grant-helper: given auth type (8 -> yes) is bogus
Failed to obtain authorization for org.libvirt.unix.manage.
Attempting to obtain authorization for org.libvirt.unix.manage.
polkit-grant-helper: given auth type (8 -> yes) is bogus
Failed to obtain authorization for org.libvirt.unix.manage.

Pretty much the same message, but note the 1's got changed to 8's after I did the --grant.  So it did do something, but still not working.

Also the org.libvirt.unix.manage does not show up anywhere in the polkit-gnome-authorization gui which leads me to believe that libvirt isn't installing the correct policy files(?).  But i really don't know enough about polkit to be certain.
Comment 5 Diego Elio Pettenò (RETIRED) gentoo-dev 2009-12-23 21:30:46 UTC 
0.7.5 _is_ in tree or I wouldn't have asked to test it.

@gnome team since I don't have a clue about polkit can you look into it? Thanks.
Comment 6 Mike Auty (RETIRED) gentoo-dev 2010-01-27 12:12:37 UTC 
Libvirt-0.7.5's default policy for allowing read/write management of a virtual machine is to require root permission.  This can be seen in /usr/share/polkit-1/actions/org.libvirt.unix.policy, where allow_active is set to auth_admin_keep, which requires someone to log in as admin and maintains the authorization for a short time.

As such libvirt's working exactly as it's supposed to when it asks you to authenticate yourself using root's credentials.  If you want to change the policy, that's a polkit configuration issue and not a bug, and would be best directed at the user forums, which you can find at http://forums.gentoo.org/.

Please also note that polkit-gnome-authorizations only shows policies from policykit not polkit (despite the name), and since libvirt uses the new polkit framework, it will not show up in the authorizations tool.  Also, the authorizations tool has no counterpart in the more recent polkit framework, so you will have to use the command line tools to alter your policy settings.  There is a bug open about libvirt depending on policykit when it in fact requires polkit, which you can find at bug 302443.

I'm going to mark this as WORKSFORME, since it works the way it's supposed to for me.