From patchwork Thu Apr 14 19:41:22 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Cole Robinson X-Patchwork-Id: 65845 Delivered-To: patch@linaro.org Received: by 10.140.93.198 with SMTP id d64csp791187qge; Thu, 14 Apr 2016 12:44:19 -0700 (PDT) X-Received: by 10.140.236.72 with SMTP id h69mr21126408qhc.92.1460663059315; Thu, 14 Apr 2016 12:44:19 -0700 (PDT) Return-Path: Received: from mx6-phx2.redhat.com (mx6-phx2.redhat.com. [209.132.183.39]) by mx.google.com with ESMTPS id v65si9186723qka.89.2016.04.14.12.44.19 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 14 Apr 2016 12:44:19 -0700 (PDT) Received-SPF: pass (google.com: domain of libvir-list-bounces@redhat.com designates 209.132.183.39 as permitted sender) client-ip=209.132.183.39; Authentication-Results: mx.google.com; spf=pass (google.com: domain of libvir-list-bounces@redhat.com designates 209.132.183.39 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by mx6-phx2.redhat.com (8.14.4/8.14.4) with ESMTP id u3EJfRt3003863; Thu, 14 Apr 2016 15:41:29 -0400 Received: from int-mx09.intmail.prod.int.phx2.redhat.com (int-mx09.intmail.prod.int.phx2.redhat.com [10.5.11.22]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id u3EJfPBh020130 for ; Thu, 14 Apr 2016 15:41:25 -0400 Received: from colepc.redhat.com (ovpn-113-40.phx2.redhat.com [10.3.113.40]) by int-mx09.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id u3EJfPEC006616; Thu, 14 Apr 2016 15:41:25 -0400 From: Cole Robinson To: libvirt-list@redhat.com Date: Thu, 14 Apr 2016 15:41:22 -0400 Message-Id: <1eada2fac71a7ed9f751ce6b779a46d1e3972955.1460662877.git.crobinso@redhat.com> X-Scanned-By: MIMEDefang 2.68 on 10.5.11.22 X-loop: libvir-list@redhat.com Subject: [libvirt] [PATCH] remote: Don't reject remote polkit if client lacks support X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com If you compile a client --without-polkit, and connect to a URI that needs polkit auth, the connection will fail with: $ ./tools/virsh --connect qemu+ssh://crobinso@machine/system error: failed to connect to the hypervisor error: authentication failed: unsupported authentication type 2 This is because the client side portion of the polkit handling is compiled out. However, nothing polkit specific is actually required of the client. Fix that error by unconditionally compiling the basic polkit client handling. https://bugzilla.redhat.com/show_bug.cgi?id=635529 --- Granted, if polkit needs to do any interaction at all, and you are connecting to a remote machine, then things are going to fail anyways with a 'missing agent' error. But if you're user is in the 'libvirt' group polkit doesn't need to auth it should all work. src/remote/remote_driver.c | 69 +++++++++++++++++++++------------------------- 1 file changed, 31 insertions(+), 38 deletions(-) -- 2.7.3 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list diff --git a/src/remote/remote_driver.c b/src/remote/remote_driver.c index da94411..6bed2c5 100644 --- a/src/remote/remote_driver.c +++ b/src/remote/remote_driver.c @@ -132,11 +132,9 @@ static int remoteAuthenticate(virConnectPtr conn, struct private_data *priv, #if WITH_SASL static int remoteAuthSASL(virConnectPtr conn, struct private_data *priv, virConnectAuthPtr auth, const char *mech); -#endif -#if WITH_POLKIT +#endif /* WITH_SASL */ static int remoteAuthPolkit(virConnectPtr conn, struct private_data *priv, virConnectAuthPtr auth); -#endif /* WITH_POLKIT */ static virDomainPtr get_nonnull_domain(virConnectPtr conn, remote_nonnull_domain domain); static virNetworkPtr get_nonnull_network(virConnectPtr conn, remote_nonnull_network network); @@ -3326,14 +3324,12 @@ remoteAuthenticate(virConnectPtr conn, struct private_data *priv, } #endif -#if WITH_POLKIT case REMOTE_AUTH_POLKIT: if (remoteAuthPolkit(conn, priv, auth) < 0) { VIR_FREE(ret.types.types_val); return -1; } break; -#endif case REMOTE_AUTH_NONE: /* Nothing todo, hurrah ! */ @@ -3904,30 +3900,10 @@ remoteAuthSASL(virConnectPtr conn, struct private_data *priv, #endif /* WITH_SASL */ -#if WITH_POLKIT -# if WITH_POLKIT1 -static int -remoteAuthPolkit(virConnectPtr conn, struct private_data *priv, - virConnectAuthPtr auth ATTRIBUTE_UNUSED) -{ - remote_auth_polkit_ret ret; - VIR_DEBUG("Client initialize PolicyKit-1 authentication"); - - memset(&ret, 0, sizeof(ret)); - if (call(conn, priv, 0, REMOTE_PROC_AUTH_POLKIT, - (xdrproc_t) xdr_void, (char *)NULL, - (xdrproc_t) xdr_remote_auth_polkit_ret, (char *) &ret) != 0) { - return -1; /* virError already set by call */ - } - - VIR_DEBUG("PolicyKit-1 authentication complete"); - return 0; -} -# elif WITH_POLKIT0 -/* Perform the PolicyKit authentication process - */ +#if WITH_POLKIT0 +/* Perform the PolicyKit0 authentication process */ static int -remoteAuthPolkit(virConnectPtr conn, struct private_data *priv, +remoteAuthPolkit0(virConnectPtr conn, struct private_data *priv, virConnectAuthPtr auth) { remote_auth_polkit_ret ret; @@ -3943,14 +3919,8 @@ remoteAuthPolkit(virConnectPtr conn, struct private_data *priv, }; VIR_DEBUG("Client initialize PolicyKit-0 authentication"); - /* Check auth first and if it succeeds we are done. */ - memset(&ret, 0, sizeof(ret)); - if (call(conn, priv, 0, REMOTE_PROC_AUTH_POLKIT, - (xdrproc_t) xdr_void, (char *)NULL, - (xdrproc_t) xdr_remote_auth_polkit_ret, (char *) &ret) == 0) - goto out; - - /* Auth failed. Ask client to obtain it and check again. */ + /* We only make it here if auth already failed + * Ask client to obtain it and check again. */ if (auth && auth->cb) { /* Check if the necessary credential type for PolicyKit is supported */ for (i = 0; i < auth->ncredtype; i++) { @@ -3986,8 +3956,31 @@ remoteAuthPolkit(virConnectPtr conn, struct private_data *priv, VIR_DEBUG("PolicyKit-0 authentication complete"); return 0; } -# endif /* WITH_POLKIT0 */ -#endif /* WITH_POLKIT */ +#endif /* WITH_POLKIT0 */ + +static int +remoteAuthPolkit(virConnectPtr conn, struct private_data *priv, + virConnectAuthPtr auth ATTRIBUTE_UNUSED) +{ + remote_auth_polkit_ret ret; + VIR_DEBUG("Client initialize PolicyKit authentication"); + + memset(&ret, 0, sizeof(ret)); + if (call(conn, priv, 0, REMOTE_PROC_AUTH_POLKIT, + (xdrproc_t) xdr_void, (char *)NULL, + (xdrproc_t) xdr_remote_auth_polkit_ret, (char *) &ret) != 0) { + return -1; /* virError already set by call */ + } + +#if WITH_POLKIT0 + if (remoteAuthPolkit0(conn, priv, auth) < 0) + return -1; +#endif /* WITH_POLKIT0 */ + + VIR_DEBUG("PolicyKit authentication complete"); + return 0; +} + /*----------------------------------------------------------------------*/ static int