Change the default libvirt remote user to libvirt-remote

It is possible to communicate per ssh via a socket with libvirt. It is not a good idea to do this as root, so the remote user is now libvirt-remote. Only this user or users in the group libvirt-remote can communicate with the socket. The user libvirt-remote is created without a password. The users have to set a password for this user after installation. Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2026-04-09 18:45:54 +02:00 · 2016-06-10 10:57:13 +02:00
parent 6c2720cac6
commit 77d989a667
3 changed files with 51 additions and 1 deletions
--- a/lfs/libvirt
+++ b/lfs/libvirt
@@ -33,7 +33,7 @@ DIR_APP    = $(DIR_SRC)/$(THISAPP)
 TARGET     = $(DIR_INFO)/$(THISAPP)
 SUP_ARCH   = i586 x86_64
 PROG       = libvirt
-PAK_VER    = 1
+PAK_VER    = 2

 DEPS       = "libpciaccess libyajl ncat qemu"

@@ -78,6 +78,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	@$(PREBUILD)
 	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
 	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/libvirt/0001-Change-default-behavior-of-libvirt-guests.sh-for-IPF.patch
+	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/libvirt/0002-Change-options-in-libvirtd.conf-for-IPFire.patch
 	cd $(DIR_APP) && ./configure --prefix=/usr --localstatedir=/var --sysconfdir=/etc \
 			--with-openssl --without-sasl \
 			--without-uml --without-vbox --without-lxc --without-esx --without-vmware --without-openvz \
--- a/src/paks/libvirt/install.sh
+++ b/src/paks/libvirt/install.sh
@@ -22,6 +22,12 @@
 ############################################################################
 #
 . /opt/pakfire/lib/functions.sh
+
+# creates a new user and group called libvirt-remote if they not exist
+getent group libvirt-remote >/dev/null || groupadd  libvirt-remote
+getent passwd libvirt-remote >/dev/null || \
+useradd -m -g libvirt-remote -s /bin/bash "libvirt-remote"
+
 extract_files
 start_service --delay 300 --background ${NAME}
 ln -svf /etc/init.d/libvirtd /etc/rc.d/rc0.d/K20libvirtd
--- a/src/patches/libvirt/0002-Change-options-in-libvirtd.conf-for-IPFire.patch
+++ b/src/patches/libvirt/0002-Change-options-in-libvirtd.conf-for-IPFire.patch
@@ -0,0 +1,43 @@
+From 69d6e8ce6c636f78d1db0eebe7fb1cc02ae4fb9a Mon Sep 17 00:00:00 2001
+From: Jonatan Schlag <jonatan.schlag@ipfire.org>
+Date: Mon, 6 Jun 2016 19:40:50 +0200
+Subject: [PATCH 2/2] Change options in libvirtd.conf for IPFire
+
+Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
+---
+ daemon/libvirtd.conf | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/daemon/libvirtd.conf b/daemon/libvirtd.conf
+index ac06cdd..1a41914 100644
+--- a/daemon/libvirtd.conf
+++ b/daemon/libvirtd.conf
+@@ -87,14 +87,14 @@
+ # without becoming root.
+ #
+ # This is restricted to 'root' by default.
+-#unix_sock_group = "libvirt"
+unix_sock_group = "libvirt-remote"
+ 
+ # Set the UNIX socket permissions for the R/O socket. This is used
+ # for monitoring VM status only
+ #
+ # Default allows any user. If setting group ownership, you may want to
+ # restrict this too.
+-#unix_sock_ro_perms = "0777"
+unix_sock_ro_perms = "0770"
+ 
+ # Set the UNIX socket permissions for the R/W socket. This is used
+ # for full management of VMs
+@@ -104,7 +104,7 @@
+ #
+ # If not using PolicyKit and setting group ownership for access
+ # control, then you may want to relax this too.
+-#unix_sock_rw_perms = "0770"
+unix_sock_rw_perms = "0770"
+ 
+ # Set the UNIX socket permissions for the admin interface socket.
+ #
+-- 
+2.1.4
+