I created a polkit rule to allow all users in the libvirt
group to execute org.libvirt.unix.manage
. The KDE password prompt shows the exact polkit action (another area of empowering UI )
So I added this rule
cat /etc/polkit-1/rules.s/org.libvirt.unix.manage.rules
polkit.addRule(function(action, subject) {
if (action.id == "org.libvirt.unix.manage" &&
subject.isInGroup("libvirt")) {
return polkit.Result.YES;
}
});
Added my user to the group
sudo -i
groupadd libvirt
usermod -aG libvirt user
But I get this??
groups
user user user user
And no matter how often I repeat, my user doesnt seem to get added to that group, whereas flatpak
and plugdev
do.
I think this goal is quite important.
There are many deployments, especially for autoupdating (atomic) systems, where an admin may want to set things up once, and then barely have to touch it again.
Imagine
school âChromebooksâ
child/parent laptops ;D
company workstations
âŠ
Having this working is not a huge issue but requires some small adaptions. dnfand rpm-ostree need to work without sudo rights. There need to be dedicated groups for privileged actions, to avoid needing to be in the wheeâŠ
ersen
(ersen)
June 7, 2024, 1:16pm
2
Did you logout and login again after usermod
command?
1 Like
boredsquirrel:
usermod -aG libvirt user
I always run that command as usermod -a -G libvirt user
(note that the options are separated)
You can also check very easily if the user is added to the group by running grep user /etc/group
to see exactly which groups that user is a member of.
$ groups
ME wheel cdrom dialout audio vboxusers boinc libvirt pipewire
$ grep ME /etc/group
wheel:x:10:ME
cdrom:x:11:ME
dialout:x:18:ME
audio:x:63:ME
pipewire:x:992:ME
libvirt:x:985:ME
ME:x:1000:
boinc:x:975:ME
vboxusers:x:970:ME
As noted adding a user to a group does not take effect until that user logs out and back in. Opening a new terminal does not count in this respect.
1 Like
ersen
(ersen)
June 8, 2024, 8:14am
4
I always run it as gpasswd -a user libvirt
, it doesnât have a chance to wipe all the userâs groups in case of an accidental missing option.
2 Likes
@ersen yes of course
@computersavvy that command had the same result
>> sudo groupadd libvirt
# group already exists
>> sudo usermod -aG libvirt user
>> sudo usermod -a -G libvirt user
>> sudo usermod -aG libvirt $USER
# reboot
>> id
uid=1001(user) gid=1001(user) Gruppen=1001(user),10(wheel),1000(admin),1002(plugdev) Kontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>> groups
user wheel admin plugdev
>> gpasswd -a user libvirt
gpasswd: Group »libvirt« does not exist in /etc/group.
vgaetera
(Vladislav Grigoryev)
June 15, 2024, 2:10pm
7
2 Likes
damn didnt know that, because all the other groups worked?
But now I am also more interested in using libvirt in user mode as @siosm suggested. I could not find much about this, not yet digging in the docs.
This would be my wished solution and a change for Fedora to use that by default sounds like a good idea for security, as access to the libvirt daemon allows root on the host OS.
vgaetera
(Vladislav Grigoryev)
June 15, 2024, 10:58pm
9
I mostly use session mode as it is suitable for workstation related tasks, but keep in mind that it does not support all features.
Using system mode is still necessary to manage virtual networks, utilize VM autostart, access guests over SSH by their VM name with NSS, etc.
See also:
2 Likes