From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH] Change the default libvirt remote user to libvirt-remote
Date: Thu, 09 Jun 2016 14:44:40 +0100
Message-ID: <1465479880.24121.141.camel@ipfire.org>
In-Reply-To: <1465404243-20148-1-git-send-email-jonatan.schlag@ipfire.org>

Hi,

what is the reason that you are creating a password for that user? Generally that is not required. And this will be unknown to the user anyway.

Is the user supposed to log in with this user? If so they can give that user a password themselves.

Would this still work when logging in as the root user?

You will need some bits in the install.sh script that detect if the user already exists (after install, uninstall, install). You can use getent for that.

On Wed, 2016-06-08 at 18:44 +0200, Jonatan Schlag wrote:
> It is possible to communicate per ssh via a socket with libvirt. It is
> not a good idea to do this as root, so the remote user is now
> libvirt-remote. Only this user or users in the group libvirt-remote can
> communicate with the socket.
> The user libvirt-remote is created with a random 64 characters long
> password which can be changed after the
> installation.
>
> Signed-off-by: Jonatan Schlag > --- > =C2=A0lfs/libvirt=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0|=C2=A0=C2=A03 +- > =C2=A0src/paks/libvirt/install.sh=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0|=C2=A0=C2=A04 ++ > =C2=A0...hange-options-in-libvirtd.conf-for-IPFire.patch | 43 > ++++++++++++++++++++++ > =C2=A03 files changed, 49 insertions(+), 1 deletion(-) > =C2=A0create mode 100644 src/patches/libvirt/0002-Change-options-in-libvirt= d.conf- > for-IPFire.patch >=20 > diff --git a/lfs/libvirt b/lfs/libvirt > index b18364b..3c7413f 100644 > --- a/lfs/libvirt > +++ b/lfs/libvirt > @@ -33,7 +33,7 @@ DIR_APP=C2=A0=C2=A0=C2=A0=C2=A0=3D $(DIR_SRC)/$(THISAPP) > =C2=A0TARGET=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=3D $(DIR_INFO)/$(THISAPP) > =C2=A0SUP_ARCH=C2=A0=C2=A0=C2=A0=3D i586 x86_64 > =C2=A0PROG=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=3D libvirt > -PAK_VER=C2=A0=C2=A0=C2=A0=C2=A0=3D 1 > +PAK_VER=C2=A0=C2=A0=C2=A0=C2=A0=3D 2 > =C2=A0 > =C2=A0DEPS=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=3D "libpciaccess libya= jl ncat qemu" > =C2=A0 
> @@ -78,6 +78,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) > =C2=A0 @$(PREBUILD) > =C2=A0 @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) > =C2=A0 cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/libvirt/0001- > Change-default-behavior-of-libvirt-guests.sh-for-IPF.patch > + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/libvirt/0002- > Change-options-in-libvirtd.conf-for-IPFire.patch > =C2=A0 cd $(DIR_APP) && ./configure --prefix=3D/usr --localstatedir=3D/var = -- > sysconfdir=3D/etc \ > =C2=A0 --with-openssl --without-sasl \ > =C2=A0 --without-uml --without-vbox --without-lxc --without- > esx --without-vmware --without-openvz \ > diff --git a/src/paks/libvirt/install.sh b/src/paks/libvirt/install.sh > index 2832197..5eee5a3 100644 > --- a/src/paks/libvirt/install.sh > +++ b/src/paks/libvirt/install.sh > @@ -22,6 +22,10 @@ > =C2=A0#####################################################################= ####### > =C2=A0# > =C2=A0. /opt/pakfire/lib/functions.sh > + > +# creates a new user called libvirt-remote with a random 64 characters long > password > +useradd -s /bin/bash -m=C2=A0=C2=A0-p $(cat /dev/urandom | tr -dc 'a-zA-Z0= -9' | fold -w > 64 | head -n 1) "libvirt-remote" > + > =C2=A0extract_files > =C2=A0start_service --delay 300 --background ${NAME} > =C2=A0ln -svf /etc/init.d/libvirtd /etc/rc.d/rc0.d/K20libvirtd > diff --git a/src/patches/libvirt/0002-Change-options-in-libvirtd.conf-for- > IPFire.patch b/src/patches/libvirt/0002-Change-options-in-libvirtd.conf-for- > IPFire.patch > new file mode 100644 > index 0000000..ed685e8 > --- /dev/null > +++ b/src/patches/libvirt/0002-Change-options-in-libvirtd.conf-for- > IPFire.patch 
> @@ -0,0 +1,43 @@ > +From 69d6e8ce6c636f78d1db0eebe7fb1cc02ae4fb9a Mon Sep 17 00:00:00 2001 > +From: Jonatan Schlag > +Date: Mon, 6 Jun 2016 19:40:50 +0200 > +Subject: [PATCH 2/2] Change options in libvirtd.conf for IPFire > + > +Signed-off-by: Jonatan Schlag > +--- > + daemon/libvirtd.conf | 6 +++--- > + 1 file changed, 3 insertions(+), 3 deletions(-) > + > +diff --git a/daemon/libvirtd.conf b/daemon/libvirtd.conf > +index ac06cdd..1a41914 100644 > +--- a/daemon/libvirtd.conf > ++++ b/daemon/libvirtd.conf > +@@ -87,14 +87,14 @@ > + # without becoming root. > + # > + # This is restricted to 'root' by default. > +-#unix_sock_group =3D "libvirt" > ++unix_sock_group =3D "libvirt-remote" This says group and not user... > +=C2=A0 > + # Set the UNIX socket permissions for the R/O socket. This is used > + # for monitoring VM status only > + # > + # Default allows any user. If setting group ownership, you may want to > + # restrict this too. > +-#unix_sock_ro_perms =3D "0777" > ++unix_sock_ro_perms =3D "0770" > +=C2=A0 > + # Set the UNIX socket permissions for the R/W socket. This is used > + # for full management of VMs > +@@ -104,7 +104,7 @@ > + # > + # If not using PolicyKit and setting group ownership for access > + # control, then you may want to relax this too. > +-#unix_sock_rw_perms =3D "0770" > ++unix_sock_rw_perms =3D "0770" > +=C2=A0 > + # Set the UNIX socket permissions for the admin interface socket. 
> + # > +--=C2=A0 > +2.1.4 > +

-Michael
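Review bot: in the src/paks/libvirt/install.sh hunk, `useradd -p` takes an already-encrypted password as returned by crypt(3), but the command passes the plain 64-character output of `tr -dc 'a-zA-Z0-9' | fold -w 64 | head -n 1`, so the stored field is not a valid hash and no password will ever authenticate; if a password is wanted at all, hash it first (for example with `openssl passwd`), otherwise drop `-p` as the reply suggests. The call is also not idempotent: after install, uninstall, install (or on the PAK_VER 1 to 2 upgrade) `useradd` fails because libvirt-remote already exists, so guard it, e.g. `getent passwd libvirt-remote >/dev/null || useradd ...`. The diffstat touches no uninstall.sh, so the account is never removed, and quoting the `$(...)` substitution would be cleaner.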
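Review bot: in the 0002-Change-options-in-libvirtd.conf-for-IPFire.patch hunk, `unix_sock_group = "libvirt-remote"` together with `unix_sock_rw_perms = "0770"` hands full R/W management of libvirtd to every member of the libvirt-remote group, which on a QEMU host is effectively root, so the group rather than the user is the trust boundary (as the inline comment 'This says group and not user...' points out) and the commit message should say so. The group must also exist before libvirtd starts or it cannot apply the socket ownership; install.sh should create it explicitly instead of relying on useradd's per-user group. The nested diffstat shows only these three lines changed, so `auth_unix_ro`/`auth_unix_rw` are left at their defaults, and the surrounding conf comment ('If not using PolicyKit and setting group ownership for access control') implies the group change only takes effect when those are 'none' rather than polkit, which is worth confirming for this build. Finally `unix_sock_rw_perms` is uncommented with the same value as the default "0770"; say in the description why, or drop the line.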
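An added example (not the patch's code) of the getent check the reply asks for: an idempotent version of the install.sh user creation for libvirt-remote. The user and group names come from the patch; the DRY_RUN variable and the run()/ensure_remote_user() helpers are this example's own, and no password is set, as the reply says one is not required.

```shell
#!/bin/sh
# Added example, not the patch's code: idempotent creation of the libvirt-remote
# account for src/paks/libvirt/install.sh, using getent as suggested in the
# review so a second install (install, uninstall, install) does not fail.
# REMOTE_USER/REMOTE_GROUP are from the patch; DRY_RUN, run() and
# ensure_remote_user() are this example's own.

REMOTE_USER="libvirt-remote"
REMOTE_GROUP="libvirt-remote"

# Account already present in the passwd database? Falls back to /etc/passwd
# only where getent is unavailable.
user_exists() {
    getent passwd "$1" >/dev/null 2>&1 || grep -q "^$1:" /etc/passwd 2>/dev/null
}

group_exists() {
    getent group "$1" >/dev/null 2>&1 || grep -q "^$1:" /etc/group 2>/dev/null
}

# Execute a command, or only print it when DRY_RUN=1 (lets the logic be
# exercised without root).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "would run: $*"
    else
        "$@"
    fi
}

# Create the group explicitly (libvirtd's unix_sock_group must resolve), then
# the user with a password field of '*': that matches no password, unlike the
# default '!' which sshd treats as a locked account, so key-based ssh works.
ensure_remote_user() {
    group_exists "$REMOTE_GROUP" || run groupadd -r "$REMOTE_GROUP"
    if user_exists "$REMOTE_USER"; then
        echo "user $REMOTE_USER already exists, skipping" >&2
        return 0
    fi
    run useradd -r -g "$REMOTE_GROUP" -p '*' -s /bin/bash -m "$REMOTE_USER"
}

# Dry run so the file can be read and tested without root; install.sh would
# call ensure_remote_user directly.
DRY_RUN=1 ensure_remote_user
```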