[Pkg-libvirt-maintainers] Bug#768376: Bug#768376: libvirt-daemon-system: Please downgrade policykit-1 dependency to recommends

Reco recoverym4n at gmail.com
Fri Nov 7 08:01:30 UTC 2014


On Fri, 7 Nov 2014 08:46:42 +0100
Guido Günther <agx at sigxcpu.org> wrote:

> Having polkit installed and doing nothing (for people switching to
> socket based permission checks) is IMHO a better service to our users
> than having all the bugs for people installing without recommends (and
> there are many of those). Disabling polkit requires a bit of detailed
> knowledge to not introduce security holes e.g. via the socket
> activation file.

I agree that libvirtd insists on using 'polkit' authentication by
default. I disagree that there's special knowledge required for
disabling 'polkit' correctly, as all that's really required is to
uncomment unix_sock_group, unix_sock_ro_perms and unix_sock_rw_perms in
libvirtd.conf (which has sane defaults for these), and to change
auth_unix_ro and auth_unix_rw to none.

And in the absence of a running policykit-1, libvirt simply does not
allow anyone other than root to use its sockets (which is the most
secure default setting IMO).


> I'll leave this open to hear about other opinions but I don't see any
> drawbacks on depending on polkit by default.

Introducing yet another privilege escalation mechanism on unsuspecting
servers is a drawback in my book. Especially if said mechanism has
a less-than-stellar security record.


At least, please update NEWS.Debian (or README.Debian) for libvirt with
an explanation of libvirt's usage of policykit-1.

Reco
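
An added example, not part of the message above and not libvirt's own code: a small audit of libvirtd.conf text for the case discussed in this thread, where auth_unix_ro/auth_unix_rw are set to none and the unix_sock_* keys are the only access control left. The review rules and both sample configurations are constructed assumptions for illustration.

```python
import re

def parse_conf(text):
    """Return the active (uncommented) key = value settings of a libvirtd.conf."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r'\s*([a-z0-9_]+)\s*=\s*"?([^"#]*?)"?\s*(?:#.*)?$', line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings

def audit(text):
    """List findings for sockets whose auth is "none" (hypothetical review rules)."""
    s = parse_conf(text)
    findings = []
    for kind in ("ro", "rw"):
        if s.get(f"auth_unix_{kind}") != "none":
            continue  # another auth scheme still guards this socket
        key = f"unix_sock_{kind}_perms"
        if key not in s:
            findings.append(f"{key} is not set explicitly")
        elif kind == "rw" and int(s[key], 8) & 0o007:
            findings.append(f"{key}={s[key]} opens the read-write socket to all local users")
    if "none" in (s.get("auth_unix_ro"), s.get("auth_unix_rw")) and "unix_sock_group" not in s:
        findings.append("unix_sock_group is not set explicitly")
    return findings

# Constructed sample: auth switched to none, socket keys left commented or too open.
WEAK = '''
#unix_sock_group = "libvirt"
#unix_sock_ro_perms = "0777"
unix_sock_rw_perms = "0777"
auth_unix_ro = "none"
auth_unix_rw = "none"
'''

# Constructed sample: the five settings the message lists, set together.
HARDENED = '''
unix_sock_group = "libvirt"
unix_sock_ro_perms = "0777"
unix_sock_rw_perms = "0770"
auth_unix_ro = "none"
auth_unix_rw = "none"
'''

if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(conf) or "no findings")
```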


