[Pkg-libvirt-maintainers] Bug#929133: base-passwd: The 'libvirt' group from virt-manager is not listed in users-and-groups

Guido Günther agx at sigxcpu.org
Sat May 18 09:21:46 BST 2019


Hi,
On Fri, May 17, 2019 at 10:01:58PM +0100, Colin Watson wrote:
> On Fri, May 17, 2019 at 02:14:27PM -0500, Karl O. Pinc wrote:
> > I notice that (on stretch) the 'libvirt' group, used by the
> > virt-manager package is not listed in
> > /usr/share/doc/base-passwd/users-and-groups*
> > 
> > I am unclear whether it should be listed, but it seems worth
> > an email.
> 
> Thanks for your report.  It isn't really feasible for that document to
> be comprehensive, but if the libvirt maintainer or somebody who knows it
> reasonably well wanted to contribute a description then I'd happily take
> it.

We have this in libvirt's README.Debian

-----
Access Control
==============
Access to the libvirt managing tasks is controlled by PolicyKit. To ease
configuration membership in the "libvirt" group is sufficient. If you want to
manage VMs as non-root you need to add a user to that group.

Note that this will allow users in this group to use all of libvirt's
API including modifying files on the host. For finer grained access
control have a look at libvirt's ACLs.

System QEMU/KVM processes are run as user and group libvirt-qemu. This can be
adjusted via /etc/libvirt/qemu.conf.
-----

So something like:

Access to the system libvirt daemon is controlled by that
group. Membership in this group gives full daemon access
including (but not restricted to) managing virtual machines.

Cheers,
 -- Guido

> 
> -- 
> Colin Watson                                       [cjwatson at debian.org]
> 
> _______________________________________________
> Pkg-libvirt-maintainers mailing list
> Pkg-libvirt-maintainers at alioth-lists.debian.net
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-libvirt-maintainers
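
Since the README.Debian text quoted above says membership in the "libvirt" group is sufficient for full access to libvirt's API, a useful host check is to list who is actually in that group. The script below is an added example, not part of the original email or of the libvirt package; the function names, the approved-list file and the sample accounts are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: enumerate effective members of a group from group(5)/passwd(5)
# style files and flag the ones missing from an approved list.
# Assumption: flat files. On hosts using NSS (LDAP, sssd), pass files made from
# `getent group` and `getent passwd` output instead of /etc/group and /etc/passwd.

# group_members GROUP [GROUP_FILE] [PASSWD_FILE]
group_members() {
    grp=$1
    group_file=${2:-/etc/group}
    passwd_file=${3:-/etc/passwd}

    # group(5) fields: name:password:GID:comma-separated member list
    gid=$(awk -F: -v g="$grp" '$1 == g { print $3; exit }' "$group_file")
    [ -n "$gid" ] || return 1    # group is not defined

    {
        # Supplementary members named in the group's own entry.
        awk -F: -v g="$grp" '$1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }' "$group_file"
        # Accounts whose primary GID is the group; these are easy to miss
        # because they never appear in the group's member list.
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$passwd_file"
    } | sort -u
}

# unapproved_members APPROVED_FILE GROUP [GROUP_FILE] [PASSWD_FILE]
# APPROVED_FILE (hypothetical) holds one approved account name per line.
unapproved_members() {
    approved=$1
    shift
    group_members "$@" | grep -vxF -f "$approved"
}

# Constructed sample data (not real accounts): bob is a supplementary member,
# svc-backup has the group as its primary GID, only alice is approved.
sample=$(mktemp -d)
printf '%s\n' 'libvirt:x:113:alice,bob' 'libvirt-qemu:x:64055:' > "$sample/group"
printf '%s\n' 'alice:x:1000:1000::/home/alice:/bin/bash' \
              'bob:x:1001:1001::/home/bob:/bin/bash' \
              'carol:x:1002:1002::/home/carol:/bin/bash' \
              'svc-backup:x:998:113::/var/lib/backup:/usr/sbin/nologin' > "$sample/passwd"
printf '%s\n' 'alice' > "$sample/approved"

echo "Accounts with libvirt group access that are not on the approved list:"
unapproved_members "$sample/approved" libvirt "$sample/group" "$sample/passwd"
```

On a real host, call `group_members libvirt` with no file arguments to read /etc/group and /etc/passwd.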


