From nobody Mon May 6 23:50:29 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28; envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; Return-Path: Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by mx.zohomail.com with SMTPS id 1494515095235113.53634872182386; Thu, 11 May 2017 08:04:55 -0700 (PDT) Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 7B3E6C059750; Thu, 11 May 2017 15:04:50 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 4A21217AD6; Thu, 11 May 2017 15:04:50 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id E4C8F1800C95; Thu, 11 May 2017 15:04:48 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id v4BF4jSu005888 for ; Thu, 11 May 2017 11:04:45 -0400 Received: by smtp.corp.redhat.com (Postfix) id C521E17AD1; Thu, 11 May 2017 15:04:45 +0000 (UTC) Received: from localhost.localdomain.com (ovpn-116-16.phx2.redhat.com [10.3.116.16]) by smtp.corp.redhat.com (Postfix) with ESMTP id 8535E17ACE for ; Thu, 11 May 2017 15:04:45 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 7B3E6C059750 Authentication-Results: ext-mx08.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com Authentication-Results: ext-mx08.extmail.prod.ext.phx2.redhat.com; spf=pass smtp.mailfrom=libvir-list-bounces@redhat.com DKIM-Filter: OpenDKIM Filter v2.11.0 mx1.redhat.com 7B3E6C059750 From: John Ferlan To: libvir-list@redhat.com Date: Thu, 11 May 2017 11:04:40 -0400 Message-Id: <20170511150441.32038-2-jferlan@redhat.com> In-Reply-To: <20170511150441.32038-1-jferlan@redhat.com> References: <20170511150441.32038-1-jferlan@redhat.com> X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14 X-loop: libvir-list@redhat.com Subject: [libvirt] [PATCH 1/2] virsh: Track when create pkttyagent X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.32]); Thu, 11 May 2017 15:04:51 +0000 (UTC) X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" https://bugzilla.redhat.com/show_bug.cgi?id=3D1374126 Due to how the processing for authentication using polkit works, the virshConnect code must first "attempt" an virConnectOpenAuth and then check for a "special" return error code VIR_ERR_AUTH_UNAVAILABLE in order to attempt to "retry" the authentication after performing a creation of a pkttyagent to handle the challenge/response for the client. However, if pkttyagent creation is not possible for the authentication being attempted (such as perhaps a "qemu+ssh://someuser@localhost/system"), then the same failure pattern would be returned and another attempt to create a pkttyagent would be done. This would continue "forever" until someone forced quit (e.g. ctrl-c) from virsh as the 'authfail' was not incremented when creating the pkttyagent. So add a 'agentCreated' boolean to track if we've attempted to create the agent at least once and force a failure if that creation returned the same error pattern. This resolves a possible never ending loop and will generate an error: error: failed to connect to the hypervisor error: authentication unavailable: no polkit agent available to authenticat= e action 'org.libvirt.unix.manage' NB: If the authentication was for a sufficiently privileged client, such as qemu+ssh://root@localhost/system, then the remoteDispatchAuthList "allows" the authentication to use libvirt since @callerUid would be 0. Signed-off-by: John Ferlan --- tools/virsh.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/tools/virsh.c b/tools/virsh.c index 90f8125..1f5c2b1 100644 --- a/tools/virsh.c +++ b/tools/virsh.c @@ -145,6 +145,7 @@ virshConnect(vshControl *ctl, const char *uri, bool rea= donly) bool keepalive_forced =3D false; virPolkitAgentPtr pkagent =3D NULL; int authfail =3D 0; + bool agentCreated =3D false; =20 if (ctl->keepalive_interval >=3D 0) { interval =3D ctl->keepalive_interval; @@ -166,10 +167,12 @@ virshConnect(vshControl *ctl, const char *uri, bool r= eadonly) goto cleanup; =20 err =3D virGetLastError(); - if (err && err->domain =3D=3D VIR_FROM_POLKIT && + if (!agentCreated && + err && err->domain =3D=3D VIR_FROM_POLKIT && err->code =3D=3D VIR_ERR_AUTH_UNAVAILABLE) { if (!pkagent && !(pkagent =3D virPolkitAgentCreate())) goto cleanup; + agentCreated =3D true; } else if (err && err->domain =3D=3D VIR_FROM_POLKIT && err->code =3D=3D VIR_ERR_AUTH_FAILED) { authfail++; --=20 2.9.3 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list From nobody Mon May 6 23:50:29 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28; envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; Return-Path: Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by mx.zohomail.com with SMTPS id 1494515106913495.59788853514203; Thu, 11 May 2017 08:05:06 -0700 (PDT) Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id DB63680F90; Thu, 11 May 2017 15:05:02 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id A4BDC76131; Thu, 11 May 2017 15:05:02 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 43256180BAF4; Thu, 11 May 2017 15:05:02 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id v4BF4kgY005893 for ; Thu, 11 May 2017 11:04:46 -0400 Received: by smtp.corp.redhat.com (Postfix) id 5723317AD1; Thu, 11 May 2017 15:04:46 +0000 (UTC) Received: from localhost.localdomain.com (ovpn-116-16.phx2.redhat.com [10.3.116.16]) by smtp.corp.redhat.com (Postfix) with ESMTP id 140FD17ACE for ; Thu, 11 May 2017 15:04:45 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com DB63680F90 Authentication-Results: ext-mx03.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com Authentication-Results: ext-mx03.extmail.prod.ext.phx2.redhat.com; spf=pass smtp.mailfrom=libvir-list-bounces@redhat.com DKIM-Filter: OpenDKIM Filter v2.11.0 mx1.redhat.com DB63680F90 From: John Ferlan To: libvir-list@redhat.com Date: Thu, 11 May 2017 11:04:41 -0400 Message-Id: <20170511150441.32038-3-jferlan@redhat.com> In-Reply-To: <20170511150441.32038-1-jferlan@redhat.com> References: <20170511150441.32038-1-jferlan@redhat.com> X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14 X-loop: libvir-list@redhat.com Subject: [libvirt] [PATCH 2/2] virsh: Don't attempt polkit processing for non local authn/authz X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.27]); Thu, 11 May 2017 15:05:04 +0000 (UTC) X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" https://bugzilla.redhat.com/show_bug.cgi?id=3D1374126 Due to how the processing for authentication using polkit works, the virshConnect code must first "attempt" an virConnectOpenAuth and then check for a "special" return error code VIR_ERR_AUTH_UNAVAILABLE in order to attempt to "retry" the authentication after performing a creation of a pkttyagent to handle the challenge/response for the client. However, attempting to use a remote connection, (such as perhaps "qemu+ssh://someuser@localhost/system"), will cause a never ending loop since attempting to generate a pkttyagent would fail for the network client connection resulting in a never ending loop since the return code is always VIR_ERR_AUTH_UNAVAILABLE from virPolkitCheckAuth. The only way out of the loop is a forced quit (e.g. ctrl-c) as the @authfail wouldn't be incremented as a result of a failed authn from pkttyagent. So rather than take any extra step for which the only result will be a failure, let's check if there is a URI and if it's not using ":///", then just fail. This resolves the never ending loop and will generate an error: error: failed to connect to the hypervisor error: authentication unavailable: no polkit agent available to authenticat= e action 'org.libvirt.unix.manage' NB: If the authentication was for a sufficiently privileged client, such as qemu+ssh://root@localhost/system, then the remoteDispatchAuthList "allows" the authentication to use libvirt since @callerUid would be 0. Signed-off-by: John Ferlan --- tools/virsh.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/tools/virsh.c b/tools/virsh.c index 1f5c2b1..be368ba 100644 --- a/tools/virsh.c +++ b/tools/virsh.c @@ -166,6 +166,11 @@ virshConnect(vshControl *ctl, const char *uri, bool re= adonly) if (readonly) goto cleanup; =20 + /* No URI or indication of a requesting a remote connection, then + * polkit will not work for the authentication/authorization */ + if (!uri || !(strstr(uri, ":///"))) + goto cleanup; + err =3D virGetLastError(); if (!agentCreated && err && err->domain =3D=3D VIR_FROM_POLKIT && --=20 2.9.3 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list