We currently refuse to connect to remote libvirtd over SSH if we see the
path ends in /session. Earlier on though we checked for /session and set
the VIR_DRV_OPEN_REMOTE_USER flag. There is one subtle distinction
though with the test driver. All test URIs are marked with this flag,
regardless of whether the URI indicates a local or remote connection.
Previously a local connection to the test driver would have used the
unprivileged libvirtd while a remote connection would have tried the
privileged libvirtd. With this we are consistent and use the
unprivileged for both local & remote, if the current user is non-root.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
 src/remote/remote_driver.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/remote/remote_driver.c b/src/remote/remote_driver.c
index 0a37a63e8d..e1eaa56230 100644
--- a/src/remote/remote_driver.c
+++ b/src/remote/remote_driver.c
@@ -1002,7 +1002,7 @@ doRemoteOpen(virConnectPtr conn,
     case trans_libssh2:
         if (!sockname) {
             /* Right now we don't support default session connections */
-            if (STREQ_NULLABLE(conn->uri->path, "/session")) {
+            if (flags & VIR_DRV_OPEN_REMOTE_USER) {
                 virReportError(VIR_ERR_OPERATION_UNSUPPORTED, "%s",
                                _("Connecting to session instance without "
                                  "socket path is not supported by the libssh2 "
@@ -1037,7 +1037,7 @@ doRemoteOpen(virConnectPtr conn,
     case trans_libssh:
         if (!sockname) {
             /* Right now we don't support default session connections */
-            if (STREQ_NULLABLE(conn->uri->path, "/session")) {
+            if (flags & VIR_DRV_OPEN_REMOTE_USER) {
                 virReportError(VIR_ERR_OPERATION_UNSUPPORTED, "%s",
                                _("Connecting to session instance without "
                                  "socket path is not supported by the libssh "
@@ -1103,7 +1103,7 @@ doRemoteOpen(virConnectPtr conn,
 
         if (!sockname) {
             /* Right now we don't support default session connections */
-            if (STREQ_NULLABLE(conn->uri->path, "/session")) {
+            if (flags & VIR_DRV_OPEN_REMOTE_USER) {
                 virReportError(VIR_ERR_OPERATION_UNSUPPORTED, "%s",
                                _("Connecting to session instance without "
                                  "socket path is not supported by the ssh "
-- 
2.21.0

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

On 6/19/19 12:43 PM, Daniel P. Berrangé wrote:
> We currently refuse to connect to remote libvirtd over SSH if we see the
> path ends in /session. Earlier on though we checked for /session and set
> the VIR_DRV_OPEN_REMOTE_USER flag. There is one subtle distinction
> though with the test driver. All test URIs are marked with this flag,
> regardless of whether the URI indicates a local or remote connection.
> Previously a local connection to the test driver would have used the
> unprivileged libvirtd while a remote connection would have tried the
> privileged libvirtd. With this we are consistent and use the
> unprivileged for both local & remote, if the current user is non-root.
> 
> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> ---
>   src/remote/remote_driver.c | 6 +++---
>   1 file changed, 3 insertions(+), 3 deletions(-)

Reviewed-by: Michal Privoznik <mprivozn@redhat.com>

Michal

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list