diff --git a/src/remote/libvirtd.conf.in b/src/remote/libvirtd.conf.in
index ad049f6..79e5c20 100644
--- a/src/remote/libvirtd.conf.in
+++ b/src/remote/libvirtd.conf.in
@@ -160,24 +160,25 @@
 # connections. The default policy still allows any local
 # user access.
 #
+# Mageia note:
+# Polkit is the default authentication scheme for the read-only
+# socket. libvirt will authenticate read-only socket connections
+# with polkit, but the default polkit policy allows any local
+# user access to libvirt's monitoring APIs.
+#
 # To restrict monitoring of domains you may wish to either
 # enable 'sasl' here, or change the polkit policy definition.
 #auth_unix_ro = "@default_auth@"

 # Set an authentication scheme for UNIX read-write sockets.
 #
-# If libvirt was compiled without support for 'polkit', then
-# the systemd .socket files will use SocketMode=0600 by default
-# thus only allowing root user to connect, and 'auth_unix_rw'
-# will default to 'none'.
-#
-# If libvirt was compiled with support for 'polkit', then
-# the systemd .socket files will use SocketMode=0666 which
-# allows any user to connect and 'auth_unix_rw' will default
-# to 'polkit'. If you disable use of 'polkit' here, then it
-# is essential to change the systemd SocketMode parameter
-# back to 0600, to avoid an insecure configuration.
-#
+# Mageia note:
+# Polkit is the default authentication scheme for the read-write
+# socket. The systemd .socket file uses SocketMode=0666, which
+# allows any user to connect. However, the default polkit policy
+# will only authenticate the root user. If you disable use of
+# 'polkit' here, then it is essential to change the systemd
+# SocketMode parameter to 0600 to avoid an insecure configuration.
 #auth_unix_rw = "@default_auth@"

 @CUT_ENABLE_IP@
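Review bot: The rewritten read-write note states the polkit default as fact, but the commented value beneath it is still the build-time substitution `@default_auth@`, and the removed paragraph was the only text explaining the non-polkit outcome (SocketMode=0600, 'auth_unix_rw' defaulting to 'none'). If the package were ever built without polkit, the comment would describe a different setup from the one shipped; one added line such as `# (Assumes a polkit-enabled build; without polkit the default is 'none' and SocketMode must be 0600.)` would cover that. "will only authenticate the root user" is also loose, since polkit authorises callers and the result depends on the installed policy and rules; `# will only authorise callers who can authenticate as an administrator` may be closer, if that matches the shipped policy. It would also help to say why the 0600 advice matters: read-write access to this socket is effectively root-equivalent on the host.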