Open boredsquirrel opened 1 year ago
Virt-manager:
sudo usermod -a -G libvirt $(whoami)
sudo sed -i 's/#unix_sock_group = "libvirt"/unix_sock_group = "libvirt"/g' /etc/libvirt/libvirtd.conf
sudo sed -i 's/#unix_sock_ro_perms = "0777"/unix_sock_ro_perms = "0777"/g' /etc/libvirt/libvirtd.conf
sudo systemctl restart libvirtd.service
systemctl status libvirtd.service
Add Polkit rule:
# Single quotes keep the double quotes inside the JavaScript intact.
printf '%s\n' 'polkit.addRule(function(action, subject) {
    if (action.id == "org.libvirt.unix.manage" && subject.local && subject.active && subject.isInGroup("wheel")) {
        return polkit.Result.YES;
    }
});' | sudo tee /etc/polkit-1/rules.d/80-libvirt-manage.rules
Now it works. I actually don't know the polkit details, maybe the first codeblock is not needed. I can try to redo the changes and see if it works just with Polkit, as just the first changes didn't work.
Polkit changes for allowing to open LUKS drives (KDE team will fix the unnecessary password prompt):
printf '%s\n' 'polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.udisks2.encrypted-unlock-system" && subject.local && subject.active && subject.isInGroup("wheel")) {
        return polkit.Result.YES;
    }
});' | sudo tee /etc/polkit-1/rules.d/80-udisks2-encrypted-unlock.rules
printf '%s\n' 'polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.udisks2.filesystem-mount-system" && subject.local && subject.active && subject.isInGroup("wheel")) {
        return polkit.Result.YES;
    }
});' | sudo tee /etc/polkit-1/rules.d/80-udisks2-mount.rules
I can't believe it works!
The current rules only apply to wheel users, but I think this is also the norm. Non-sudoers should maybe not be allowed to do these tasks, I don't know, children or something?
It doesn't feel like a good protection, for example having secret stuff in a VM or on a LUKS drive, and the only thing hindering your child or anyone from accessing it is the sudoers password.
sddm themes:
printf '%s\n' 'polkit.addRule(function(action, subject) {
    if (action.id == "org.kde.kcontrol.kcmsddm.save" && subject.local && subject.active && subject.isInGroup("wheel")) {
        return polkit.Result.YES;
    }
});' | sudo tee /etc/polkit-1/rules.d/80-sddm-kcm-allow.rules
What about the mounting of LUKS drives?
I have another drive that is encrypted. When you save the password in KWallet (password manager) mounting should work automatically, but it does not because polkit wants authentication for udisks2. This can be turned to "always yes".
Let's collect tasks where you shouldn't need sudo here:
Virt-manager, because virtualization should be an easy tool on this system.
Mounting LUKS drives requires sudo too, which can be avoided.
Adding this script makes future mods easier:
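Added example, not part of the original thread and not the script the line above refers to: a small JavaScript harness that loads the udisks2 mount rule from this thread and shows which subjects it auto-approves, and what becomes of the rule once a double-quoted shell string has stripped its inner quotes. `loadRules`, `makeSubject` and the three subjects are constructed for illustration, and only the parts of the polkit rule API that these rules touch are modelled.

```javascript
// Stand-in for the polkit rule environment. Assumption: only addRule, Result,
// action.id and subject.local/active/isInGroup are modelled. How polkitd treats
// a throwing rule is not modelled; the harness just reports the error.
function loadRules(source) {
  const rules = [];
  const polkit = { Result: { YES: "yes" }, addRule: (fn) => rules.push(fn) };
  new Function("polkit", source)(polkit);
  return (actionId, subject) => {
    for (const rule of rules) {
      try {
        const result = rule({ id: actionId }, subject);
        if (result) return result;          // first rule with an answer wins
      } catch (err) {
        return "rule error: " + err.name;   // broken rule, no grant from it
      }
    }
    return "not handled";                   // the action's own defaults apply
  };
}

// Constructed subjects (hypothetical helper, not a polkit API).
const makeSubject = (groups, local, active) => ({
  local, active, isInGroup: (g) => groups.includes(g),
});
const deskAdmin = makeSubject(["wheel", "libvirt"], true, true);  // at the desktop
const sshAdmin = makeSubject(["wheel"], false, true);             // remote session
const deskUser = makeSubject(["users"], true, true);              // not in wheel

const MOUNT = "org.freedesktop.udisks2.filesystem-mount-system";

// Rule text with its string literals intact.
const quotedRule = `polkit.addRule(function(action, subject) {
  if (action.id == "${MOUNT}" && subject.local && subject.active && subject.isInGroup("wheel")) {
    return polkit.Result.YES;
  }
});`;
// The same text after a double-quoted shell string has eaten the inner quotes.
const strippedRule = quotedRule.replace(/"/g, "");

const decide = loadRules(quotedRule);
const decideStripped = loadRules(strippedRule);

console.log("wheel, local:  ", decide(MOUNT, deskAdmin));
console.log("wheel, remote: ", decide(MOUNT, sshAdmin));
console.log("non-wheel:     ", decide(MOUNT, deskUser));
console.log("stripped rule: ", decideStripped(MOUNT, deskAdmin));
```

Running `cat` on the installed `.rules` file and checking that the action id and group name are still inside double quotes is the quickest way to tell which of the two forms ended up on disk.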