How do I prevent virt-manager from asking for the root password?

When starting virt-manager, it asks for the root password.

It looks like virt-manager causes the libvirtd daemon to run pkcheck with a couple of arguments, which then shows this authentication dialog. So it's PolicyKit who's asking for the root password.

The official website (libvirt.org) describes how to define a PolicyKit rule to get rid of the password prompt:

$ sudo cat /etc/polkit-1/localauthority/50-local.d/50-org.example-libvirt-remote-access.pkla
[libvirt Management Access]
Identity=unix-group:libvirt
Action=org.libvirt.unix.manage
ResultAny=yes
ResultInactive=yes
ResultActive=yes

The subdirectory "localauthority" did not exist. Creating it and putting a file with that name and content (libvirt -> my group name) in there does not seem to have any effect. Also, there's a default file, which uses JavaScript syntax:

/etc/polkit-1/rules.d/50-default.rules

This package is installed on the system, plus a few DE frontends:

polkit-0.107-4.fc18.x86_64

Apparently the example configuration on libvirt.org is outdated?

What configuration is necessary to get rid of the password prompt (for a specific user group)?

basic6

Posted 2013-02-08T14:31:57.513

Reputation: 2 032

Answers

/etc/polkit-1/rules.d/10.virt.rules:

polkit.addRule(function(action, subject) {
    if (action.id == "org.libvirt.unix.manage"
            && subject.local
            && subject.active
            && subject.isInGroup("libvirt")) {
        return polkit.Result.YES;
    }
});

You'll have to perform common steps including restarting policykit and starting a new session with the respective user after adding him to the libvirt group.

It looks like the resource is about Fedora 18 but it uses the javascript syntax already so it's most probably valid for Fedora 19 as well.

Links:

Pavel Šimerda

Posted 2013-02-08T14:31:57.513

Reputation: 712

How does this compare to adding the user to the libvirt group? I tested adding the user to the libvirt group and then the additional authentication wasn't required. – jwbensley – 2017-03-02T18:16:21.160

1@jwbensley The polkit way is dynamic and gives the permissions to the owner of the active local session. The group way is static and gives the privilege to that specific user. Choose your ways as you see fit. – Pavel Šimerda – 2017-03-07T18:18:42.620

1This solution works! Thanks for the links as well. Bounty awarded. – senorsmile – 2013-10-15T21:43:27.863

Sorry for the wrong formatting, fixed that. – Pavel Šimerda – 2013-10-16T07:05:27.497

The password prompt was made for system security so if you do this might make it vulnerable.

Create the Group group on your machine. or you can run this "sudo groupadd -r Group"
You can any user you want to this system group by runing "sudo usermod -a -G Group User"
Now you need to create our PolicyKit policy that will allow the users of Group to run virt-manager

you will create a file at this path:"/etc/polkit-1/localauthority/50-local.d/50-org.Group-libvirt-local-access.pkla"
and you will put lines below in it

[Allow group Group libvirt management permissions]
Identity=unix-group:Group
Action=org.libvirt.unix.manage
ResultAny=yes
ResultInactive=yes
ResultActive=yes

Thats all you needed to do now you can run it. And i hope this helps you.

poqdavid

Posted 2013-02-08T14:31:57.513

Reputation: 441

This is the old solution. This solution does NOT work on newer systemd based Linux operating systems, such as Fedora 19 or Current Arch. (I just tested it. There is not even a localauthority directory, and creating, the subfolder and the specified file do nothing). – senorsmile – 2013-10-15T14:51:17.133

@senorsmile Did you file a bug report with Fedora 19? – Pavel Šimerda – 2013-10-15T17:27:49.013