KVM unix socket file permission for VNC

I’m using kvm-qemu/libvirtd for a bunch of kvms. I’m using vnc for the graphical interface. By default, it listens on a tcp socket. I want to have it listen on a unix socket instead. Looking at some docs (http://libvirt.org/formatdomain.html) I see:

“Rather than using listen/port, QEMU supports a socket attribute for listening on a unix domain socket path”

I have this setup with the following xml:

<graphics type='vnc' socket='/tmp/lamptest.sock'/>

This is working, it creates the socket and everything goes through it. But it doesn’t have the permissions the way I would like them. It has them as such, which doesn’t allow me to use virt-manager with my user:

srwxr-xr-x  1 libvirt-qemu kvm

Instead I would like the socket to have the following permissions:

srwxrwx---  1 root libvirtd

I haven’t found any way to change this in the xml, and I would like to not have to manually change it whenever a kvm starts up. Anyone know if this can be configured somewhere?

EDIT:

Looking at this patch link, it looks like that functionality doesn’t exist. I’ll poke through newer versions of the code to see if it was added, but I’m guessing I’ll need to submit a feature request and write a cron to fix file permissions in the meantime 🙁

Answer

Looking in /etc/libvirt/libvirtd.conf:

# UNIX socket access controls
#

# Set the UNIX domain socket group ownership. This can be used to
# allow a 'trusted' set of users access to management capabilities
# without becoming root.
#
# This is restricted to 'root' by default.
#unix_sock_group = "libvirt"

# Set the UNIX socket permissions for the R/O socket. This is used
# for monitoring VM status only
#
# Default allows any user. If setting group ownership may want to
# restrict this to:
#unix_sock_ro_perms = "0777"

# Set the UNIX socket permissions for the R/W socket. This is used
# for full management of VMs
#
# Default allows only root. If PolicyKit is enabled on the socket,
# the default will change to allow everyone (eg, 0777)
#
# If not using PolicyKit and setting group ownership for access
# control then you may want to relax this to:
#unix_sock_rw_perms = "0770"

# Set the name of the directory in which sockets will be found/created.
#unix_sock_dir = "/var/run/libvirt"

Looks like unix_sock_group is the param you want.
Might be different between distributions.
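The asker's interim plan, a cron job that corrects the socket's mode and ownership, written out as an added example that is not part of the question or the answer. Note that the unix_sock_* settings quoted above govern the sockets libvirtd itself creates under unix_sock_dir, while the VNC socket in the question is created by QEMU at the path given in the domain XML, so a fix-up of this kind may still be needed. The script assumes a Linux host whose stat supports -c, takes the path, owner, group and mode from the question (/tmp/lamptest.sock, root, libvirtd, 0770), and the file name vncsock-perms.sh is a placeholder.

```shell
#!/bin/sh
# Added example (not from the question or answer): periodic fix-up of the
# QEMU VNC unix socket's ownership and mode. Assumes Linux with a stat that
# supports "-c". Defaults are the values from the question; override them
# through the environment if your path, owner or group differ.

VNC_SOCK="${VNC_SOCK:-/tmp/lamptest.sock}"
WANT_OWNER="${WANT_OWNER:-root}"
WANT_GROUP="${WANT_GROUP:-libvirtd}"
WANT_MODE="${WANT_MODE:-770}"     # "stat -c %a" prints 0770 as "770"

# socket_state PATH: print "mode owner group", e.g. "755 libvirt-qemu kvm".
socket_state() {
    stat -c '%a %U %G' "$1"
}

# perms_ok PATH MODE OWNER GROUP: succeed only if PATH already matches.
perms_ok() {
    [ "$(socket_state "$1")" = "$2 $3 $4" ]
}

# world_accessible PATH: succeed if the "other" permission bits are non-zero,
# i.e. any local user could connect to the socket. The default srwxr-xr-x
# from the question trips this; the wanted srwxrwx--- does not.
world_accessible() {
    case "$(stat -c '%a' "$1")" in
        *0) return 1 ;;
        *)  return 0 ;;
    esac
}

# fix_perms PATH MODE OWNER GROUP: apply the wanted ownership and mode, but
# only when they differ, so a per-minute cron run stays idempotent and quiet.
# Fails if PATH is not a socket (VM not running, or a stale regular file).
fix_perms() {
    if [ ! -S "$1" ]; then
        echo "$1: not a socket" >&2
        return 1
    fi
    perms_ok "$1" "$2" "$3" "$4" && return 0
    chown "$3:$4" "$1" && chmod "$2" "$1"
}

# "vncsock-perms.sh fix" (placeholder name) applies the fix; "check" reports
# a world-accessible socket and exits non-zero, which suits a monitoring hook.
case "${1:-}" in
    fix)
        fix_perms "$VNC_SOCK" "$WANT_MODE" "$WANT_OWNER" "$WANT_GROUP" ;;
    check)
        if world_accessible "$VNC_SOCK"; then
            echo "$VNC_SOCK is world-accessible: $(socket_state "$VNC_SOCK")" >&2
            exit 1
        fi ;;
esac
```

A cron entry such as "* * * * * root /usr/local/sbin/vncsock-perms.sh fix" in /etc/cron.d (path assumed) runs it every minute. The fix only takes effect after QEMU has already created the socket, so each VM start leaves a window of up to one cron interval in which the default mode applies; the "check" mode makes that window visible rather than silent. The group name is distribution-specific, as the answer notes: the libvirtd.conf comments use "libvirt" where the question uses "libvirtd".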

Attribution
Source: Link, Question Author: vimalloc, Answer Author: dyasny
