From: "Daniel P. Berrangé" <berrange@redhat.com>
To: "Philippe Mathieu-Daudé" <philmd@redhat.com>
Cc: qemu-devel@nongnu.org, "Markus Armbruster" <armbru@redhat.com>,
"Dr. David Alan Gilbert" <dgilbert@redhat.com>,
"Gerd Hoffmann" <kraxel@redhat.com>,
"Andreas Färber" <afaerber@suse.de>
Subject: Re: [Qemu-devel] [PATCH v5 10/11] authz: add QAuthZPAM object type for authorizing using PAM
Date: Fri, 19 Oct 2018 12:04:48 +0100
Message-ID: <20181019110448.GM13722@redhat.com>
In-Reply-To: <d8312d1b-4c21-65f7-72eb-380a91f4459f@redhat.com>
On Fri, Oct 19, 2018 at 12:02:57PM +0200, Philippe Mathieu-Daudé wrote:
> On 09/10/2018 15:04, Daniel P. Berrangé wrote:
> > From: "Daniel P. Berrange" <berrange@redhat.com>
> >
> > Add an authorization backend that talks to PAM to check whether the user
> > identity is allowed. This only uses the PAM account validation facility,
> > which is essentially just a check to see if the provided username is permitted
> > access. It doesn't use the authentication or session parts of PAM, since
> > that's dealt with by the relevant part of QEMU (eg VNC server).
> >
> > Consider starting QEMU with a VNC server and telling it to use TLS with
> > x509 client certificates and configuring it to use PAM to validate
> > the x509 distinguished name. In this example we're telling it to use PAM
> > for the QAuthZ impl with a service name of "qemu-vnc"
> >
> > $ qemu-system-x86_64 \
> > -object tls-creds-x509,id=tls0,dir=/home/berrange/security/qemutls,\
> > endpoint=server,verify-peer=yes \
> > -object authz-pam,id=authz0,service=qemu-vnc \
> > -vnc :1,tls-creds=tls0,tls-authz=authz0
> >
> > This requires an /etc/pam/qemu-vnc file to be created with the auth
> > rules. A very simple file based whitelist can be set up using
> >
> > $ cat > /etc/pam/qemu-vnc <<EOF
> > account requisite pam_listfile.so item=user sense=allow file=/etc/qemu/vnc.allow
> > EOF
> >
> > The /etc/qemu/vnc.allow file simply contains one username per line. Any
> > username not in the file is denied. The usernames in this example are
> > the x509 distinguished name from the client's x509 cert.
> >
> > $ cat > /etc/qemu/vnc.allow <<EOF
> > CN=laptop.berrange.com,O=Berrange Home,L=London,ST=London,C=GB
> > EOF
> >
> > More interesting would be to configure PAM to use an LDAP backend, so
> > that the QEMU authorization check data can be centralized instead of
> > requiring each compute host to have a file maintained.
> >
> > The main limitation with this PAM module is that the rules apply to all
> > QEMU instances on the host. Setting up different rules per VM would
> > require creating a separate PAM service name & config file for every
> > guest. An alternative approach for the future might be to not pass in
> > the plain username to PAM, but instead combine the VM name or UUID with
> > the username. This requires further consideration though.
> >
> > Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
> > ---
> > authz/Makefile.objs | 3 +
> > authz/pamacct.c | 149 ++++++++++++++++++++++++++++++++++++++++
> > authz/trace-events | 3 +
> > configure | 37 ++++++++++
> > include/authz/pamacct.h | 100 +++++++++++++++++++++++++++
> > qemu-options.hx | 35 ++++++++++
> > 6 files changed, 327 insertions(+)
> > create mode 100644 authz/pamacct.c
> > create mode 100644 include/authz/pamacct.h
[snip]
> Since this one links another lib, can we have a simple unit test?
I would like to have been able to test this, but AFAICT, it is not
possible to test without having the pam service config file added
into /etc/pam.d/, which we obviously can't do from a unit test
in QEMU :-(
> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
> Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
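The pam_listfile whitelist quoted in the commit message is worth seeing as a decision procedure, because the "username" QEMU hands to PAM is the client's x509 distinguished name and pam_listfile compares it with the file contents verbatim. The following is an added example, not QEMU's authz-pam code and not Linux-PAM's pam_listfile module: it parses the quoted `/etc/pam.d/qemu-vnc` rule and allow file (both embedded as constructed strings) and mirrors the stated semantics (one username per line, anything not listed is denied). The `onerr` handling and the `sense=deny` branch follow the pam_listfile man page as I understand it and are assumptions here; real enforcement is done by libpam, which this does not call.

```python
"""Emulation of the pam_listfile whitelist check described in the commit message.

Added example: not QEMU's authz code and not Linux-PAM's pam_listfile. It only
mirrors the documented decision so the matching behaviour can be exercised
without installing a PAM service file under /etc/pam.d/.
"""
import shlex

# Constructed /etc/pam.d/qemu-vnc content, taken from the commit message.
PAM_SERVICE_TEXT = (
    "account requisite pam_listfile.so item=user sense=allow "
    "file=/etc/qemu/vnc.allow\n"
)

# Constructed /etc/qemu/vnc.allow content: the x509 DN that the VNC server
# passes to the authz backend as the "username", one entry per line.
ALLOW_FILE_TEXT = (
    "CN=laptop.berrange.com,O=Berrange Home,L=London,ST=London,C=GB\n"
)


def parse_listfile_rule(service_text):
    """Return the option dict of the first 'account ... pam_listfile.so' rule.

    Service lines look like '<type> <control> <module> [key=value ...]'.
    Comments, blank lines and rules for other modules are skipped; None is
    returned when no pam_listfile account rule exists.
    """
    for raw in service_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = shlex.split(line)
        if len(fields) < 3 or fields[0] != "account" or fields[2] != "pam_listfile.so":
            continue
        opts = {"control": fields[1]}
        for kv in fields[3:]:
            key, _, value = kv.partition("=")
            opts[key] = value
        return opts
    return None


def listfile_permits(user, rule, allow_text):
    """Decide whether `user` passes the pam_listfile account check.

    item=user: the file is read line by line and compared with the username
    verbatim, so an x509 DN must appear exactly as QEMU formats it (attribute
    order, spacing and case all matter). sense=allow permits only listed
    users; sense=deny rejects listed users. allow_text=None models a file that
    cannot be read; this is treated as a failure unless onerr=succeed is set
    (assumed to match the module's documented default of onerr=fail).
    """
    if rule is None or rule.get("item") != "user":
        return False                      # misconfigured rule: fail closed
    if allow_text is None:
        return rule.get("onerr", "fail") == "succeed"
    listed = any(line == user for line in allow_text.splitlines() if line)
    sense = rule.get("sense")
    if sense == "allow":
        return listed
    if sense == "deny":
        return not listed
    return False                          # sense is mandatory; fail closed


def check_dn(dn):
    """Convenience wrapper over the constructed service file and allow list."""
    return listfile_permits(dn, parse_listfile_rule(PAM_SERVICE_TEXT), ALLOW_FILE_TEXT)


if __name__ == "__main__":
    for dn in (
        "CN=laptop.berrange.com,O=Berrange Home,L=London,ST=London,C=GB",
        "C=GB,ST=London,L=London,O=Berrange Home,CN=laptop.berrange.com",
        "CN=other.example.org,O=Berrange Home,L=London,ST=London,C=GB",
    ):
        print(("ALLOW " if check_dn(dn) else "DENY  ") + dn)
```

The second DN in the `__main__` loop is the same certificate subject with its attributes in reverse order; it is denied, which is the practical point of the example: the allow file must hold the DN in exactly the form the VNC server emits, and a reviewer of such a config should compare against a real rejected-connection log entry rather than against the DN as printed by a certificate tool.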