Let's start with a generalized example so everyone gets the idea...

Reference: man 8 pklocalauthority

/etc/polkit-1/localauthority/10-vendor.d/example-udisks.pkla

[Local users]
Identity=unix-group:plugdev
Action=org.freedesktop.udisks.*
ResultAny=yes
ResultInactive=yes
ResultActive=yes

The above file would grant permission, with or without an active local
ConsoleKit session, to users in the plugdev group for everything udisks
handles.

Notice that to get an active ConsoleKit session you are now required to
use PAM, or a Display Manager like GDM with internal ConsoleKit support.

Note that the PAM method requires you to have CONFIG_AUDITSYSCALL=y
support enabled in the kernel to get a valid sessionid string, and not all
minor archs support this kernel option.

We could have similar .pkla files also for other stuff like bluetooth,
networkmanager, shutdown/reboot, suspend and hibernate (upower), and the
list continues.

The benefits are somewhat clear: things would work out of the box for remote
users belonging to the right group, PAM-less users, as well as minor arches.

The downside of this is that most users would probably end up using this
as a workaround for inactive ConsoleKit sessions that should really be
local, but the user is just failing to configure his system in the proper
state to gain it (launching X the wrong way, wrong kernel opts, ...)

And if we want this, should we stick to a generalized plugdev group?

Or perhaps group wheel for shutdown/reboot. Group storage for udisks.
Group power for upower (hibernate, suspend). Group bluetooth for bluez.
Group network for networkmanager? (Just throwing ideas...)

So... any comments before I just pick what I think is best and commit
the .pkla files (or not)? I'm really 50-50 on this...

Would like to get this decided before p.masking HAL.
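
Added example, not part of the original message: a small Python check that parses .pkla text and reports entries answering yes through ResultAny or ResultInactive, that is, for subjects without an active local session, which is the trade-off weighed above. The second sample entry, its storage group rule, and the function names are constructed for illustration.

```python
import configparser

# Constructed sample: the example-udisks.pkla entry from the message, plus a
# hypothetical entry that answers only for active local sessions.
SAMPLE_PKLA = """\
[Local users]
Identity=unix-group:plugdev
Action=org.freedesktop.udisks.*
ResultAny=yes
ResultInactive=yes
ResultActive=yes

[Active sessions only]
Identity=unix-group:storage
Action=org.freedesktop.udisks.*
ResultActive=yes
"""

def _split(value):
    # Identity= and Action= take ';'-separated lists of globs.
    return [item.strip() for item in value.split(";") if item.strip()]

def audit_pkla(text):
    """Report entries that answer 'yes' without an active local session."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str  # keep key case (ResultAny, not resultany)
    parser.read_string(text)
    findings = []
    for name in parser.sections():
        entry = parser[name]
        granted_by = [key for key in ("ResultAny", "ResultInactive")
                      if entry.get(key, "").strip() == "yes"]
        if not granted_by:
            continue
        actions = _split(entry.get("Action", ""))
        findings.append({
            "entry": name,
            "identities": _split(entry.get("Identity", "")),
            "actions": actions,
            "granted_by": granted_by,
            "wildcard": any("*" in action for action in actions),
        })
    return findings

if __name__ == "__main__":
    for finding in audit_pkla(SAMPLE_PKLA):
        print(finding)
```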