| 1 |
Let's start with generalized example so everyone gets the idea... |
| 2 |
|
| 3 |
Reference: man 8 pklocalauthority |
| 4 |
|
| 5 |
/etc/polkit-1/localauthority/10-vendor.d/example-udisks.pkla |
| 6 |
|
| 7 |
[Local users] |
| 8 |
Identity=unix-group:plugdev |
| 9 |
Action=org.freedesktop.udisks.* |
| 10 |
ResultAny=yes |
| 11 |
ResultInactive=yes |
| 12 |
ResultActive=yes |
| 13 |
|
| 14 |
The above file would grant permission with or without active local |
| 15 |
ConsoleKit session to users in plugdev group to everything udisks handles. |
| 16 |
|
| 17 |
Notice that getting active ConsoleKit session you are now required to |
| 18 |
use PAM, or Display Manager like GDM with internal ConsoleKit support. |
| 19 |
|
| 20 |
Note that the PAM method requires you to have CONFIG_AUDITSYSCALL=y |
| 21 |
support enabled in kernel to get valid sessionid string and not all |
| 22 |
minor archs support this kernel option. |
| 23 |
|
| 24 |
|
| 25 |
We could have similar .pkla files also for other stuff like bluetooth, |
| 26 |
networkmanager, shutdown/reboot, suspend and hibernate (upower), and the |
| 27 |
list continues. |
| 28 |
|
| 29 |
The benefits are somewhat clear, things would work out of box for remote |
| 30 |
users beloging to right group, PAM-less users, as well as minor arches. |
| 31 |
|
| 32 |
The downside of this is that most users would propably end up using this |
| 33 |
as workaround for inactive ConsoleKit sessions that should really be |
| 34 |
local, but the user is just failing to configure his system in proper |
| 35 |
state to gain it (launching the X wrong way, wrong kernel opts, ...) |
| 36 |
|
| 37 |
And if we want this, should we stick to generalized plugdev group? |
| 38 |
|
| 39 |
Or perhaps group wheel for shutdown/reboot. Group storage for udisks. |
| 40 |
Group power for upower (hibernate, suspend). Group bluetooth for bluez. |
| 41 |
Group network for networkmanager? (Just throwing ideas...) |
| 42 |
|
| 43 |
So... any comments before I just pick what I think is best and commit |
| 44 |
the .pkla files (or not). I'm really 50-50 on this... |
| 45 |
|
| 46 |
Would like to get this decided before p.masking HAL. |
Archives