| 1 |
On Mon, May 16, 2011 at 5:15 PM, Samuli Suominen <ssuominen@g.o> wrote: |
| 2 |
> Let's start with generalized example so everyone gets the idea... |
| 3 |
> |
| 4 |
> Reference: man 8 pklocalauthority |
| 5 |
> |
| 6 |
> /etc/polkit-1/localauthority/10-vendor.d/example-udisks.pkla |
| 7 |
> |
| 8 |
> [Local users] |
| 9 |
> Identity=unix-group:plugdev |
| 10 |
> Action=org.freedesktop.udisks.* |
| 11 |
> ResultAny=yes |
| 12 |
> ResultInactive=yes |
| 13 |
> ResultActive=yes |
| 14 |
> |
| 15 |
> The above file would grant permission with or without active local |
| 16 |
> ConsoleKit session to users in plugdev group to everything udisks handles. |
| 17 |
> |
| 18 |
> Notice that getting active ConsoleKit session you are now required to |
| 19 |
> use PAM, or Display Manager like GDM with internal ConsoleKit support. |
| 20 |
> |
| 21 |
> Note that the PAM method requires you to have CONFIG_AUDITSYSCALL=y |
| 22 |
> support enabled in kernel to get valid sessionid string and not all |
| 23 |
> minor archs support this kernel option. |
| 24 |
|
| 25 |
Does the handbook mention this? |
| 26 |
|
| 27 |
> |
| 28 |
> |
| 29 |
> We could have similar .pkla files also for other stuff like bluetooth, |
| 30 |
> networkmanager, shutdown/reboot, suspend and hibernate (upower), and the |
| 31 |
> list continues. |
| 32 |
> |
| 33 |
> The benefits are somewhat clear, things would work out of box for remote |
| 34 |
> users beloging to right group, PAM-less users, as well as minor arches. |
| 35 |
> |
| 36 |
> The downside of this is that most users would propably end up using this |
| 37 |
> as workaround for inactive ConsoleKit sessions that should really be |
| 38 |
> local, but the user is just failing to configure his system in proper |
| 39 |
> state to gain it (launching the X wrong way, wrong kernel opts, ...) |
| 40 |
|
| 41 |
As long as this is documented somewhere, I don't think users should |
| 42 |
have to screw with anything too much to get this stuff working. God |
| 43 |
knows I don't want to. |
| 44 |
|
| 45 |
> |
| 46 |
> And if we want this, should we stick to generalized plugdev group? |
| 47 |
> |
| 48 |
> Or perhaps group wheel for shutdown/reboot. Group storage for udisks. |
| 49 |
> Group power for upower (hibernate, suspend). Group bluetooth for bluez. |
| 50 |
> Group network for networkmanager? (Just throwing ideas...) |
| 51 |
> |
| 52 |
> So... any comments before I just pick what I think is best and commit |
| 53 |
> the .pkla files (or not). I'm really 50-50 on this... |
| 54 |
> |
| 55 |
> Would like to get this decided before p.masking HAL. |
| 56 |
> |
| 57 |
> |
Archives