1 |
On Mon, May 16, 2011 at 5:15 PM, Samuli Suominen <ssuominen@g.o> wrote: |
2 |
> Let's start with generalized example so everyone gets the idea... |
3 |
> |
4 |
> Reference: man 8 pklocalauthority |
5 |
> |
6 |
> /etc/polkit-1/localauthority/10-vendor.d/example-udisks.pkla |
7 |
> |
8 |
> [Local users] |
9 |
> Identity=unix-group:plugdev |
10 |
> Action=org.freedesktop.udisks.* |
11 |
> ResultAny=yes |
12 |
> ResultInactive=yes |
13 |
> ResultActive=yes |
14 |
> |
15 |
> The above file would grant permission with or without active local |
16 |
> ConsoleKit session to users in plugdev group to everything udisks handles. |
17 |
> |
18 |
> Notice that getting active ConsoleKit session you are now required to |
19 |
> use PAM, or Display Manager like GDM with internal ConsoleKit support. |
20 |
> |
21 |
> Note that the PAM method requires you to have CONFIG_AUDITSYSCALL=y |
22 |
> support enabled in kernel to get valid sessionid string and not all |
23 |
> minor archs support this kernel option. |
24 |
|
25 |
Does the handbook mention this? |
26 |
|
27 |
> |
28 |
> |
29 |
> We could have similar .pkla files also for other stuff like bluetooth, |
30 |
> networkmanager, shutdown/reboot, suspend and hibernate (upower), and the |
31 |
> list continues. |
32 |
> |
33 |
> The benefits are somewhat clear, things would work out of box for remote |
34 |
> users beloging to right group, PAM-less users, as well as minor arches. |
35 |
> |
36 |
> The downside of this is that most users would propably end up using this |
37 |
> as workaround for inactive ConsoleKit sessions that should really be |
38 |
> local, but the user is just failing to configure his system in proper |
39 |
> state to gain it (launching the X wrong way, wrong kernel opts, ...) |
40 |
|
41 |
As long as this is documented somewhere, I don't think users should |
42 |
have to screw with anything too much to get this stuff working. God |
43 |
knows I don't want to. |
44 |
|
45 |
> |
46 |
> And if we want this, should we stick to generalized plugdev group? |
47 |
> |
48 |
> Or perhaps group wheel for shutdown/reboot. Group storage for udisks. |
49 |
> Group power for upower (hibernate, suspend). Group bluetooth for bluez. |
50 |
> Group network for networkmanager? (Just throwing ideas...) |
51 |
> |
52 |
> So... any comments before I just pick what I think is best and commit |
53 |
> the .pkla files (or not). I'm really 50-50 on this... |
54 |
> |
55 |
> Would like to get this decided before p.masking HAL. |
56 |
> |
57 |
> |