[Pkg-utopia-maintainers] Bug#526854: hal: HAL should not require PolicyKit

Fredrik Tolf fredrik at dolda2000.com
Mon May 4 22:57:00 UTC 2009


On Mon, 2009-05-04 at 23:57 +0200, Martin Pitt wrote:
> Fredrik Tolf [2009-05-04 21:37 +0000]:
> > Just in case I wasn't clear enough, my argument is this: Without
> > PolicyKit, I had to take explicit action in order to grant privileges to
> > users, while with PolicyKit, I have to take explicit action in order to
> > *not* grant privileges to users.
> 
> That's not an inherent property of PK vs. groups, but a matter of
> default configuration. E. g. the installer used to put the default
> user into plugdev, powerdev, etc., and users-admin (from
> gnome-system-tools) did similar things for a "desktop user".

Both of those are special cases explicitly designed for usability with
weaker security, though. I use neither.

> The job of us as a distro is to provide a sensible default
> configuration which provides a good balance between security and
> usability.

Arguably so, but how do you define what is sensible? In my mind,
PolicyKit's defaults seem sensible only for desktop setups, which aren't
the only places in which HAL is being used. I've used it both in
workstation-class setups and "embedded" special purpose setups (such as
a music player computer, where I used it to detect USB storage with
media files on), where it cannot reasonably be argued that local users
should be granted all those privileges by default. I don't think that it
should be assumed that all Debian machines are desktop machines. That's
what Ubuntu is for, if you ask me.

And apart from that, it would be nice to at least be *able* to create
unprivileged users, which you cannot do with PK's defaults.

For that matter, it is unclear what PK means by "auth_admin", and I have
yet to find any documentation that explains it.

Also, it is very unclear what one should do to avoid these "sensible
defaults", and if they cannot be avoided, then they aren't just
"defaults".

> For example, it doesn't make much sense to deny access to
> a USB camera or scanner to a user at a local console; he has
> physical access to those devices, after all.

Quite possibly so, but I would expect to be able to leave a USB
thumbdrive in the computer and not risk it being written to by any local
user who you haven't given any particular privilege to otherwise read it
(unlike e.g. pmount, which requires users to be part of the plugdev
group). Of course he'd be able to steal it and plug it into some other
computer if he has local access, but at least that would be noticed.

> Thus I am very much against making PK optional. It will only aggravate
> the confusion, since there will be systems which use PK and some which
> don't.

Well, yeah, there will. I must admit that I don't see the problem with
that. There are systems which use NIS, and others which don't.

> History showed that device access privileges can't be sensibly
> mapped to and maintained with static group membership, so we should
> settle to _one_ system of verifying privileges, also to be compatible
> with the rest of the world.

Maybe, maybe not. I, for one, never had any problems with the static
group membership solution, so I can't really say that "history has
shown that it cannot be done"... Furthermore, it is precisely *because*
there should be exactly one system of verifying privileges that I oppose
PK, because POSIX already defines that system. With PK there are two
systems, and even worse, any given user gets the union, not the
intersection, of the privileges granted by each. If it were the
intersection, I wouldn't object. This way, as I've said, users are
getting granted privileges without me even knowing it.

How about creating a special group for all users that can have
privileges granted by PK?

As for being compatible with the rest of the world, I resent that
statement. There are different distros because not everyone wants to use
the exact same thing.

> To be fair, I had very similar feelings to yours when I heard about
> PK the first time, since it seemed to be that ominous new thing which
> opened root holes in the background. :-)

I don't mean to sound offensive, but why did you change your mind?
Surely it wasn't just to be like everyone else?

> Just my € 0.02,

Since I resent the usage of fiat currency, please accept my 1 mg of gold
in return. :)

Fredrik Tolf