[Pkg-utopia-maintainers] how to override polkit defaults?

Christoph Anton Mitterer calestyo at scientia.net
Sun Apr 1 03:32:55 UTC 2018


On Fri, 2018-03-30 at 10:45 +0200, Michael Biebl wrote:
> No current plans to upload the JavaScript/mozjs based version to
> unstable.

Okay, so 1.05 is basically to stay in Debian.


> > And how should one write/override rules for polkit in Debian?
> You might have a look at
> https://packages.ubuntu.com/search?keywords=policykit-desktop-privileges
AFAIU, this is basically what's described in pklocalauthority(8),
right?

E.g. I could do something like
[Foo bar baz]
Identity=unix-user:*
Action=org.freedesktop.udisks2.*
ResultAny=auth_admin
ResultInactive=auth_admin
ResultActive=auth_admin

but then I'll really force every user (including root) to that. I
assume there's no way to keep things for root as they are (i.e. root
not needing to enter the password).
Would be nice if there was something like:
Identity=!unix-user:0
so that I force only non-root users to enter the password.


I've noted the following possibly unclear things in 
pklocalauthority(8):
a) In "ADMINISTRATOR AUTHENTICATION" it says "later files can override
earlier ones", so 60-*.conf could be used to override
50-localauthority.conf. But it seems that there is rather some merging
going on, e.g. Debian has:
/etc/polkit-1/localauthority.conf.d/50-localauthority.conf
/etc/polkit-1/localauthority.conf.d/51-debian-sudo.conf
And the AdminIdentities= of the latter is apparently rather added to
that of the former.
Maybe the overriding happens just at unix-user: and unix-group: level.

b) The description of Identity doesn't really tell whether multiple
identities are ORed or ANDed.

c) There is no real description which globs are actually supported...
probably just "*" but there are globbing syntaxes which offer "!" and
similar.

All not really an issue for me, just in case someone would want to
clarify the documentation :)


But for the following it would be helpful if someone could explain how
it works:

d) I could nowhere find anything (neither for the .policy files) what
happens if ResultAny AND ResultInactive or ResultActive are given...
i.e. who wins if ResultAny says No, but ResultActive says Yes when the
session is Active?
The manpages do also not really explain what's all active/inactive...
some websites seem to think Any is just the default if neither
Inactive/Active are given... some imply that it's more when a session
is neither active nor inactive, i.e. like anonymous access.

e) There's /usr/share/polkit-1/rules.d/ and /etc/polkit-1/rules.d/ and a
number of packages place .rules files (at least in the former).

I assume these are for the post-105 versions and are completely ignored
in Debian?
That was a bit confusing, so perhaps one could add a README to these
dirs explaining that :)


Thanks for your help :)
Chris.
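
Added example, not part of the original message and not polkit's own code: a small Python audit helper that lists which .pkla entries cover a given identity and action, so an admin can see every entry that would be in play before adding an override. It assumes "*" is the only wildcard and that the ";"-separated globs in Identity and Action are ORed (the points raised as b and c above); it reports the Result* keys as written and does not decide which one applies. The second entry, the group plugdev and the user alice are constructed.

```python
import configparser
import re

# Constructed sample: the entry from the message plus a narrower second one.
SAMPLE_PKLA = """\
[Foo bar baz]
Identity=unix-user:*
Action=org.freedesktop.udisks2.*
ResultAny=auth_admin
ResultInactive=auth_admin
ResultActive=auth_admin

[Constructed second entry]
Identity=unix-group:plugdev;unix-user:alice
Action=org.freedesktop.udisks2.filesystem-mount
ResultActive=yes
"""

RESULT_KEYS = ("ResultAny", "ResultInactive", "ResultActive")


def glob_match(pattern, value):
    """Match with '*' as the only wildcard (assumption, see point c)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def any_glob_matches(field, values):
    """True if any ';'-separated glob in field matches any value (OR, assumed)."""
    globs = [g.strip() for g in field.split(";") if g.strip()]
    return any(glob_match(g, v) for g in globs for v in values)


def matching_entries(pkla_text, identities, action):
    """Return [(section, {Result*: value})] for entries covering the subject."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str  # keep key case: Identity, ResultAny, ...
    parser.read_string(pkla_text)
    hits = []
    for section in parser.sections():
        entry = parser[section]
        if not any_glob_matches(entry.get("Identity", ""), identities):
            continue
        if not any_glob_matches(entry.get("Action", ""), [action]):
            continue
        hits.append((section, {k: entry[k] for k in RESULT_KEYS if k in entry}))
    return hits
```

Pass the user and all of their groups as identities, e.g. `matching_entries(text, ["unix-user:bob", "unix-group:plugdev"], action)`, and run it over each file in the localauthority directories to see overlapping entries.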


