[Pkg-utopia-maintainers] how to override polkit defaults?
Christoph Anton Mitterer
calestyo at scientia.net
Sun Apr 1 03:32:59 UTC 2018
Hey Micahel.
Thanks for giving a help :-)
On Fri, 2018-03-30 at 10:50 +0200, Michael Biebl wrote:
> Fwiw, I don't agree here. A computer should be usable by default.
> We have a conservative, but usable default policy in Debian, imho.
> If a computer is not usable, users will start to employ hacks and
> workarounds, which would be worse.
Well I guess the difficulty here is to determine what's a common kind
of computer that people can/should expect, and what's
conservative/usable for that.
Debian, runs probably on everything,... from the super-computer, over
classic servers, the true multi-user-desktop/terminal, the typical
single-user-desktop to embedded devices, right?!
I'd guess that all bug the single-user-desktop might have quite easily
an issue with such a policy as it is right now (especially also the
embedded system).
OTOH, for the single-user-desktop, you're of course absolutely
right,... there it wouldn't make much sense to require people to enter
roots passwords to e.g. the USB stick they plug-in, since they have
anyway full control over it.
polkit doesn't seem to be for desktops only and nothing in udisks
really says "beware: our defaults are rather suited for single-user-
desktops"
btw: I've noticed that even udisks itself doesn't seem to have a clear
understanding of what's a system disk or not:
- A plain partition/fs on a "removable device" (well all devices are
removable, so let's call it: "connected via USB") will be considered
non-system, and users can modify it.
- A fs below dm-crypt on the same USB-connected device (just on another
partition) seemed to be not-considered a system disk.
Just discovered this by accident and maybe I did something wrong,.. and
since I'm already in my Easter holidays I cannot check it properly
right now.
Have you guys considered to simply ship multiple policies and give the
user e.g. a debconf choice on to which is installed?
There could be a simple choice between "desktop", "server", "secure"
(with perhaps some better naming for the later, as it shouldn't imply
the others are less secure).
Alternatively, the policy could be split into it's own package, and
udisks depend on either of several.
In both cases, the default could be kept to match the current
behaviour.
> For a specialized lab setup you are indeed encouraged to setup you
> own
> policies and lock down stuff further.
That's basically my plan :-)
Happy Easter,
Chris.
More information about the Pkg-utopia-maintainers
mailing list