solaris /dev/console patch

David Zeuthen david at fubar.dk
Thu Apr 27 16:07:54 PDT 2006


On Wed, 2006-04-26 at 22:19 +0100, Robert McQueen wrote:
> It seems to me like we should think about a better way to achieve this
> so that we could support more of these policies in a clean way, rather
> than ending up with either heavy distro or system-specific patching or a
> load of ifdef'd code.

Personally I think the whole way of enforcing policy in the bus daemon
is.. not flawed.. but, then again, not enough since it relies only on
"simple properties" such as

 1. uid
 2. gid
 3. whether a user is on a local console or not.
 4. selinux context

but doesn't use any of the rich semantics the object has. Sure, these
policy items are still very useful for simple stuff, not saying they
should be removed, but... indulge some rambling :-)

For example, in HAL, we export an object for every mountable volume and
disk drive and one thing you want is to allow users on the console (and
only those at the console) to partition/format the disk/volume _only_ if
it stems from removable/hotpluggable media/drives. If it's not
removable/hotpluggable the thing that should happen is that we ask
(console) users to auth (put in his own or the super user password). Of
course, this all depends on what environment your box is in; home users
should probably be allowed this anyway, enterprise desktops maybe not
and so on.

The way I want to address this is through PolicyKit

 http://webcvs.freedesktop.org/*checkout*/hal/PolicyKit/doc/spec/polkit-spec.html
 (for the overall spec; work in progress)

 http://lists.freedesktop.org/archives/hal/2006-January/004377.html
 (explaining the motivation for what became PolicyKit)

Specifically I want to patch the login managers (gdm, kdm, whatever) to
grant the user the privilege 'local-desktop-console' when they log in
and revoke it when the session ends.

All the interesting privileges [1] will then simply require this
privilege, 'local-desktop-console', and it will be equivalent to
at_console. Specifically, admins will be able to grant/revoke individual
users certain privileges (on certain resources) on a case-by-case basis
even on the fly.

Thus I envision that HAL won't use at_console at all when PolicyKit is
baked. The good news is that I plan to release a working version of
PolicyKit very soon (maybe even this weekend). I expect to be at 1.0 at
some point within six months but you guys all know open source :-)

With time I want to extend the bus policy configuration so the bus will
simply ask the policy kit daemon whether the user is privileged. Thus I
would be able to write

  <policy polkit="local-desktop-console">
    <allow send_interface="org.freedesktop.Hal.Device.SystemPowerManagement"/>
    <allow send_interface="org.freedesktop.Hal.Device.LaptopPanel"/>
    <allow send_interface="org.freedesktop.Hal.Device.Volume"/>
    <allow send_interface="org.freedesktop.Hal.Device.Volume.Crypto"/>
  </policy>

to block most of the requests at the bus-level. What do people think of
that? Would a patch like that be accepted?

    David

[1] : for mounting, formatting disks; putting the system to sleep,
changing network configuration, punching holes in firewalls for desktop
files sharing, changing timezones etc etc
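The two-layer decision David sketches (a bus-level check on a session-granted privilege, then an object-level check on properties such as "removable") as a small constructed simulation. This is an added illustration, not PolicyKit or HAL code; the `Caller`/`Volume` types, the `grant_console`/`revoke_console` helpers standing in for the login manager, and the verdict strings are assumptions.

```python
"""Simulation of the policy model from the mail: a login manager grants a
session the 'local-desktop-console' privilege, the bus gates HAL interfaces on
that privilege, and HAL itself decides per object whether the action is free
or needs authentication. All names and sample data here are constructed."""
from dataclasses import dataclass, field

CONSOLE = "local-desktop-console"

# Mirrors the <policy polkit="local-desktop-console"> fragment in the mail:
# interfaces a caller may only reach when holding that privilege.
BUS_POLICY = {
    "org.freedesktop.Hal.Device.SystemPowerManagement": CONSOLE,
    "org.freedesktop.Hal.Device.LaptopPanel": CONSOLE,
    "org.freedesktop.Hal.Device.Volume": CONSOLE,
    "org.freedesktop.Hal.Device.Volume.Crypto": CONSOLE,
}

@dataclass
class Caller:
    uid: int
    privileges: set = field(default_factory=set)  # granted per session, not per uid

@dataclass
class Volume:
    path: str          # constructed HAL-style object path
    removable: bool
    hotpluggable: bool

def grant_console(caller):   # what a patched gdm/kdm would do at login (assumed helper)
    caller.privileges.add(CONSOLE)

def revoke_console(caller):  # and at session end
    caller.privileges.discard(CONSOLE)

def bus_check(caller, interface):
    """Bus-level gate: default-deny, allow only if the caller holds the privilege."""
    needed = BUS_POLICY.get(interface)
    return "allow" if needed is not None and needed in caller.privileges else "deny"

def object_check(volume, method):
    """Object-level rule from the mail: formatting is free only on removable or
    hotpluggable media; otherwise the console user must authenticate."""
    if method != "Format" or volume.removable or volume.hotpluggable:
        return "allow"
    return "auth-required"

def decide(caller, interface, volume, method):
    """Combined verdict: 'deny', 'allow' or 'auth-required'."""
    verdict = bus_check(caller, interface)
    return verdict if verdict != "allow" else object_check(volume, method)
```

The point the simulation makes is that uid alone never decides anything: the same uid gets "deny" before login, "allow" on a USB stick and "auth-required" on the internal disk.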
