[PATCH] Allow hibernate, suspend and CPUFreq for root independently from desktop-console

Holger Macht hmacht at suse.de
Wed Mar 7 12:30:05 PST 2007 

This changes the logic how privileges for hibernate, suspend and cpufreq
are determined. With the current situation, the application/script
checking if the caller is allowed to do something, has to explicitly grant
access for the root user with checking for uid == 0. The new method
exclusively grants access for the root user, but specifies that others can
possess the privilege as soon as they possess the desktop-console
privilege. This way, the lower lever application/script does not have to
handle any special case, it just has to check if the caller (whether root
or not) possesses the specific privilege.

I hope that I was able to make this clear. It is a little bit tricky to
explain and to understand ;-)

I have this patch already sometime in the openSUSE hal package and I think
it is correct, or at least more simple to handle. I just somehow forgot to
bring it up earlier. Comments?  Maybe this also makes sense for some of
the other privileges before 0.5.9?

Signed-off-by: Holger Macht <hmacht at suse.de>
---

diff --git a/privileges/hal-power-cpufreq.privilege b/privileges/hal-power-cpufreq.privilege
index cee08b4..49df022 100644
--- a/privileges/hal-power-cpufreq.privilege
+++ b/privileges/hal-power-cpufreq.privilege
@@ -3,9 +3,9 @@ # This privilege specifies who is allowe
 # via the org.freedesktop.Hal.Device.CPUFreq interface
 
 [Privilege]
-RequiredPrivileges=desktop-console
-SufficientPrivileges=
-Allow=uid:__all__
+RequiredPrivileges=
+SufficientPrivileges=desktop-console
+Allow=uid:root
 Deny=
 CanObtain=True
 CanGrant=True
diff --git a/privileges/hal-power-hibernate.privilege b/privileges/hal-power-hibernate.privilege
index d93c4bd..0fd5037 100644
--- a/privileges/hal-power-hibernate.privilege
+++ b/privileges/hal-power-hibernate.privilege
@@ -2,9 +2,9 @@
 # This privilege specifies who is allowed to hibernate the system.
 
 [Privilege]
-RequiredPrivileges=desktop-console
-SufficientPrivileges=
-Allow=uid:__all__
+RequiredPrivileges=
+SufficientPrivileges=desktop-console
+Allow=uid:root
 Deny=
 CanObtain=True
 CanGrant=True
diff --git a/privileges/hal-power-suspend.privilege b/privileges/hal-power-suspend.privilege
index fb20576..2f39d07 100644
--- a/privileges/hal-power-suspend.privilege
+++ b/privileges/hal-power-suspend.privilege
@@ -2,9 +2,9 @@
 # This privilege specifies who is allowed to suspend the system.
 
 [Privilege]
-RequiredPrivileges=desktop-console
-SufficientPrivileges=
-Allow=uid:__all__
+RequiredPrivileges=
+SufficientPrivileges=desktop-console
+Allow=uid:root
 Deny=
 CanObtain=True
 CanGrant=True

More information about the hal mailing list