PolicyKit/doc/spec polkit-spec.html, 1.1, 1.2 polkit-spec.xml.in,
1.1, 1.2
David Zeuthen
david at kemper.freedesktop.org
Wed Mar 29 08:15:30 PST 2006
Update of /cvs/hal/PolicyKit/doc/spec
In directory kemper:/tmp/cvs-serv23719/doc/spec
Modified Files:
polkit-spec.html polkit-spec.xml.in
Log Message:
2006-03-29 David Zeuthen <davidz at redhat.com>
* configure.in: Add docbook detection
* doc/spec/*: New files
* polkitd/polkit-session.c (polkit_session_finalize): Free the
questions to prevent memory leak
Index: polkit-spec.html
===================================================================
RCS file: /cvs/hal/PolicyKit/doc/spec/polkit-spec.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -d -r1.1 -r1.2
--- polkit-spec.html 29 Mar 2006 02:18:56 -0000 1.1
+++ polkit-spec.html 29 Mar 2006 16:15:28 -0000 1.2
@@ -76,8 +76,8 @@
></DD
><DT
><A
-HREF="#privileges"
->Theory of operation</A
+HREF="#operation"
+>Theory of Operation</A
></DT
><DD
><DL
@@ -98,6 +98,59 @@
></DT
></DL
></DD
+><DT
+><A
+HREF="#resources"
+>Resources</A
+></DT
+><DT
+><A
+HREF="#privileges"
+>Privileges</A
+></DT
+><DD
+><DL
+><DT
+><A
+HREF="#AEN87"
+>Privilege Descriptors</A
+></DT
+><DT
+><A
+HREF="#AEN101"
+>File Format</A
+></DT
+><DD
+><DL
+><DT
+><A
+HREF="#AEN106"
+>Criteria for Possesing a Privilege</A
+></DT
+><DT
+><A
+HREF="#AEN109"
+>Required Privileges</A
+></DT
+><DT
+><A
+HREF="#AEN112"
+>Obtaining Privileges</A
+></DT
+><DT
+><A
+HREF="#AEN115"
+>Granting Privileges</A
+></DT
+></DL
+></DD
+><DT
+><A
+HREF="#AEN118"
+>Privileges defined by PolicyKit</A
+></DT
+></DL
+></DD
></DL
></DIV
><DIV
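Review bot: the new TOC entries for the Privileges subsections link to generated anchors (`#AEN87`, `#AEN101`, `#AEN106`, `#AEN109`, `#AEN112`, `#AEN115`, `#AEN118`) because the corresponding sections in polkit-spec.xml.in carry no id attribute. These numbers are assigned by element position and will shift as soon as anything is added earlier in the document, so links to them go stale. Give each sect1/sect2 an explicit id in the source. "Possesing" in the `#AEN106` entry should read "Possessing".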
@@ -126,9 +179,9 @@
CLASS="chapter"
><HR><H1
><A
-NAME="privileges"
+NAME="operation"
></A
->Theory of operation</H1
+>Theory of Operation</H1
><DIV
CLASS="sect1"
><H2
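Review bot: `NAME="privileges"` is taken off the Theory of Operation chapter here and the same name is assigned to the new Privileges chapter later in this patch, so an existing link to `#privileges` still resolves but lands on different content. If the rename is intended, say so in the ChangeLog entry, which currently records only "New files" for doc/spec.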
@@ -314,7 +367,13 @@
CLASS="literal"
>PolicyKit</TT
> service to release the
- privilege for the user as it is no longer needed.
+ privilege for the user as it is no longer needed. Should the
+ process crash while holding a privilege,
+ the <TT
+CLASS="literal"
+>PolicyKit</TT
+> service will be notifed and
+ the privilege will automatically be revoked.
</P
><P
> Hence, <TT
@@ -334,6 +393,14 @@
obtaining the privilege may use the obtained privilege.
</P
><P
+> In addition, privileges may be restricted to
+ certain <I
+CLASS="emphasis"
+>resources</I
+>; this is discussed in
+ more detail in XXX.
+ </P
+><P
> <IMG
SRC="polkit-arch.png">
</P
@@ -342,6 +409,204 @@
</P
></DIV
></DIV
+><DIV
+CLASS="chapter"
+><HR><H1
+><A
+NAME="resources"
+></A
+>Resources</H1
+><P
+> PolicyKit allows granting privileges only on
+ certain <I
+CLASS="emphasis"
+>resources</I
+>. For example, for HAL,
+ it is possible to grant the
+ privilege <I
+CLASS="emphasis"
+>hal-storage-fixed-mount</I
+> to the
+ user with uid 500 but only for the HAL device object
+ representing e.g. the <TT
+CLASS="literal"
+>/dev/hda3</TT
+> partition.
+ </P
+><P
+>
+ Resource identifers are prefixed with a name identifying what
+ service they belong to. The following resource identifiers are
+ defined
+ </P
+><P
+></P
+><UL
+><LI
+><P
+> <TT
+CLASS="literal"
+>hal://</TT
+>
+ </P
+><P
+> HAL Unique Device Identifiers also known as HAL UDI's. Example: <TT
+CLASS="literal"
+>hal:///org/freedesktop/Hal/devices/volume_uuid_1a28b356_9955_44f9_b268_6ed6639978f5</TT
+>
+ </P
+></LI
+></UL
+></DIV
+><DIV
+CLASS="chapter"
+><HR><H1
+><A
+NAME="privileges"
+></A
+>Privileges</H1
+><DIV
+CLASS="sect1"
+><H2
+CLASS="sect1"
+><A
+NAME="AEN87"
+>Privilege Descriptors</A
+></H2
+><P
+>
+ Applications, such as HAL, installs <I
+CLASS="emphasis"
+>privilege descriptors</I
+> using the <TT
+CLASS="literal"
+>polkit-policy-descriptor-install</TT
+> commandline utility. The descriptor contains the following information
+ </P
+><P
+></P
+><UL
+><LI
+><P
+> Criteria for determining if a given user possess the privilege on a given resource.
+ </P
+></LI
+><LI
+><P
+> What other privileges a given user must also possess.
+ </P
+></LI
+><LI
+><P
+> Information on whether the user can obtain the privilege, and if he can, whether only temporarily or permanently.
+ </P
+></LI
+><LI
+><P
+> Whether a user with the privilege may permanently grant it to other users.
+ </P
+></LI
+></UL
+></DIV
+><DIV
+CLASS="sect1"
+><HR><H2
+CLASS="sect1"
+><A
+NAME="AEN101"
+>File Format</A
+></H2
+><P
+> A developer of a system-wide application wanting to define a
+ privilege must create a privilege descriptor. This is a a
+ simple <TT
+CLASS="literal"
+>.ini</TT
+>-like config file. Here is what
+ the skeleton looks like:
+ </P
+><TABLE
+BORDER="0"
+BGCOLOR="#E0E0E0"
+WIDTH="100%"
+><TR
+><TD
+><PRE
+CLASS="programlisting"
+> [Policy]
+ Allow=
+ Deny=
+ RequirePrivileges=
+ CanGrantToOthers=
+ CanObtain=
+ ObtainRequireRoot=
+ ObtainPAMService=
+ </PRE
+></TD
+></TR
+></TABLE
+><DIV
+CLASS="sect2"
+><HR><H3
+CLASS="sect2"
+><A
+NAME="AEN106"
+>Criteria for Possesing a Privilege</A
+></H3
+><P
+> bar
+ </P
+></DIV
+><DIV
+CLASS="sect2"
+><HR><H3
+CLASS="sect2"
+><A
+NAME="AEN109"
+>Required Privileges</A
+></H3
+><P
+> bar
+ </P
+></DIV
+><DIV
+CLASS="sect2"
+><HR><H3
+CLASS="sect2"
+><A
+NAME="AEN112"
+>Obtaining Privileges</A
+></H3
+><P
+> bar1
+ </P
+></DIV
+><DIV
+CLASS="sect2"
+><HR><H3
+CLASS="sect2"
+><A
+NAME="AEN115"
+>Granting Privileges</A
+></H3
+><P
+> bar2
+ </P
+></DIV
+></DIV
+><DIV
+CLASS="sect1"
+><HR><H2
+CLASS="sect1"
+><A
+NAME="AEN118"
+>Privileges defined by PolicyKit</A
+></H2
+><P
+> baz
+ </P
+></DIV
+></DIV
></DIV
></BODY
></HTML
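Review bot: the File Format skeleton lists both `Allow=` and `Deny=`, but the sections that should define them ("Criteria for Possesing a Privilege", "Required Privileges", "Obtaining Privileges", "Granting Privileges") contain only the placeholders "bar", "bar1" and "bar2", so the value syntax and which key wins when a user matches both are undefined. For an authorization spec that precedence should be written down before anyone authors descriptors against it. This HTML also does not match the polkit-spec.xml.in in the same commit, which has no File Format section, has a "Temporary Privileges" section instead, and says "HAL UID's" where this file says "HAL UDI's"; regenerate the HTML from the committed source. Typos to fix: "identifers", "Possesing", "This is a a simple".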
Index: polkit-spec.xml.in
===================================================================
RCS file: /cvs/hal/PolicyKit/doc/spec/polkit-spec.xml.in,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -d -r1.1 -r1.2
--- polkit-spec.xml.in 29 Mar 2006 02:18:56 -0000 1.1
+++ polkit-spec.xml.in 29 Mar 2006 16:15:28 -0000 1.2
@@ -37,7 +37,7 @@
</sect1>
</chapter>
- <chapter id="privileges">
+ <chapter id="operation">
<title>Theory of operation</title>
<sect1>
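Review bot: the `<title>` context line still reads "Theory of operation" while polkit-spec.html at revision 1.2 shows "Theory of Operation", so the source was not updated together with the generated output. Change the title here as well, otherwise the next regeneration reverts the HTML.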
@@ -143,7 +143,10 @@
privilege (after successful authentication) he can now
invoke <literal>Mount</literal> and after this succeeds he may
tell the <literal>PolicyKit</literal> service to release the
- privilege for the user as it is no longer needed.
+ privilege for the user as it is no longer needed. Should the
+ process crash while holding a privilege,
+ the <literal>PolicyKit</literal> service will be notifed and
+ the privilege will automatically be revoked.
</para>
<para>
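Review bot: "notifed" should be "notified" in the added sentence (the same typo is carried into the generated polkit-spec.html). The sentence also promises automatic revocation when a process crashes while holding a privilege without saying how the service learns of the crash; name the mechanism, since callers will rely on this guarantee.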
@@ -156,6 +159,12 @@
</para>
<para>
+ In addition, privileges may be restricted to
+ certain <emphasis>resources</emphasis>; this is discussed in
+ more detail in XXX.
+ </para>
+
+ <para>
<inlinegraphic fileref="polkit-arch.png" format="PNG"/>
</para>
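Review bot: "more detail in XXX" is a placeholder that ends up in the rendered text. The target exists in this same patch as `<chapter id="resources">`, so replace it with `<xref linkend="resources"/>`.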
@@ -165,5 +174,78 @@
</sect1>
</chapter>
+
+
+ <chapter id="resources">
+ <title>Resources</title>
+
+ PolicyKit allows granting privileges only on
+ certain <emphasis>resources</emphasis>. For example, for HAL, it
+ is possible to grant the
+ privilege <emphasis>hal-storage-fixed-mount</emphasis> to the user
+ with uid 500 but only for the HAL device object representing
+ e.g. the <literal>/dev/hda3</literal> partition.
+
+ <sect1>
+ <title>Resource Identifiers</title>
+ <para> Resource identifers are prefixed with a name identifying
+ what service they belong to. The following resource
+ identifiers are defined
+ </para>
+
+ <itemizedlist>
+ <listitem>
+ <para>
+ <literal>hal://</literal>
+ HAL Unique Device Identifiers also known as HAL UID's. Example: <literal>hal:///org/freedesktop/Hal/devices/volume_uuid_1a28b356_9955_44f9_b268_6ed6639978f5</literal>
+ </para>
+ </listitem>
+ </itemizedlist>
+
+ </sect1>
+
+ </chapter>
+
+
+ <chapter id="privileges">
+ <title>Privileges</title>
+
+ <sect1>
+ <title>Privilege Descriptors</title>
+ <para>
+ Applications, such as HAL, installs <emphasis>privilege descriptors</emphasis> using the <literal>polkit-policy-descriptor-install</literal> commandline utility. The descriptor contains the following information
+ </para>
+
+ <itemizedlist>
+ <listitem>
+ <para>
+ What users and groups possess the privilege
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ foo
+ </para>
+ </listitem>
+ </itemizedlist>
+
+ </sect1>
+
+ <sect1>
+ <title>Temporary Privileges</title>
+ <para>
+ bar
+ </para>
+ </sect1>
+
+ <sect1>
+ <title>Privileges defined by PolicyKit</title>
+ <para>
+ baz
+ </para>
+ </sect1>
+
+ </chapter>
</book>
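Review bot: in `<chapter id="resources">` the introductory text ("PolicyKit allows granting privileges only on certain ...") sits directly under `<title>` with no enclosing `<para>`, which is not valid DocBook; wrap it in `<para>`. In the `hal://` list item, "HAL UID's" should be "HAL UDI's" to match "Unique Device Identifiers", and "identifers" should be "identifiers". The list item "foo" and the section bodies "bar" and "baz" are placeholders that should not reach a published spec.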