PolicyKit: Branch 'master' - 2 commits
Miloslav Trmac
mitr at kemper.freedesktop.org
Mon May 6 10:52:48 PDT 2013
docs/man/polkit.xml | 10 ++--
docs/polkit/overview.xml | 24 +++++++++-
src/examples/org.freedesktop.policykit.examples.pkexec.policy.in | 2
3 files changed, 30 insertions(+), 6 deletions(-)
New commits:
commit 6859857757d7f4b8908970f12a12eee891d87dda
Author: Miloslav Trmač <mitr at redhat.com>
Date: Thu Apr 18 21:14:08 2013 +0200
More warnings about using auth_self*
Suggested by Colin Walters.
https://bugs.freedesktop.org/show_bug.cgi?id=57284
diff --git a/docs/man/polkit.xml b/docs/man/polkit.xml
index f8b4849..d30ee52 100644
--- a/docs/man/polkit.xml
+++ b/docs/man/polkit.xml
@@ -356,7 +356,9 @@ System Context | |
<term><literal>auth_self</literal></term>
<listitem><para>Authentication by the owner of the
session that the client originates from is
- required.</para></listitem>
+ required. Note that this is not restrictive enough for most
+ uses on multi-user systems; <literal>auth_admin</literal>* is
+ generally recommended.</para></listitem>
</varlistentry>
<varlistentry>
<term><literal>auth_admin</literal></term>
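Review bot: The new sentence in the auth_self entry says auth_self is "not restrictive enough" but not why; a reader of the man page would benefit from the one-line reason, e.g. "because any user who owns a session can authenticate as themselves, so every local user is effectively granted the action". Also consider spelling out "auth_admin or auth_admin_keep" instead of the shell-style "auth_admin*", which reads oddly in rendered DocBook.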
@@ -367,7 +369,9 @@ System Context | |
<term><literal>auth_self_keep</literal></term>
<listitem><para>Like <literal>auth_self</literal> but
the authorization is kept for a brief
- period (e.g. five minutes).</para></listitem>
+ period (e.g. five minutes). The warning about
+ <literal>auth_self</literal> above applies
+ likewise.</para></listitem>
</varlistentry>
<varlistentry>
<term><literal>auth_admin_keep</literal></term>
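Review bot: "The warning about auth_self above applies likewise" relies on varlistentry ordering, which can change if entries are reordered or the list is rendered differently; it would be more robust to restate the point briefly and name the recommended alternative, e.g. "prefer <literal>auth_admin_keep</literal> on multi-user systems".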
diff --git a/docs/polkit/overview.xml b/docs/polkit/overview.xml
index fb14e50..150a7bc 100644
--- a/docs/polkit/overview.xml
+++ b/docs/polkit/overview.xml
@@ -74,6 +74,24 @@
<listitem>
<para>
+ <emphasis role='bold'>DO</emphasis> consider the impact of the
+ chosen implicit authorizations on multi-user systems. Generally,
+ ordinary users should be able to neither modify important system's
+ behavior for other users, nor view other users' private data. If
+ your application needs an authorization framework at all, it is
+ fairly likely that the default configuration should deny
+ authorization in at least some cases. Default to using
+ <literal>auth_admin</literal>* instead of
+ <literal>auth_self</literal>*. (On single-user desktops, the
+ single user is typically configured as a polkit administrator, so
+ the two variants behave equally. On multi-user systems,
+ non-administrator users will be restricted by the default
+ configuration.)
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
<emphasis role='bold'>DO</emphasis> pass polkit variables
along with <link
linkend="eggdbus-method-org.freedesktop.PolicyKit1.Authority.CheckAuthorization">CheckAuthorization()</link>
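Review bot: Grammar in the new DO item: "modify important system's behavior for other users" should be "modify important system behavior for other users". The parenthetical "the single user is typically configured as a polkit administrator" is distribution-dependent (it holds only where the admin-identity rules grant it, e.g. to the first user or a wheel/sudo group), so qualify it with "on most distributions" or name the mechanism so developers do not assume auth_admin always degrades to auth_self on desktops.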
@@ -261,8 +279,10 @@
that can be used together with
<ulink url="http://developer.gnome.org/gtk3/unstable/GtkLockButton.html"><type>GtkLockButton</type></ulink>.
Note that for <type>GtkLockButton</type> to work well, the
- polkit action backing it should use <literal>auth_admin_keep</literal> or
- <literal>auth_self_keep</literal> for its implicit authorizations.
+ polkit action backing it should use <literal>auth_admin_keep</literal>
+ for its implicit authorizations (or more rarely
+ <literal>auth_self_keep</literal> for services which don't affect other
+ users).
This is often used to implement an <ulink
url="http://developer.gnome.org/hig-book/3.2/hig-book.html#windows-instant-apply">instant
apply</ulink> paradigm whereby the user
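Review bot: The parenthetical exception "(or more rarely auth_self_keep for services which don't affect other users)" could be read as covering anything user-scoped; tie it back to the criteria given earlier in the same document (must not change system behavior for other users and must not expose other users' private data) so the two passages give one consistent test.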
commit 31b138d17f259f2d06a86dbbd31202ef43dbfa41
Author: Miloslav Trmač <mitr at redhat.com>
Date: Thu Feb 14 14:48:20 2013 +0100
Use auth_admin* instead of auth_self* in examples
From time to time, application developers just copy example
configuration without examining it in details. Because polkit is
typically used to control access to system-level operations, the policy
(and therefore the examples) should limit access to system
administrators only.
diff --git a/docs/man/polkit.xml b/docs/man/polkit.xml
index aaac4f4..f8b4849 100644
--- a/docs/man/polkit.xml
+++ b/docs/man/polkit.xml
@@ -913,7 +913,7 @@ polkit.addRule(function(action, subject) {
polkit.addRule(function(action, subject) {
if (action.id == "org.freedesktop.policykit.exec" &&
action.lookup("program") == "/usr/bin/cat") {
- return polkit.Result.AUTH_SELF;
+ return polkit.Result.AUTH_ADMIN;
}
});
]]></programlisting>
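Review bot: Only the return value in the /usr/bin/cat example rule is changed here; check that the prose around this programlisting (not in the hunk) still describes the rule correctly, since text that explains the example as "requires the user to authenticate as themselves" would now contradict AUTH_ADMIN. A quick grep of the file for remaining AUTH_SELF occurrences would confirm the examples are consistent.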
diff --git a/docs/polkit/overview.xml b/docs/polkit/overview.xml
index 8d22570..fb14e50 100644
--- a/docs/polkit/overview.xml
+++ b/docs/polkit/overview.xml
@@ -261,8 +261,8 @@
that can be used together with
<ulink url="http://developer.gnome.org/gtk3/unstable/GtkLockButton.html"><type>GtkLockButton</type></ulink>.
Note that for <type>GtkLockButton</type> to work well, the
- polkit action backing it should use <literal>auth_self_keep</literal> or
- <literal>auth_admin_keep</literal> for its implicit authorizations.
+ polkit action backing it should use <literal>auth_admin_keep</literal> or
+ <literal>auth_self_keep</literal> for its implicit authorizations.
This is often used to implement an <ulink
url="http://developer.gnome.org/hig-book/3.2/hig-book.html#windows-instant-apply">instant
apply</ulink> paradigm whereby the user
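Review bot: Swapping the order of auth_admin_keep and auth_self_keep in an "A or B" sentence does not communicate a preference to the reader; if the intent is that auth_admin_keep is the default choice, say so explicitly rather than relying on ordering. (The later commit on this branch does exactly that, so this hunk could have been folded into it.)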
diff --git a/src/examples/org.freedesktop.policykit.examples.pkexec.policy.in b/src/examples/org.freedesktop.policykit.examples.pkexec.policy.in
index 049c024..eab7729 100644
--- a/src/examples/org.freedesktop.policykit.examples.pkexec.policy.in
+++ b/src/examples/org.freedesktop.policykit.examples.pkexec.policy.in
@@ -13,7 +13,7 @@
<defaults>
<allow_any>no</allow_any>
<allow_inactive>no</allow_inactive>
- <allow_active>auth_self_keep</allow_active>
+ <allow_active>auth_admin_keep</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.exec.path">/usr/bin/pk-example-frobnicate</annotate>
</action>
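Review bot: Changing allow_active from auth_self_keep to auth_admin_keep is a behavior change for the shipped example: non-administrator users in active sessions will now be prompted for an administrator password to run pk-example-frobnicate instead of their own. That is the intended hardening, but it deserves a NEWS entry, and any description/message strings in this policy file that mention authenticating "as yourself" should be checked and updated to match.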