policy library landed...
David Zeuthen
david at fubar.dk
Sun Feb 26 16:14:15 PST 2006
Hey,
So, I rambled sometime ago about that we need to streamline what a user
is allowed to do what and so forth, see
http://lists.freedesktop.org/archives/hal/2006-January/004377.html
I've now checked in the first part of this work; there's a library
libhal-policy with a pretty simple interface
http://webcvs.freedesktop.org/hal/hal/libhal-policy/libhal-policy.h?view=markup
that is extensible insofar that we can add more than just uid and gid to
match on. Things like SELinux security context etc. etc. comes to mind.
Maybe we should also add some checks on whether the user is at the
console; I dunno really.. in Fedora at least we won't let users not at
the console near.. anyho, it's extensible.. we can add this later :-)
As it is important that this library is flawless I've checked in a test
suite that is executed on 'make check' [1]... I'd appreciate if someone
can take a look at both the code and how comprehensive the test suite
is.. it should be pretty bullet proof, but, eh, I wrote almost all of
the code yesterday.. so there may be bugs.. please review.. Thanks..
Also, I've added a simple command line interface to this library,
hal-policy-is-privileged, that is to be used from scripts.. e.g. from
hal-system-power-hibernate one would simply do
hal-policy-is-privileged --uid $HAL_METHOD_INVOKED_BY_UID \
--policy power-hibernate
IS_PRIVILEGED=$?
if [ "$IS_PRIVILEGED" != "0" ] ; then
<bail out and throw PermissionDenied or something>
fi
or something.
Finally, I've added configuration files for the following policies.. It
is easiest described by the snippet in [2]. Does this look about right?
I think so...
Now to patch our shell scripts to use this and then to write missing
pieces of libhal-policy and UI bits as described in the link above :-)
Comments welcome.
David
[1] : I've also disabled the hald test suite for now as it is currently
broken :-/
[2] :
[davidz at daxter ~]$ for i in /etc/hal/policy/*.policy ; do echo policy
$i\:; cat $i; echo ===EOF===; done
policy /etc/hal/policy/power-hibernate.policy:
# who is allowed to suspend the machine to disk
[Policy]
Allow=uid:__all__
Deny=
===EOF===
policy /etc/hal/policy/power-poweroff.policy:
# who is allowed to power off the machine
[Policy]
Allow=uid:__all__
Deny=
===EOF===
policy /etc/hal/policy/power-reboot.policy:
# who is allowed to reboot the machine
[Policy]
Allow=uid:__all__
Deny=
===EOF===
policy /etc/hal/policy/power-suspend.policy:
# who is allowed to suspend the machine to RAM
[Policy]
Allow=uid:__all__
Deny=
===EOF===
policy /etc/hal/policy/storage-fixed-mount-change-uid.policy:
# who is allowed to mount volumes from fixed drives and claim file
ownership
[Policy]
Allow=
Deny=
===EOF===
policy /etc/hal/policy/storage-fixed-mount.policy:
# who is allowed to mount volumes from fixed drives
[Policy]
Allow=
Deny=
===EOF===
policy /etc/hal/policy/storage-removable-mount-change-uid.policy:
# who is allowed to mount volumes from removable drives and claim file
ownership
[Policy]
Allow=uid:__all__
Deny=
===EOF===
policy /etc/hal/policy/storage-removable-mount.policy:
# who is allowed to mount volumes from fixed drives
[Policy]
Allow=uid:__all__
Deny=
===EOF===
More information about the hal
mailing list