libhal-policy -> PolicyKit

Ludwig Nussel ludwig.nussel at suse.de
Wed Mar 8 02:46:04 PST 2006


On Wednesday 08 March 2006 10:19, David Zeuthen wrote:
> It's a bit convoluted, but this is the idea. Assume we have a method
> Format() on hal - the PolicyKit configuration for the privilege "format
> a drive" is
> 
>  Allow=uid:0 uid:polkit
>  Deny=
> 
> which means that only uid 0 and the polkit user can invoke it. Everyone
> else gets PermissionDeniedByPolicy. This is no big deal as the user
> 'polkit' is a system user and has the shell /sbin/nologin.
> 
> Now assume I'm logged in as uid 500 and gnome-format (doesn't exist yet)
> invokes Format() - we get the PermissionDeniedByPolicy exception because
> we are uid 500. Now gnome-format puts up a dialog asking for the root
> password. Once that is obtained it invokes 'polkit-su -c
> "gnome-format-su-helper -a <someArg> ..."' and writes the root password
> on stdin or maybe on fd 3. We will have to define a sane protocol, since
> it is likely we want to pass data to gnome-format-su-helper on stdin
> too. This is all doable though it's probably hairy.
> 
> Now polkit-su checks the password (via PAM or /etc/shadow) and if it's
> correct it becomes user 'polkit' and execs gnome-format-su-helper. The
> gnome-format-su-helper now runs as uid 'polkit' and invokes Format() on
> HAL. This succeeds because of the policy above.

Let me modify the script.

I'm logged in as uid 500 and gnome-format invokes Format() - we get
the PermissionDeniedByPolicy exception because we are uid 500. The
exception contains the information that
'storage-format-removable-drives' permission is needed. Now
gnome-format talks to an authentication agent asking for
'storage-format-removable-drives' permissions. The agent puts up a
dialog asking for the root password[1]. After a successful
conversation gnome-format calls Format() again and succeeds.

The mysterious authentication agent could in fact be a library or
program talking to some daemon or setuid program like polkit-su. The
difference is that the agent doesn't exec any helper that talks to
hald on behalf of the user. It just modifies the policy. For
granting one-time permissions some kind of cookie could be used.
Therefore you don't need to develop an additional protocol for
talking to gnome-format-su-helper as gnome-format-su-helper isn't
needed.

cu
Ludwig

1) if PAM is involved it may request other credentials so a model that is
restricted to 'pass password via fd' is insufficient.

-- 
 (o_   Ludwig Nussel
 //\   SUSE LINUX Products GmbH, Development
 V_/_  http://www.suse.de/
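As an added example (not code from this thread, from HAL or from PolicyKit), the following Python model plays through the flow Ludwig describes: the service refuses with an exception that names the missing privilege, the client hands that name to an authentication agent, the agent runs a credential conversation and, on success, only modifies the policy by issuing a one-time cookie bound to the caller's uid and the privilege, and the client retries. The policy text is the Allow=/Deny= block quoted from David's mail. Everything else (the PolicyStore, AuthenticationAgent and Hal classes, the PASSWD map, the constructed root secret and the cookie format) is an assumption made for this example.

```python
import hmac
import secrets

# Constructed stand-in for /etc/passwd (assumption): resolves the names used
# in the quoted policy ("uid:polkit") to numeric uids.
PASSWD = {"root": 0, "polkit": 101, "ludwig": 500}

# Constructed stand-in for the PAM / /etc/shadow check (assumption).
ROOT_PASSWORD = "constructed-root-secret"

PRIVILEGE = "storage-format-removable-drives"


class PermissionDeniedByPolicy(Exception):
    """Refusal from the service; carries the name of the missing privilege."""

    def __init__(self, privilege):
        super().__init__("privilege '%s' required" % privilege)
        self.privilege = privilege


def parse_uid_list(value):
    """Turn 'uid:0 uid:polkit' into a set of numeric uids."""
    uids = set()
    for token in value.split():
        kind, _, who = token.partition(":")
        if kind != "uid":
            raise ValueError("unsupported policy token: " + token)
        uids.add(int(who) if who.isdigit() else PASSWD[who])
    return uids


class PolicyStore:
    """Allow/Deny lists per privilege plus one-time cookies issued by the agent."""

    def __init__(self):
        self.rules = {}    # privilege -> (allow set, deny set)
        self.cookies = {}  # cookie -> (uid, privilege)

    def load(self, privilege, text):
        allow, deny = set(), set()
        for line in text.splitlines():
            key, _, value = line.strip().partition("=")
            if key == "Allow":
                allow = parse_uid_list(value)
            elif key == "Deny":
                deny = parse_uid_list(value)
        self.rules[privilege] = (allow, deny)

    def grant_once(self, uid, privilege):
        """Issue an unguessable cookie bound to one uid and one privilege."""
        cookie = secrets.token_hex(16)
        self.cookies[cookie] = (uid, privilege)
        return cookie

    def check(self, uid, privilege, cookie=None):
        allow, deny = self.rules[privilege]
        if uid in deny:  # an explicit Deny always wins
            return False
        if uid in allow:
            return True
        # A one-time grant is consumed on first use and only matches the
        # uid it was issued to, so it cannot be replayed or passed around.
        if cookie is not None and self.cookies.get(cookie) == (uid, privilege):
            del self.cookies[cookie]
            return True
        return False


class AuthenticationAgent:
    """Runs the credential conversation and on success changes the policy
    (here: grants a cookie). It never calls Format() on the user's behalf.
    The conversation is a callback, so PAM could ask for more than a password."""

    def __init__(self, store):
        self.store = store

    def obtain(self, uid, privilege, converse):
        answer = converse("root password: ")
        if not hmac.compare_digest(answer.encode(), ROOT_PASSWORD.encode()):
            return None
        return self.store.grant_once(uid, privilege)


class Hal:
    """The privileged service: every Format() call is checked against policy."""

    def __init__(self, store):
        self.store = store

    def Format(self, uid, device, cookie=None):
        if not self.store.check(uid, PRIVILEGE, cookie):
            raise PermissionDeniedByPolicy(PRIVILEGE)
        return "formatted " + device


def gnome_format(hal, agent, uid, device, converse):
    """Client: call, read the missing privilege from the exception, ask the
    agent for it, retry with the cookie. Returns 'denied:<privilege>' on failure."""
    try:
        return hal.Format(uid, device)
    except PermissionDeniedByPolicy as denied:
        cookie = agent.obtain(uid, denied.privilege, converse)
        if cookie is None:
            return "denied:" + denied.privilege
        return hal.Format(uid, device, cookie)


def build():
    """Wire up a store loaded with the policy quoted from David's mail."""
    store = PolicyStore()
    store.load(PRIVILEGE, "Allow=uid:0 uid:polkit\nDeny=")
    return store, Hal(store), AuthenticationAgent(store)


if __name__ == "__main__":
    store, hal, agent = build()
    print(gnome_format(hal, agent, PASSWD["root"], "/dev/sdb1", lambda p: ""))
    print(gnome_format(hal, agent, 500, "/dev/sdb1", lambda p: ROOT_PASSWORD))
    print(gnome_format(hal, agent, 500, "/dev/sdb1", lambda p: "wrong"))
```

The point the model makes concrete is the one in the reply: because the agent only changes what the policy says about uid 500, nothing ever runs as 'polkit' on the user's behalf and no stdin/fd protocol to a helper is needed; the only state that crosses the boundary is the cookie, which the service consumes on first use.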
