david at fubar.dk
Mon Mar 13 23:10:39 PST 2006
I just committed a lot of code to PolicyKit
- Implement a system-wide daemon, polkitd
- Change suffix from .policy to .privilege and use the directory
  /etc/PolicyKit/privilege.d instead of /etc/PolicyKit/policy
- Move all queries by libpolkit to ask polkitd instead of looking in
  - Need this because we may not want to expose to any user what
    privileges other users have
- New tool polkit-list-privileges; lists what privileges a user has
    resource xserver://:0.0 privilege desktop-console
- New tool polkit-grant-privilege that speaks to polkitd and does
  PAM over D-BUS to authenticate the user
    $ polkit-grant-privilege -p hal-storage-fixed-mount \
    Authentication needed for user 'root' in order to grant the
    privilege 'hal-storage-fixed-mount' to user 'davidz' for the
    The privilege is configured to use PAM service 'policy-kit'.
  (yes, this works with pam_rps and stacked stuff too!)
- polkit-is-privileged now takes an optional PID parameter since one
  can confine a granted privilege to a specific PID
I've also updated HAL CVS HEAD to use PolicyKit CVS HEAD; you need to
build, install and run polkitd. Still need to fix HAL to export the PID
of the sender to methods though.
There are some OS/distro specific bits, of course, initscript and what
pam file to include by default (e.g. on Fedora we include system-auth, I
believe this is common-* on SUSE). Vendors, please send patches!
If you can't get this to work by building from CVS feel free to ask on
1. Write up a nice spec about how all this works since it can be
   a bit confusing
2. Refine the .privilege file format so e.g. user 'foo' is always
   allowed to grant privilege 'bar' to other users. Also other stuff.
3. Make polkitd emit signals on an interface such that privileged apps
   can be notified when privileges are granted and revoked. Also export
   other useful query operations.
4. Make polkit-grant-privilege capable of granting privs permanently
5. Write polkit-revoke-privilege
6. Make polkit-list-privileges and polkit-is-privileged display if a
   privilege is granted permanently or temporarily. Also display if it's
   confined to a certain PID.
7. Factor out auth code in polkit-is-privileged into a GObject and put
   it in a libpolkit-gobject library (since the interaction is pretty
   hairy (see interaction diagram in polkitd/polkit-session.c) I will
   not put this in libpolkit as I want to use the glib bindings and
   these require the glib main loop => not suitable for Qt etc.)
8. Write some man pages
9. Write libpolkit-gnome that GNOME apps can consume
10. Implement D-BUS interfaces suitable for a GUI privilege editor
11. Write more tests; audit code
12. Much more stuff, stay tuned! :-)
Notably implementing 2. and 3. enables us to solve the problem that I
mentioned here http://blog.fubar.dk/?p=63 - the login manager (e.g. gdm)
will simply grant the user the temporary privilege desktop-console on
the resource xserver://:0.0 when a user logs in. Then a privileged
process ServiceKit (!) will listen for this and manage the life cycle of
policy daemons such as g-p-m, nm-applet and so forth.
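The grant semantics the mail sketches (a privilege optionally tied to a resource such as xserver://:0.0, optionally confined to one PID as polkit-is-privileged's new PID parameter implies, and listings answered only for the requesting user or root, which is why queries are routed through polkitd) can be captured in a small model. This is an added illustration, not PolicyKit code; the class and method names (PrivilegeStore, grant, is_privileged, list_privileges, process_exited, end_session) are hypothetical, the expiry rules for temporary and PID-confined grants are assumptions the mail does not spell out, and the users and PIDs are constructed sample values.

```python
"""Toy model of the privilege-grant semantics described in the mail.

Added illustration, not PolicyKit code. Names are hypothetical and the
expiry rules (process_exited, end_session) are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class Grant:
    user: str
    privilege: str
    resource: Optional[str]  # None: not tied to a particular resource
    pid: Optional[int]       # None: any process of `user`; else confined
    permanent: bool          # False: temporary (dropped by end_session)


class PrivilegeStore:
    """Stand-in for the table a daemon such as polkitd would consult."""

    def __init__(self) -> None:
        self._grants: Set[Grant] = set()

    def grant(self, user: str, privilege: str, resource: Optional[str] = None,
              pid: Optional[int] = None, permanent: bool = False) -> None:
        self._grants.add(Grant(user, privilege, resource, pid, permanent))

    def is_privileged(self, user: str, privilege: str,
                      resource: Optional[str] = None,
                      pid: Optional[int] = None) -> bool:
        """Does `user` hold `privilege` on `resource`, as seen from `pid`?"""
        for g in self._grants:
            if g.user != user or g.privilege != privilege:
                continue
            # A grant tied to a resource matches only that resource.
            if g.resource is not None and g.resource != resource:
                continue
            # A PID-confined grant matches only that PID; a query that
            # supplies no PID cannot use a confined grant at all.
            if g.pid is not None and g.pid != pid:
                continue
            return True
        return False

    def list_privileges(self, requester: str, target: str) -> List[str]:
        """Only the user themself (or root) may see what a user holds."""
        if requester not in (target, "root"):
            raise PermissionError(
                f"{requester} may not list {target}'s privileges")
        rows = []
        ordered = sorted(self._grants,
                         key=lambda g: (g.privilege, g.resource or ""))
        for g in ordered:
            if g.user != target:
                continue
            scope = []
            if g.resource:
                scope.append(f"resource {g.resource}")
            if g.pid is not None:
                scope.append(f"pid {g.pid}")
            scope.append("permanent" if g.permanent else "temporary")
            rows.append(f"{g.privilege} ({', '.join(scope)})")
        return rows

    def process_exited(self, pid: int) -> None:
        """Assumed rule: a grant confined to a PID dies with that PID."""
        self._grants = {g for g in self._grants if g.pid != pid}

    def end_session(self, user: str) -> None:
        """Assumed rule: temporary grants do not outlive the session."""
        self._grants = {g for g in self._grants
                        if g.user != user or g.permanent}


def demo() -> PrivilegeStore:
    """The two grants from the mail, on constructed sample values."""
    store = PrivilegeStore()
    # Login manager grants desktop-console on the display (temporary).
    store.grant("davidz", "desktop-console", resource="xserver://:0.0")
    # The polkit-grant-privilege example, confined to one sample PID.
    store.grant("davidz", "hal-storage-fixed-mount", pid=4242)
    return store


if __name__ == "__main__":
    s = demo()
    for line in s.list_privileges("davidz", "davidz"):
        print(line)
```

The point the model makes visible is the third argument of is_privileged: a caller that cannot name its PID never benefits from a confined grant, and a different PID of the same user is refused, so a privilege granted for one helper process does not leak to every process the user runs.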
More information about the hal