PolicyKit changes
David Zeuthen
david at fubar.dk
Mon Mar 13 23:10:39 PST 2006
Hi,
I just committed a lot of code to PolicyKit:

- Implement a system-wide daemon, polkitd

- Change suffix from .policy to .privilege and use the directory
  /etc/PolicyKit/privilege.d instead of /etc/PolicyKit/policy

- Move all queries by libpolkit to ask polkitd instead of looking in
  configuration files
  - Need this because we may not want to expose to any user what
    privileges other users have

- New tool polkit-list-privileges; lists what privileges a user has
  - example:

    $ polkit-list-privileges
    privilege hal-power-suspend
    privilege hal-storage-removable-mount-change-uid
    privilege hal-power-reboot
    resource xserver://:0.0 privilege desktop-console
    privilege hal-power-poweroff
    privilege hal-power-hibernate
    privilege hal-storage-removable-mount
    resource hal:///org/freedesktop/Hal/devices/volume_uuid_1234_5678 privilege hal-storage-fixed-mount

- New tool polkit-grant-privilege that speaks to polkitd and does
  PAM over D-BUS to authenticate the user
  - example:

    $ polkit-grant-privilege -p hal-storage-fixed-mount \
        -r hal:///org/freedesktop/Hal/devices/volume_uuid_1234_5678
    Authentication needed for user 'root' in order to grant the
    privilege 'hal-storage-fixed-mount' to user 'davidz' for the
    resource 'hal:///org/freedesktop/Hal/devices/volume_uuid_1234_5678'.
    The privilege is configured to use PAM service 'policy-kit'.
    Password:
    Authentication succeeded.

  (yes, this works with pam_rps and stacked stuff too!)

- polkit-is-privileged now takes an optional PID parameter since one
  can confine a granted privilege to a specific PID
I've also updated HAL CVS HEAD to use PolicyKit CVS HEAD; you need to build, install and run polkitd. Still need to fix HAL to export the PID of the sender to methods though.

There are some OS/distro specific bits, of course, initscript and what pam file to include by default (e.g. on Fedora we include system-auth, I believe this is common-* on SUSE). Vendors, please send patches!

If you can't get this to work by building from CVS feel free to ask on the list!
Next steps
1. Write up a nice spec about how all this works since it can be a bit confusing
2. Refine the .privilege file format so e.g. user 'foo' is always allowed to grant privilege 'bar' to other users. Also other stuff.
3. Make polkitd emit signals on an interface such that privileged apps can be notified when privileges are granted and revoked. Also export other useful query operations.
4. Make polkit-grant-privilege capable of granting privs permanently
5. Write polkit-revoke-privilege
6. Make polkit-list-privileges and polkit-is-privileged display if a privilege is granted permanently or temporarily. Also display if it's confined to a certain PID.
7. Factor out auth code in polkit-is-privileged into a GObject and put it in a libpolkit-gobject library (since the interaction is pretty hairy (see interaction diagram in polkitd/polkit-session.c) I will not put this in libpolkit as I want to use the glib bindings and these require the glib main loop => not suitable for Qt etc.)
8. Write some man pages
9. Write libpolkit-gnome that GNOME apps can consume
10. Implement D-BUS interfaces suitable for a GUI privilege editor
11. Write more tests; audit code
12. Much more stuff, stay tuned! :-)
Notably implementing 2. and 3. enables us to solve the problem that I mentioned here http://blog.fubar.dk/?p=63 - the login manager (e.g. gdm) will simply grant the user the temporary privilege desktop-console on the resource xserver://:0.0 when a user logs in. Then a privileged process ServiceKit (!) will listen for this and manage the life cycle of policy daemons such as g-p-m, nm-applet and so forth.
David
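The listing printed by polkit-list-privileges above has a simple two-shape grammar: a bare "privilege NAME" line is a system-wide grant, and a "resource URI privilege NAME" line is a grant confined to one resource. The following parser is an added example written for this page, not code from PolicyKit or from the mail's author; it assumes each entry occupies one whitespace-separated line (the wrapped resource line in the mail is treated as one line) and uses the announcement's own listing as constructed sample input. It lets a script answer "is privilege X granted, and only for which resource?" rather than grepping the text, which matters because a resource-bound grant such as desktop-console on xserver://:0.0 must not be read as a global one.

```python
"""Parse polkit-list-privileges output into (resource, privilege) records.

Added example for the PolicyKit announcement; assumes the 2006 listing format:
    privilege NAME
    resource URI privilege NAME
Lines that fit neither shape are rejected rather than silently skipped, so a
format change in the tool cannot be mistaken for "no privileges".
"""
import re

# Constructed sample: the listing shown in the announcement, one entry per line.
SAMPLE_OUTPUT = """\
privilege hal-power-suspend
privilege hal-storage-removable-mount-change-uid
privilege hal-power-reboot
resource xserver://:0.0 privilege desktop-console
privilege hal-power-poweroff
privilege hal-power-hibernate
privilege hal-storage-removable-mount
resource hal:///org/freedesktop/Hal/devices/volume_uuid_1234_5678 privilege hal-storage-fixed-mount
"""

# Optional "resource <uri>" prefix, then mandatory "privilege <name>".
_ENTRY_RE = re.compile(
    r"^(?:resource\s+(?P<resource>\S+)\s+)?privilege\s+(?P<privilege>\S+)$"
)


def parse_privileges(text):
    """Return a list of (resource, privilege) tuples.

    resource is None for a grant that is not bound to a specific resource.
    Raises ValueError on any line that does not match the expected grammar.
    """
    grants = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        match = _ENTRY_RE.match(line)
        if match is None:
            raise ValueError(f"line {lineno}: unrecognised entry {line!r}")
        grants.append((match.group("resource"), match.group("privilege")))
    return grants


def has_privilege(grants, privilege, resource=None):
    """True only if `privilege` is granted for exactly `resource`.

    A grant bound to a resource does not satisfy a query for the unbound
    (system-wide) form, and vice versa.
    """
    return (resource, privilege) in grants


def resources_for(grants, privilege):
    """Set of resource URIs on which `privilege` is granted (None = unbound)."""
    return {resource for resource, name in grants if name == privilege}


if __name__ == "__main__":
    parsed = parse_privileges(SAMPLE_OUTPUT)
    for resource, privilege in parsed:
        scope = resource if resource is not None else "(system-wide)"
        print(f"{privilege:45s} {scope}")
```

Feeding the parser real output (for example, piping polkit-list-privileges into it) is a one-line change; the strict regex is deliberate so that any future change in the listing format surfaces as an error instead of as an apparently empty privilege set.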