PolicyKit changes

David Zeuthen david at fubar.dk
Mon Mar 13 23:10:39 PST 2006


I just committed a lot of code to PolicyKit

 - Implement a system-wide daemon, polkitd

 - Change suffix from .policy to .privilege and use the directory  
   /etc/PolicyKit/privilege.d instead of /etc/PolicyKit/policy

 - Move all queries by libpolkit to ask polkitd instead of looking in
   configuration files
   - Need this because we may not want to expose to any user what
     privileges other users have

 - New tool polkit-list-privileges; lists what privileges a user has
   - example: 
                $ polkit-list-privileges
                privilege hal-power-suspend
                privilege hal-storage-removable-mount-change-uid
                privilege hal-power-reboot
                resource xserver://:0.0 privilege desktop-console
                privilege hal-power-poweroff
                privilege hal-power-hibernate
                privilege hal-storage-removable-mount
                privilege hal-storage-fixed-mount
 - New tool polkit-grant-privilege that speaks to polkitd and does
   PAM over D-BUS to authenticate the user
   - example:
                $ polkit-grant-privilege -p hal-storage-fixed-mount \
                  -r hal:///org/freedesktop/Hal/devices/volume_uuid_1234_5678
                Authentication needed for user 'root' in order to grant the
                privilege 'hal-storage-fixed-mount' to user 'davidz' for the
                resource 'hal:///org/freedesktop/Hal/devices/volume_uuid_1234_5678'.
                The privilege is configured to use PAM service 'policy-kit'.
                Authentication succeeded.
   (yes, this works with pam_rps and stacked stuff too!)

 - polkit-is-privileged now takes an optional PID parameter since one
   can confine a granted privilege to a specific PID

I've also updated HAL CVS HEAD to use PolicyKit CVS HEAD; you need to
build, install and run polkitd. Still need to fix HAL to export the PID
of the sender to methods though.

There are some OS/distro-specific bits, of course, initscript and what
PAM file to include by default (e.g. on Fedora we include system-auth, I
believe this is common-* on SUSE). Vendors, please send patches!

If you can't get this to work by building from CVS feel free to ask on
the list!

Next steps

 1. Write up a nice spec about how all this works since it can be
    a bit confusing

 2. Refine the .privilege file format so e.g. user 'foo' is always
    allowed to grant privilege 'bar' to other users. Also other stuff.

 3. Make polkitd emit signals on an interface such that privileged apps
    can be notified when privileges are granted and revoked. Also export
    other useful query operations.

 4. Make polkit-grant-privilege capable of granting privs permanently

 5. Write polkit-revoke-privilege

 6. Make polkit-list-privileges and polkit-is-privileged display if a
    privilege is granted permanently or temporarily. Also display if it's
    confined to a certain PID.

 7. Factor out auth code in polkit-is-privileged into a GObject and put
    it in a libpolkit-gobject library (since the interaction is pretty
    hairy (see interaction diagram in polkitd/polkit-session.c) I will
    not put this in libpolkit as I want to use the glib bindings and
    these require the glib main loop => not suitable for Qt etc.)

 8. Write some man pages

 9. Write libpolkit-gnome that GNOME apps can consume

10. Implement D-BUS interfaces suitable for a GUI privilege editor

11. Write more tests; audit code

12. Much more stuff, stay tuned! :-)

Notably, implementing 2. and 3. enables us to solve the problem that I
mentioned here http://blog.fubar.dk/?p=63 - the login manager (e.g. gdm)
will simply grant the user the temporary privilege desktop-console on
the resource xserver://:0.0 when a user logs in. Then a privileged
process ServiceKit (!) will listen for this and manage the life cycle of
policy daemons such as g-p-m, nm-applet and so forth.


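Added example (not code from this post, nor part of PolicyKit): a small Python parser for the two line shapes that appear in the polkit-list-privileges output above ("privilege <name>" and "resource <uri> privilege <name>"), plus a lookup that mirrors the question polkit-is-privileged answers. The sample text is copied from the output in the post. The resource-matching rule (a grant with no resource applies to any resource, a resource-bound grant only to that exact resource) and the choice to reject unrecognised lines outright rather than skip them are assumptions made here, not behaviour the post specifies.

```python
"""Parse polkit-list-privileges output and answer is-privileged queries.

Assumptions (not stated in the post):
  * a grant listed without a resource applies to any resource;
  * a grant listed with a resource applies only to that exact resource;
  * any line that is not one of the two known shapes is an error, because
    silently ignoring it could hide a grant from the caller.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the example output quoted in the post.
SAMPLE_OUTPUT = """\
privilege hal-power-suspend
privilege hal-storage-removable-mount-change-uid
privilege hal-power-reboot
resource xserver://:0.0 privilege desktop-console
privilege hal-power-poweroff
privilege hal-power-hibernate
privilege hal-storage-removable-mount
privilege hal-storage-fixed-mount
"""


@dataclass(frozen=True)
class Grant:
    privilege: str
    resource: Optional[str] = None  # None: not tied to a resource


def parse_privileges(text: str) -> List[Grant]:
    """Turn polkit-list-privileges output into a list of Grant records.

    Raises ValueError on any line that does not match a known shape.
    """
    grants: List[Grant] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] == "privilege" and len(fields) == 2:
            grants.append(Grant(privilege=fields[1]))
        elif (fields[0] == "resource" and len(fields) == 4
              and fields[2] == "privilege"):
            grants.append(Grant(privilege=fields[3], resource=fields[1]))
        else:
            raise ValueError(
                f"line {lineno}: unrecognised polkit-list-privileges "
                f"line: {line!r}")
    return grants


def is_well_formed(text: str) -> bool:
    """True if every non-blank line parses; False otherwise."""
    try:
        parse_privileges(text)
    except ValueError:
        return False
    return True


def is_privileged(grants: List[Grant], privilege: str,
                  resource: Optional[str] = None) -> bool:
    """Does the listed user hold `privilege`, optionally on `resource`?

    A grant without a resource matches any query for that privilege;
    a resource-bound grant matches only a query naming that resource.
    """
    for g in grants:
        if g.privilege != privilege:
            continue
        if g.resource is None or g.resource == resource:
            return True
    return False


if __name__ == "__main__":
    grants = parse_privileges(SAMPLE_OUTPUT)
    for g in grants:
        print(g)
    print(is_privileged(grants, "desktop-console", "xserver://:0.0"))
    print(is_privileged(grants, "desktop-console", "xserver://:1.0"))
```

The strictness in parse_privileges is deliberate: a consumer that tolerates an unknown line shape (say, a future "pid" field from item 6 above) could quietly treat a confined grant as an unconfined one, so failing loudly is the safer default until the format is specified.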