PolicyKit plans (Re: volume.ignore vs mount privilege)

David Zeuthen david at fubar.dk
Mon Sep 25 10:17:27 PDT 2006


On Mon, 2006-09-25 at 09:53 -0700, Artem Kachitchkine wrote:
> > Right. I'm happy to remove this restriction of HAL's Mount() obeying
> > volume.ignore once PolicyKit 0.3 is out (am working on it atm). Does
> > that sound good?
> 
> Sounds good. BTW, what exactly should we expect in 0.3? I'm a little nervous 
> because we're not using polkitd right now, only libpolkit reimplemented on top 
> of Solaris RBAC (role based access control) and frankly would like to keep it 
> that way. Pointing to an earlier post that I missed would work, too.

I don't plan on breaking the D-Bus API / libpolkit API too much, I think
the model with hald, NetworkManager etc. asking polkitd (via e.g.
libpolkit or whatever) 

 "Is the caller with the system bus connection XYZ privileged to do ABC
  on resource FOO?"

 (with XYZ being e.g. :1.42, ABC being hal-storage-mount-fixed, and
  FOO being e.g. hal:///org/fd/Hal/devices/volume_uuid_1234)

is the way ahead. 

You can still plug in your own back end, which I guess you'll need to at
some point unless you make sure everything (which is only HAL right now)
using PolicyKit is using libpolkit.

I do plan on changing the way the privilege descriptors work so it's
easier to specify a policy

[example: just looking at 

 http://webcvs.freedesktop.org/hal/PolicyKit/doc/spec/polkit-spec.html?revision=1.7#id2992592

is painful. I'm not even sure how it works myself, e.g. it's not clear
in what order the Allow, Deny etc. are processed. That needs to be fixed
so it's easy to understand and possibly more flexible. 

One idea I'm toying around with is having the privilege descriptor pass
the location to an executable and make that make the decision. This
needs to be used judiciously though since it will render UI tools for
editing the policy impossible to write. 

Then again, some policy may be very hard to define and require the
Allow, Deny etc. to be insanely complicated, for example thinking about
NetworkManager requirements (what users are allowed to connect to what
wireless networks) led me down this path.]

I'll mail the list about that when I've given it more thought.

For polkit 0.4 I plan to do the bits for making desktop apps gain
privileges through authentication so there will be a few more D-Bus
methods on polkitd itself. This of course won't work without a PolicyKit
daemon but I suppose I can make it optional in the build if you like.
Then I'll do a gnome-mount that uses this.

With these bits, I plan for the default behavior of gnome-mount to be
that it asks you to authenticate when mounting a fixed disk (cf. the
volume.ignore discussion).

For 0.5 I plan to have the bits ready to enable a UI editor for
specifying privileges (not too much I think), e.g. to do crazy talk
things like this

+------------------------------------------------+
|  ( ) No user can mount fixed drives            |
|  ( ) Any user can mount fixed drives           |
|  (*) Restrict mounting of fixed drives to      |
|      the following users and groups:           |
|      +-------------------------------+         |
|      | U davidz                     ^|         |
|      | U dilbert                    ||         |
|      | G admins                     ||         |
|      | G releng                     V|         |
|      +-------------------------------+         |
|       [Delete] [Add Group] [Add User]          |
|                                                |
|  ( ) No one can mount removable drives         |
|  ( ) Any user can mount removable drives       |
|  (*) Restrict mounting of removable drives to  |
|      the following users and groups:           |
|      +-------------------------------+         |
|      | U jane                       ^|         |
|      | U john                       ||         |
|      | G admins                     ||         |
|      | G secretaries                V|         |
|      +-------------------------------+         |
|       [Delete] [Add Group] [Add User]          |
|                                                |
| This policy is overridden for the following    |
| drives and volumes:                            |
|      +-------------------------------+         |
|      | 'Dave's USB key'             ^|         |
|      | 'Financial Data Backup'      ||         |
|      |                              V|         |
|      +-------------------------------+         |
|                 [Delete] [Properties]          |
|                                                |
| [ ] Never ask user for password if not         |
|     privileged to mount a drive                |
|                                                |
|                                        [Close] |
+------------------------------------------------+

that I talked about back in January, e.g.

 http://lists.freedesktop.org/archives/hal/2006-January/004377.html

though I do expect the UI to change a bit.

When we have this I expect PolicyKit to be feature complete and will do
a 1.0 when all is good etc.

There's also some talk of replacing the pam-polkit thing in PolicyKit
with the ConsoleKit stuff I mentioned if / when that surfaces (and there
are good chances it will). That's more of an implementation detail
though, I only expect that it will change how we assign the
desktop-console privilege and the introduction of a new
desktop-console-active privilege.

So, this is pretty much my plan. How does that sound?

     David
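The question the mail puts at the centre of the model, "is the caller with system bus connection XYZ privileged to do ABC on resource FOO?", together with the per-user/per-group restriction and per-volume override shown in the mock-up, can be written down as a small evaluator. The code below is an added example, not PolicyKit's own code or David's design as implemented; it assumes a privilege name hal-storage-mount-removable by analogy with hal-storage-mount-fixed, constructs the bus names, the group memberships and the second volume URI, and fixes one evaluation order (a per-resource override wins over the privilege default; an unknown caller, an unknown privilege or a malformed policy is denied) where the mail notes that the ordering of Allow/Deny is still undefined.

```python
# Added example (not PolicyKit's code): a toy answer to
# "is the caller with system bus connection XYZ privileged to do ABC on resource FOO?"
# Bus names, group memberships and the 'Dave's USB key' URI are constructed; the
# evaluation order (override first, then default, deny otherwise) is an assumption.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Principal:
    """Identity behind a bus connection: the uid and its group memberships."""
    user: str
    groups: FrozenSet[str]


@dataclass(frozen=True)
class PrivilegePolicy:
    """One privilege's policy, mirroring the three radio buttons in the mock-up."""
    mode: str                                  # "nobody" | "anybody" | "restricted"
    users: FrozenSet[str] = frozenset()        # only consulted when mode == "restricted"
    groups: FrozenSet[str] = frozenset()

    def allows(self, who: Principal) -> bool:
        if self.mode == "nobody":
            return False
        if self.mode == "anybody":
            return True
        if self.mode == "restricted":
            return who.user in self.users or bool(who.groups & self.groups)
        raise ValueError(f"unknown policy mode {self.mode!r}")  # malformed policy fails closed


@dataclass
class PolicyStore:
    defaults: Dict[str, PrivilegePolicy]               # privilege -> policy
    overrides: Dict[Tuple[str, str], PrivilegePolicy]  # (privilege, resource) -> policy
    connections: Dict[str, Principal]                  # bus name -> caller (the daemon would ask D-Bus)


def is_privileged(store: PolicyStore, caller: str, privilege: str, resource: str) -> bool:
    """Decide whether bus connection `caller` may exercise `privilege` on `resource`."""
    who: Optional[Principal] = store.connections.get(caller)
    if who is None:
        return False                                    # unknown connection: deny
    # Per-volume override (the "overridden for the following drives" list) beats the default.
    policy = store.overrides.get((privilege, resource), store.defaults.get(privilege))
    if policy is None:
        return False                                    # no policy at all for this privilege: deny
    return policy.allows(who)


FIXED = "hal-storage-mount-fixed"                       # privilege name from the mail
REMOVABLE = "hal-storage-mount-removable"               # assumed by analogy
VOLUME_1234 = "hal:///org/fd/Hal/devices/volume_uuid_1234"             # resource URI from the mail
DAVES_KEY = "hal:///org/fd/Hal/devices/volume_uuid_daves_usb_key"      # constructed

# Policy matching the mock-up: the two restricted lists plus one per-volume override.
STORE = PolicyStore(
    defaults={
        FIXED: PrivilegePolicy("restricted", frozenset({"davidz", "dilbert"}),
                               frozenset({"admins", "releng"})),
        REMOVABLE: PrivilegePolicy("restricted", frozenset({"jane", "john"}),
                                   frozenset({"admins", "secretaries"})),
    },
    overrides={
        (REMOVABLE, DAVES_KEY): PrivilegePolicy("restricted", frozenset({"davidz"})),
    },
    connections={                                       # constructed caller identities
        ":1.42": Principal("davidz", frozenset({"users"})),
        ":1.43": Principal("jane", frozenset({"secretaries"})),
        ":1.44": Principal("bob", frozenset({"admins"})),
        ":1.45": Principal("mallory", frozenset({"users"})),
    },
)


if __name__ == "__main__":
    for caller, priv, res in [(":1.42", FIXED, VOLUME_1234), (":1.43", FIXED, VOLUME_1234),
                              (":1.43", REMOVABLE, DAVES_KEY), (":1.99", FIXED, VOLUME_1234)]:
        print(f"{caller} {priv} {res}: {is_privileged(STORE, caller, priv, res)}")
```

The point a policy editor has to get right is the one the mail flags: the order in which rules are consulted must be stated, not left to whichever backend runs them, otherwise a per-volume override and a group rule can disagree and two backends (polkitd versus a libpolkit over Solaris RBAC) give different answers to the same question.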
