Status of Policy Kit

Sayamindu Dasgupta sayamindu at gmail.com
Tue May 1 15:08:20 PDT 2007


Hi,
Wow - thanks for that long and informative response, and I should
probably apologise for my late reply :-)


On 4/26/07, David Zeuthen <david at fubar.dk> wrote:
> On Wed, 2007-04-25 at 19:32 +0530, Sayamindu Dasgupta wrote:
> > Hello everyone,
> > I am working on extending the GNOME lockdown framework as a part of my
> > Google SoC project[1], and I was wondering if someone could tell me
> > what the status of PolicyKit and the associated GUI as outlined in
> > http://lists.freedesktop.org/archives/hal/2006-January/004377.html is.
>
> So, what happened was that, about four weeks ago, I started rewriting
> all the PolicyKit stuff from scratch. Most of the core stuff is already
> there and working. I haven't, yet, gotten down to writing a big document
> explaining how it works, what it does, why it's needed etc. etc. But am
> planning to start on that aspect this week; will reply to this thread
> once I have something. Sounds OK?

Yes - definitely :-)

>
> Regarding the GUI work right now I have working dialogs like these
>
>  http://people.freedesktop.org/~david/polkit-shutdown-multiple.png
>  http://people.freedesktop.org/~david/polkit-mount-fixed.png
>

Looks cool!!

> that are triggered by a session-wide D-Bus service; e.g. applications
> (like gnome-mount) that are told by e.g. HAL that a certain method cannot
> be invoked (because HAL says libpolkit doesn't say 'yes') just call
> into org.gnome.PolicyKit and the session daemon (possibly activated)
> handling that service prompts the user for authentication. This is in the
> PolicyKit-gnome project; it's not yet in GNOME SVN but will be shortly
> as gnome-mount and other stuff is going to depend on it.
>
> Also, I'm going to write another piece of UI for configuring actions/
> policy akin to e.g. this mockup
>
> > +------------------------------------------------+
> > | The following users and groups are allowed to  |
> > | mount the volume 'Dave's USB key':             |
> > |      +-------------------------------+         |
> > |      | U dave                       ^|         |
> > |      | U dogbert                    ||         |
> > |      | G coolkids                   V|         |
> > |      +-------------------------------+         |
> > |       [Delete] [Add Group] [Add User]          |
> > |                                                |
> > | The following users and groups are not allowed |
> > | to mount the volume 'Dave's USB key':          |
> > |      +-------------------------------+         |
> > |      | U bert                       ^|         |
> > |      | U osama                      ||         |
> > |      | G lamers                     V|         |
> > |      +-------------------------------+         |
> > |       [Delete] [Add Group] [Add User]          |
> > |                                                |
> > |                                        [Close] |
> > +------------------------------------------------+
>
> and others from the 2006 "ramblings about privileges" mail. It's not
> going to look exactly like this but will provide the same functionality.
>


Sounds good. I have a question however. Will it be possible to
integrate this dialog into Sabayon in any way? We are working on
making Sabayon the deployers' Swiss army knife of sorts, and
during the 2.20 release cycle, we'll be merging Pessulus and Sabayon
into one single source tree (the two tools are already integrated).
So it might be a nice idea if the administrator can access this tool
from Sabayon itself (maybe via Tools->Set Systemwide Action Policy or
something like that).



> I think it might be worth mentioning where I draw the line between what
> needs to be handled through PolicyKit and what should be handled by the
> GNOME lockdown framework.
>
> Basically, my view is that every privileged operation [1] that is
> offered through the desktop, needs to be able to be locked down. This
> ideally needs to happen through a secure centralized framework and
> PolicyKit is my answer to that.

I totally agree.

>
> I note that you are using the term "GNOME lockdown". This is a very
> broad and slightly confusing term. I presume that you're mostly
> referring to the gconf feature called "mandatory settings", e.g. the act
> of tagging a preference item in the gconf database such that the user
> cannot override the value. Did you have anything else than gconf
> mandatory settings in mind?

Oops - sorry. I should have made my mail a bit clearer. My SoC
project covers both lockdown and "deployability" aspects of GNOME. To
be more specific, one of my defined deliverables is to restrict file
system access in the file manager as well as at the gtk+ filechooser level,
e.g., as you said, restricting the user only to $HOME. (I already have a
spec for this - I'll be publishing it very soon).
The place I am currently kind of stuck is how to handle removable
devices. As far as my understanding goes (and my mentor agrees with me
as well), it would be best to leave removable devices to HAL, and the
policy that is defined via PolicyKit. However, I am a bit lost on how to
actually implement this (as I am clueless about HAL) - but I am trying
to figure it out :-). One of the ideas is that if the path filtering
code in Nautilus/GTK+ Filechooser comes across a path that is on a
removable device, it lets the user access it, assuming that the
relevant policy has already been applied to the device. The part that
I am yet to figure out is how to find out that the path actually
points to a removable device :-).

I agree with you entirely that lockdown stuff like mandatory desktop
settings (affecting mostly the cosmetic aspects of the desktop and
the functionality of the desktop) and administrative policy stuff, i.e.
where the entire system, especially at the hardware level, should be
kept separate, and that the low (hardware) level policy defining mechanism
should never be dependent on GConf.
I would be glad to be of help in the GUI tools that you work on -
please let me know if you need a hand :-). I am also working on a
guide for large scale GNOME deployments (basically documenting tools
like Sabayon, Pessulus, etc.), and I think it will be a good idea to
include the "hardware policy configurator" in the list of apps as
well.

Have a nice day, and thanks a lot again,
Sayamindu

PS: If I did not make any sense, please do tell me, and I'll try to
refactor my reply. I tend to write in a confused and jumbled fashion.


-- 
Sayamindu Dasgupta
[http://sayamindu.randomink.org/ramblings]
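As an added illustration of the path-filtering idea discussed in the mail (example code written here, not code from the mail, Sabayon or Nautilus): a lockdown check that allows paths under $HOME plus paths that sit on a removable device. Instead of asking HAL, it assumes the Linux /proc/mounts format and the /sys/block/<disk>/removable flag, and takes both as constructed sample data so it runs offline; the sdX-to-disk naming shortcut is an assumption of the example.

```python
import os
from pathlib import PurePosixPath

# Constructed sample of /proc/mounts (not from the mail): root fs, a
# separate /home partition, and a USB key mounted under /media.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext3 rw 0 0
/dev/sda2 /home ext3 rw 0 0
/dev/sdb1 /media/usbkey vfat rw 0 0
"""

# Constructed stand-in for the contents of /sys/block/<disk>/removable.
SAMPLE_REMOVABLE = {"sda": "0", "sdb": "1"}


def parse_mounts(text):
    """Return (mount_point, device) pairs, longest mount point first, so a
    nested mount such as /home wins over / when a path is matched."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            # /proc/mounts escapes spaces in mount points as \040
            entries.append((parts[1].replace("\\040", " "), parts[0]))
    entries.sort(key=lambda e: len(e[0]), reverse=True)
    return entries


def mount_of(path, mounts):
    """Find the (mount_point, device) holding an absolute path, or None."""
    p = PurePosixPath(os.path.normpath(path))
    for mount_point, device in mounts:
        mp = PurePosixPath(mount_point)
        if p == mp or mp in p.parents:
            return mount_point, device
    return None


def is_removable(device, removable_flags):
    """/dev/sdb1 -> sdb (assumes classic sdX naming), then look up the flag."""
    disk = os.path.basename(device).rstrip("0123456789")
    return removable_flags.get(disk, "0").strip() == "1"


def path_allowed(path, home, mounts, removable_flags):
    """Lockdown rule from the mail: allow anything under $HOME, plus anything
    on a removable device, whose policy is assumed to be enforced elsewhere."""
    p = PurePosixPath(os.path.normpath(path))   # neutralises ".." segments
    h = PurePosixPath(home)
    if p == h or h in p.parents:
        return True
    found = mount_of(path, mounts)
    return found is not None and is_removable(found[1], removable_flags)
```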


More information about the hal mailing list