[packagekit] [PATCH] Allow plugins to override PolicyKit action IDs
Richard Hughes
hughsient at gmail.com
Tue Jul 16 02:51:09 PDT 2013

On 16 July 2013 01:11, Colin Watson <cjwatson at ubuntu.com> wrote:
> I've been putting together a PackageKit plugin for Click packages, as
> discussed recently on this list. I've got a fairly basic version almost
> entirely working, albeit with the PackageKit 0.7 series currently in
> Ubuntu (but porting to 0.8 shouldn't be hard, and I'm happy to do that
> when needed).

I think new backends probably should go through master and then be
backported if required if that's okay.

> There's one glitch, though, namely that this packaging system is
> intentionally designed to be usable by non-root users, and thus it ought
> to have different PolicyKit defaults.

Yup, that's pretty sane.

> Would it be reasonable to allow plugins to override the action ID, as in
> the attached patch? This seems like a fairly lightweight and general
> facility.

Right, in concept that makes sense, but would the click plugin work
like the listaller plugin i.e. process everything that's a click
package and leave the rest of the package_id's for the backend? In
which case it could open up a security problem if the user was to do
something like this:
InstallPackages("some-app;;;@click", "sshd;0.0.1;i386;fedora") -- if
the click plugin removed the auth-requirement for "some-app" then I
think that could lead to trouble as sshd would be installed without
auth. I thought this was exactly the thing the js policy was supposed
to allow us to solve, see
https://gitorious.org/packagekit/packagekit/blobs/master/policy/org.freedesktop.packagekit.rules
for an example.

Richard
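
The mixed-transaction concern raised above, as an added example that is not part of the original message and is not PackageKit or click plugin code: the relaxed action is chosen only when every package_id in the transaction belongs to the plugin. Assumptions: the `@click` data field from the `InstallPackages` example is what marks a plugin-handled id, and `com.example.click.package-install` is a hypothetical action ID.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Stock PackageKit install action; requires authentication by default. */
#define ACTION_DEFAULT "org.freedesktop.packagekit.package-install"
/* Hypothetical relaxed action a click plugin might register (assumption). */
#define ACTION_CLICK   "com.example.click.package-install"

/* Return the data field (4th ';'-separated part) of a package_id, or NULL
 * if the id does not have exactly four fields. */
static const char *package_id_data(const char *package_id)
{
    int seps = 0;
    const char *data = NULL;
    for (const char *p = package_id; *p != '\0'; p++) {
        if (*p == ';' && ++seps == 3)
            data = p + 1;
    }
    return seps == 3 ? data : NULL;
}

/* True only for ids the plugin would handle itself (data field "@click",
 * an assumed marker taken from the example in the message). */
static bool plugin_claims(const char *package_id)
{
    const char *data = package_id_data(package_id);
    return data != NULL && strcmp(data, "@click") == 0;
}

/* Pick the PolicyKit action for a whole transaction. The relaxed action is
 * used only when the plugin claims every id; one backend-handled or
 * malformed id sends the whole transaction back to the default action. */
const char *transaction_action_id(const char *const *package_ids, size_t n)
{
    if (n == 0)
        return ACTION_DEFAULT;
    for (size_t i = 0; i < n; i++) {
        if (package_ids[i] == NULL || !plugin_claims(package_ids[i]))
            return ACTION_DEFAULT;
    }
    return ACTION_CLICK;
}
```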