[packagekit] [PATCH] Allow plugins to override PolicyKit action IDs

Tue Jul 16 06:07:53 PDT 2013

On Tue, Jul 16, 2013 at 10:51:09AM +0100, Richard Hughes wrote:
> On 16 July 2013 01:11, Colin Watson <cjwatson at ubuntu.com> wrote:
> > I've been putting together a PackageKit plugin for Click packages, as
> > discussed recently on this list.  I've got a fairly basic version almost
> > entirely working, albeit with the PackageKit 0.7 series currently in
> > Ubuntu (but porting to 0.8 shouldn't be hard, and I'm happy to do that
> > when needed).
> 
> I think new backends probably should go through master and then be
> backported if required if that's okay.

I wrote it as a plugin rather than as a backend, so I'm intending to
ship it with click rather than with PackageKit, much the same way that
Matthias handles the Listaller plugin - is that OK?  I realise it means
I have to keep up with PK API changes.

> > Would it be reasonable to allow plugins to override the action ID, as in
> > the attached patch?  This seems like a fairly lightweight and general
> > facility.
> 
> Right, in concept that makes sense, but would the click plugin work
> like the listaller plugin i.e. process everything that's a click
> package and leave the rest of the package_id's for the backend?

Yep.

> In which case it could open up a security problem if the user was do
> do something like this:
> 
> InstallPackages("some-app;;;@click", "sshd;0.0.1;i386;fedora") -- if
> the click plugin removed the auth-requirement for "some-app" then I
> think that could lead to trouble as sshd would be installed without
> auth. I thought this was exactly the thing the js policy was supposed
> to allow us to solve, see
> https://gitorious.org/packagekit/packagekit/blobs/master/policy/org.freedesktop.packagekit.rules
> for an example.

That's a point I hadn't thought of, but I think it can be handled with
just a bit more care in the plugin: only change the action if all
packages requested belong to the plugin.  If the user asks to install
both Click packages and system packages in a single transaction, then we
can ask for admin auth (or whatever's configured) and that will be
adequate for both.

-- 
Colin Watson                                       [cjwatson at ubuntu.com]