Add support for group auth to PolicyKit?
David Zeuthen
david at fubar.dk
Tue Dec 2 22:14:58 PST 2008

On Tue, 2008-12-02 at 23:43 -0600, Robby Workman wrote:
> While trying to duplicate our functionality of PolicyKit-less HAL, I
> reached the conclusion that it's not possible with the current feature
> set of PolicyKit (I may of course be wrong).

I don't think it is possible, no.

> I think I'm going to need
> some way to automatically authorize members of *groups* (rather than
> just individual users) to take actions. As an over-simplified example,
> something like this in PolicyKit.conf:
>
> <match action="org.freedesktop.hal.storage*">
>   <match group="plugdev">
>     <return result="yes"/>
>   </match>
> </match>
>
> While searching for similar requests/discussions, I found this:
> http://moblin.org/community/blogs/toddbrandt/2008/policykit-and-consolekit
> Is this something planned for David's in-progress rewrite, and if not,
> what are the chances of adding it? :-)

Support for managing authorizations on other entities (such as UNIX
groups) than just users is indeed planned. Also, support for UNIX
groups will be done in a way so we're not susceptible to the problems
traditionally associated with UNIX group membership (once member of a
group, always member of a group...) by e.g. checking membership using
and not the effective groups of a given process.

FWIW, for the time being I'm working (but have been busy working on
other code the past few months) in a temporary git repository here
http://cgit.freedesktop.org/~david/polkit/tree/
Nothing really works right now in that repo, but when it's functional
and stuff I'll merge the code into the main PolicyKit repository and
send a message here.

David
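
The stale-membership problem described in the reply above, as an added example that is not part of the original message or of PolicyKit's code: it compares the groups the kernel holds for the running process with what the group database grants now. Using getgrouplist(3) for the database lookup is an assumption (the message does not name the mechanism), and all function names are hypothetical.

```c
/* Added example, not PolicyKit code; function names are hypothetical. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* for getgrouplist(3) on glibc */
#endif
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <unistd.h>
#define MAX_GROUPS 256

/* Return 1 if gid is present in list[0..n). */
static int gid_in(gid_t gid, const gid_t *list, int n) {
    for (int i = 0; i < n; i++)
        if (list[i] == gid) return 1;
    return 0;
}

/* Copy into out[] each gid the process still holds that the database no
 * longer grants ("once member of a group, always member"); return count. */
int stale_gids(const gid_t *held, int nheld, const gid_t *db, int ndb, gid_t *out) {
    int k = 0;
    for (int i = 0; i < nheld; i++)
        if (!gid_in(held[i], db, ndb)) out[k++] = held[i];
    return k;
}

/* Authorization decision based only on current database membership. */
int authorize_by_database(gid_t required, const gid_t *db, int ndb) {
    return gid_in(required, db, ndb);
}

/* Fill db[] with the user's groups per the group database (assumed lookup:
 * getgrouplist). Returns the count, or -1 on failure. */
int database_gids(uid_t uid, gid_t *db, int max) {
    struct passwd *pw = getpwuid(uid);
    int n = max;
    if (!pw || getgrouplist(pw->pw_name, pw->pw_gid, db, &n) == -1) return -1;
    return n;
}

int main(void) {
    gid_t held[MAX_GROUPS], db[MAX_GROUPS], stale[MAX_GROUPS];
    int nheld = getgroups(MAX_GROUPS, held);
    int ndb = database_gids(getuid(), db, MAX_GROUPS);
    if (nheld < 0 || ndb < 0) { fprintf(stderr, "group lookup failed\n"); return 1; }
    int ns = stale_gids(held, nheld, db, ndb, stale);
    for (int i = 0; i < ns; i++)
        printf("gid %ld: held by process, not in database\n", (long)stale[i]);
    return 0;
}
```

A session started before an administrator removed the user from a group keeps that gid in its process credentials until it ends, which is why a decision based on the database lookup and one based on the process's groups can differ.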