patch -- config files in /etc

Matthew Miller mattdm at mattdm.org
Mon Nov 30 10:31:37 PST 2009


On Mon, Nov 30, 2009 at 01:11:29PM -0500, David Zeuthen wrote:
> There's a bunch of prior art where applications store data like this
> in /var and not /etc. Many people use "application data" and
> "configuration" interchangeably (even myself) - iscsi-initiator-utils is
> one example. Don't let the FHS fool you that these are totally separate
> things.

Oh, the FHS is full of flaws, no question. I'm just surprised that this
particular thing is controversial. (And let's not hold up
iscsi-initiator-utils as a paragon of something to follow....)


> What happened in F12 was not a polkit issue, it was a PackageKit issue.
> And the defaults did get changed within 48 hours because of the
> overwhelming push-back. So it was a bug in PackageKit. And it got
> fixed.

Yeah, I don't mean to push that particular button here, sorry. I certainly
don't blame polkit for that at all. I've been very in favor of polkit ever
since you talked about it at FUDCon way back when, and my take-away from the
incident was that it'd be valuable to make policykit configuration more
transparent to systems administrators, which will encourage more buy-in.
(The ideas about logging are motivated by the same thing -- enterprise
sysadmins want to see logs!)

> (If there's anything positive about that incident it's that maybe it
> opened people's eyes to the problem that Fedora maybe shouldn't be a
> "general purpose OS" - we really need different policies (such as
> different .pkla-files) in e.g. desktop and server spins - e.g. we want
> the stock F12 behavior but only in a desktop-spin, never in a
> server-spin)

Definitely.

> > I hope you can reconsider, because while the actual change is trivial, it's
> > really the right thing to do.
> The only possible solution that I could be made to agree with involves
> reading .pkla files from both
>  /var/lib/polkit-1/localauthority
>  /etc/polkit-1/localauthority
> though this really sucks. But there is a ton of prior art where this is
> done (hal, udev, etc.) so I guess we could do this.

If you take a look at the patch I posted (here and in the Fedora bug),
that's exactly what it does. 

(Except it uses /etc/security/polkit-1, which I think is a good idea
particularly given your comments on making sure users realize this is
security-sensitive configuration. And because it matches where the
consolehelper configuration lives, and since I think replacing consolehelper
entirely with polkit is a reasonable goal, that makes the mental migration
path easier for admins and doc writers.)

> So if you want to do this, file a bug with a patch and we'll take it
> from there. 

Would you like a new freedesktop.org bug filed?

> Btw, it would be nice also to use inotify to watch
> directories in polkit-1/localauthority instead of hardcoding this
>                |-- 10-vendor.d
>                |-- 20-org.d
>                |-- 30-site.d
>                |-- 50-local.d
>                `-- 90-mandatory.d

Yeah, that's mentioned in the Fedora bug too, but I figured one thing at a
time.

Thanks, David. I appreciate the reconsideration.


-- 
Matthew Miller           mattdm at mattdm.org          <http://mattdm.org/>

