Lock Down

Dario Freddi drf54321 at gmail.com
Sun Sep 13 03:33:32 PDT 2009


Hi David,

cool idea. However, I'm wondering about the usability of it all. At the 
moment, using a similar approach (polkitlockbutton) might be confusing. You 
are actually changing the "lock" button behavior according to the action 
status. Let me explain more clearly.

If I need to authenticate and unlock the action successfully, locking it down 
again results in having to authenticate again. This change is just about me. 
But if the result is yes, the change affects everybody. So I think the user 
might run into something unexpected in this case.

I still have to see the new authorization manager - I'm installing F12 in a VM 
right now - then I'll be able to share more.

Anyway, apart from the issues of the button itself, the framework shapes well 
:)

On Saturday 12 September 2009 23:20:01 David Zeuthen wrote:
> Hey,
> 
> So one thing that isn't really easy with polkit right now is lock-down.
> E.g. give away some privilege by default (e.g. use 'yes' for
> <allow_active> in the policy file) but make it easy for an authorized
> user to lock things down so authentication is required.
> 
> Well, up until now. First we add a new tool to lock down an action
> 
>  http://hal.freedesktop.org/docs/polkit/pklalockdown.1.html
> 
> This only works for the local authority but that's fine - other
> authority implementations will most likely be for centralized directory
> servers and this feature can be implemented in other ways there - e.g.
> these kinds of setups typically have a dedicated web2.0++-based
> administration console that scales to 100,000s of users.
> 
> The other part of this is using this new tool in PolkitLockButton. Up
> until now, the PolkitLockButton widget was hidden if the process was
> implicitly authorized. Now it's no longer hidden in this case, instead
> it looks like this
> 
>  http://hal.freedesktop.org/docs/polkit-gtk/polkit-lock-button-lock-down.png
>  (see http://hal.freedesktop.org/docs/polkit-gtk/polkit-gtk-1-polkitlockbutton.html
>  for the context)
> 
> If the user clicks this button, the PolkitLockButton code just runs
> pklalockdown(1). This typically results in an authentication dialog
> (since locking down stuff is a privileged operation - you are taking
> away stuff from _everyone_ by doing this). Anyway, if this operation
> succeeds then the action is locked down (e.g. admin auth is always asked
> for). The user can remove the lockdown by right-clicking the button -
> this results in another authentication dialog.
> 
> Anyway, the bottom-line of all this work is that PolkitLockButton and
> polkit itself are a lot more useful for use-cases where you grant a lot
> of privilege to certain roles [1]. Use-case:
> 
>  - Alice (the head of a household) puts users Bob and Carlos (her
>    adolescent kids) into the desktop_user_r role (ideally using
>    something like [2]). Alice herself is in desktop_admin_r along
>    with her husband Dave (no relation to me, I'm just using names
>    from [3]).
> 
>  - Users in the desktop_user_r role get a lot of privileges for
>    free - say, including the privilege to install trusted software
>    (e.g. software signed by a trusted party, e.g. Fedora or Debian
>    or whatever) without having to authenticate
> 
>  - Alice is unhappy that Bob and Carlos install a lot of crap on
>    the home machine and that they're falling behind in school. Alice
>    goes into "System->Administration->Add/Remove Software" [4]. She
>    clicks the Lock with the title saying "Click to lock down",
>    authenticates as the administrator (by authenticating as herself)
>    and now only users in desktop_admin_r (Alice and Dave) can install
>    new software.
> 
> This is of course just an example, I'm not sure Richard wants to add
> this patch or if it's compatible with how PackageKit works. And maybe if
> Richard wants to do the UI in a different way (say, a checkbox in a
> preference dialog) he can do just that by invoking pklalockdown(1)
> himself.
> 
> The point here, really, is that instead of really poor and crappy UI
> like this
> 
>  http://people.freedesktop.org/~david/polkit-gnome-authorizations.png
> 
> we now make it extremely easy to lock down each application in a secure
> manner. And, more importantly, we make it easy to do it _from_ the
> application, not some crappy UI.
> 
> Feedback welcome.
> 
> Thanks,
> David
> 
> [1] : "Roles and Policy" mail:
>       https://www.redhat.com/archives/fedora-desktop-list/2009-August/msg00103.html
> 
> [2] : "A new user management tool" mail:
>       https://www.redhat.com/archives/fedora-desktop-list/2008-May/msg00006.html
> 
> [3] : Alice and Bob
>       http://en.wikipedia.org/wiki/Alice_and_Bob
> 
> [4] : Screenshot of PackageKit's Add/Remove Software:
>       http://people.freedesktop.org/~david/Screenshot-Add-Remove%20Software.png
> 

-- 
-------------------

Dario Freddi
KDE Developer
GPG Key Signature: 511A9A3B
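The asymmetry Dario raises (an unlock is a per-user temporary authorization, a lockdown is a mandatory rule for everyone) can be made concrete with a small model of how the Local Authority layers .pkla files over the .policy defaults. This is an added example written for this thread, not code from polkit, pklalockdown or PolkitLockButton. It assumes the pklocalauthority(8) .pkla format (Identity, Action, ResultAny/ResultInactive/ResultActive), that files are evaluated in lexical path order so 90-mandatory.d overrides 50-local.d, that a lockdown can be modelled as a mandatory rule setting ResultActive=auth_admin_keep for unix-user:*, and that a successful authentication can be modelled as a temporary authorization for the authenticating user only. The action id, file names, users and groups are constructed sample data.

```python
"""Simplified model of Local Authority lockdown (added example, not polkit code)."""
import configparser
import fnmatch
from typing import Dict, Iterable, List, Set, Tuple

ACTION = "org.example.pkgmgr.install-trusted"  # constructed action id

# Implicit authorizations from the action's .policy <defaults> element:
# allow_active=yes is the "give away privilege by default" case from the thread.
POLICY_DEFAULTS = {
    ACTION: {"allow_any": "no", "allow_inactive": "no", "allow_active": "yes"},
}

# Constructed .pkla files keyed by path, in pklocalauthority(8) format.
PKLA_FILES: Dict[str, str] = {
    "/etc/polkit-1/localauthority/50-local.d/10-desktop-users.pkla": (
        "[Desktop users may install trusted software]\n"
        "Identity=unix-group:desktop_user_r\n"
        f"Action={ACTION}\n"
        "ResultActive=yes\n"
    ),
}

LOCKDOWN_DIR = "/etc/polkit-1/localauthority/90-mandatory.d"  # assumed location


def _identity_matches(identity: str, user: str, groups: Iterable[str]) -> bool:
    """Match one Identity entry: unix-user:NAME, unix-user:*, unix-group:NAME."""
    kind, _, name = identity.strip().partition(":")
    if kind == "unix-user":
        return name == "*" or name == user
    if kind == "unix-group":
        return name == "*" or name in groups
    return False


def _parse_pkla(text: str) -> List[Dict[str, str]]:
    """Parse a .pkla file into one dict per [section]."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep ResultActive / ResultAny case as written
    cp.read_string(text)
    return [dict(cp[section]) for section in cp.sections()]


def effective_result(action: str, user: str, groups: Iterable[str],
                     session: str = "active", pkla_files: Dict[str, str] = None,
                     temp_auth: Set[Tuple[str, str]] = frozenset()) -> str:
    """Return the result for (user, action): "yes", "no", "auth_admin_keep", ..."""
    pkla_files = PKLA_FILES if pkla_files is None else pkla_files
    result = POLICY_DEFAULTS.get(action, {}).get("allow_" + session, "no")
    key = "Result" + session.capitalize()
    for path in sorted(pkla_files):  # 50-local.d is visited before 90-mandatory.d
        for entry in _parse_pkla(pkla_files[path]):
            identities = entry.get("Identity", "").split(";")
            actions = entry.get("Action", "").split(";")
            if not any(_identity_matches(i, user, groups) for i in identities):
                continue
            if not any(fnmatch.fnmatchcase(action, a.strip()) for a in actions):
                continue
            if key in entry:
                result = entry[key]  # a later file overrides an earlier one
    # A successful "unlock" only helps the user who authenticated (assumed model).
    if result.startswith("auth_") and (user, action) in temp_auth:
        return "yes"
    return result


def lock_down(pkla_files: Dict[str, str], action: str) -> Dict[str, str]:
    """Model of what pklalockdown does: add a mandatory rule for every unix user."""
    files = dict(pkla_files)
    files[f"{LOCKDOWN_DIR}/lockdown-{action}.pkla"] = (  # assumed file name
        "[Lockdown]\n"
        "Identity=unix-user:*\n"
        f"Action={action}\n"
        "ResultAny=no\n"
        "ResultInactive=no\n"
        "ResultActive=auth_admin_keep\n"
    )
    return files


def remove_lockdown(pkla_files: Dict[str, str], action: str) -> Dict[str, str]:
    """Model of removing the lockdown again: drop the mandatory rule."""
    return {p: t for p, t in pkla_files.items()
            if p != f"{LOCKDOWN_DIR}/lockdown-{action}.pkla"}


if __name__ == "__main__":
    bob = ("bob", ["desktop_user_r"])
    alice = ("alice", ["desktop_admin_r"])
    print("before lockdown:", effective_result(ACTION, *bob), effective_result(ACTION, *alice))
    locked = lock_down(PKLA_FILES, ACTION)
    print("after lockdown: ", effective_result(ACTION, *bob, pkla_files=locked),
          effective_result(ACTION, *alice, pkla_files=locked))
    # Alice authenticates: only her session is unlocked, Bob stays locked down.
    unlocked = {("alice", ACTION)}
    print("alice unlocked: ", effective_result(ACTION, *bob, pkla_files=locked, temp_auth=unlocked),
          effective_result(ACTION, *alice, pkla_files=locked, temp_auth=unlocked))
```

Run as a script it prints `yes yes`, then `auth_admin_keep auth_admin_keep`, then `auth_admin_keep yes`: the lockdown flips the result for every identity at once, while Alice's authentication restores "yes" for Alice alone, which is the behaviour difference behind the concern about a single button doing both.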