Replacing polkit JS backend
Matthew Miller
mattdm at mattdm.org
Sat Oct 21 19:30:40 UTC 2017
On Sat, Oct 21, 2017 at 10:55:04AM -0700, Jasper St. Pierre wrote:
> The last time this came up (when I tried to replace mozjs with Duktape), it
> was pointed out that libvirt uses JS rules [0], and there's some evidence
> that administrators are doing it as well. [1]
>
> [0] https://libvirt.org/aclpolkit.html
> [1] https://github.com/systemd/systemd/pull/1159
We had this discussion on this list back years ago, and there's this
weird thing from the documentation (man page):
Authorization rules are intended for two specific audiences
· System Administrators
· Special-purpose Operating Systems / Environments
and those audiences only. In particular, applications,
mechanisms and general-purpose operating systems must never
include any authorization rules.
... so arguably, anything we're shipping in Fedora or Debian which
includes Javascript rules is Doing It Wrong.
--
Matthew Miller mattdm at mattdm.org <http://mattdm.org/>
Fedora Project Leader mattdm at fedoraproject.org <http://fedoraproject.org/>
More information about the polkit-devel
mailing list