[systemd-devel] Work on adding polkit support to systemd1
Stef Walter
stefw at redhat.com
Wed Aug 6 04:23:55 PDT 2014
I've done initial work on adding polkit support to systemd1 DBus
methods. You can see it here:

https://github.com/stefwalter/systemd/commits/polkit-systemd1

Basic rules:

* Read access for everyone
* Methods that modify running unit state are controlled by a polkit
  action: org.freedesktop.systemd1.manage-units
* Methods that modify unit state files are controlled by a polkit
  action: org.freedesktop.systemd1.manage-unit-files
* Many methods are only callable by root callers, like: Poweroff()
  Kexec() etc...
* Job.Cancel() and Manager.CancelJob() are callable by the caller(s)
  that started the job.
* Setting properties is only possible by root callers.

The way that each callback in sd-bus has to handle verification seems a
bit risky to me. So I've only opened up the specific interfaces I
touched in the DBus policy file.

Eventually the DBus policy file would go away, but hopefully sd-bus will
have a less risky way of verifying callers at that point.

I need to work on testing this. Will send a patch set when I'm done.

I'd be happy to add documentation here when we're done:

http://www.freedesktop.org/wiki/Software/systemd/dbus/

Cheers,

Stef
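
Added example, not part of the original message or of the systemd branch: a polkit rule an administrator could write against the two action ids named above, delegating unit start/stop to a group while still requiring admin authentication for unit file changes. The group name "unit-operators", the rules file path and the helper fakeSubject() are assumptions made for illustration.

```javascript
// Assumed location: /etc/polkit-1/rules.d/10-systemd-units.rules
var MANAGE_UNITS = "org.freedesktop.systemd1.manage-units";
var MANAGE_UNIT_FILES = "org.freedesktop.systemd1.manage-unit-files";
var OPERATORS = "unit-operators"; // hypothetical group name

// Outside polkitd (for example under node) there is no `polkit` global, so
// fall back to a stand-in with the same Result names to keep the rule testable.
var pk = (typeof polkit !== "undefined") ? polkit : {
    Result: { YES: "yes", AUTH_ADMIN: "auth_admin", NOT_HANDLED: null },
    addRule: function () {}
};

function systemdUnitRule(action, subject) {
    if (action.id === MANAGE_UNIT_FILES) {
        // Unit file changes alter on-disk state: never delegate, always
        // require administrator authentication.
        return pk.Result.AUTH_ADMIN;
    }
    if (action.id === MANAGE_UNITS) {
        // Delegate runtime unit control only to group members sitting at
        // a local, active session; everyone else must authenticate as admin.
        if (subject.isInGroup(OPERATORS) && subject.local && subject.active) {
            return pk.Result.YES;
        }
        return pk.Result.AUTH_ADMIN;
    }
    // Any other action: leave the decision to other rules and defaults.
    return pk.Result.NOT_HANDLED;
}

pk.addRule(systemdUnitRule);

// Constructed subject object for exercising the rule outside polkitd.
function fakeSubject(groups, local, active) {
    return {
        local: local,
        active: active,
        isInGroup: function (g) { return groups.indexOf(g) !== -1; }
    };
}
```

Root-only methods and property writes from the list above are not polkit actions in this scheme, so no rule can open them up.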