consolekit and user groups

Dan Nicholson dbn.lists at gmail.com
Wed Jan 21 09:48:27 PST 2009


2009/1/21 Scott James Remnant <scott at canonical.com>:
> On Wed, 2009-01-21 at 07:37 -0800, Yan Seiner wrote:
>
>> > Should I stand up, and log out, the ACL will be removed and I will
>> > instantly lose access to that drive.  I can't ssh in later, or sit in
>> > another seat, and get access again.
>> >
>> This sounds like exactly what I am trying to do!
>>
>> So set you
>>
>> setfacl /dev/cdrom
>>
>> at login (I'm thinking via gdm PreSession) and then when you log out it
>> automagically goes away?  Or do I have to do setfacl again to remove the acl?
>>
>> That sounds a lot simpler than consoleKit!   Yippeee!  :-)
>>
> Actually, the above is automatically managed for me.  HAL sets ACLs on
> new devices based on PolicyKit authorisations, which include a
> ConsoleKit "at the same seat" test.

One of the things that's not clear is how to provide access to certain
devices only when they're on specific seats. For instance, you might
have a USB hub whose devices you only want users at seat1 to get
access to. With current HAL/CK/PK, I believe any user at an active
seat would get access to the devices. Right?

Yan, you might want to look at the Access Control chapter in the HAL spec.

http://people.freedesktop.org/~david/hal-spec/hal-spec.html#access-control

I think that will at least steer you in the right direction for how to
handle the devices dynamically using the access_control namespace. The
PolicyKit part has changed some. See
/usr/share/PolicyKit/policy/org.freedesktop.hal.device-access.policy
rather than /etc/PolicyKit/privileges/hal-device-file.priv.

--
Dan
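
A way to check the behaviour discussed in this thread (a device ACL granted for a session should be gone after logout), as an added example that is not part of the original message or of HAL itself: it reads getfacl-format text and reports named-user ACL entries whose user is not in a list of currently active users. The function names, the sample ACL text and the user names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): find named-user ACL entries on
# device nodes that belong to users without an active session.
#
# stdin: text in getfacl output format
# $1:    space-separated list of users considered active (assumption:
#        on a live system this could come from `who`)

stale_acl_users() {
    awk -v active=" $1 " '
        # Remember which file the following entries belong to.
        /^# file: / { file = substr($0, 9); next }
        # Named-user entries only: "user:NAME:PERMS". The owner entry
        # "user::PERMS" has an empty name and does not match.
        /^user:[^:]+:/ {
            split($0, f, ":")
            if (index(active, " " f[2] " ") == 0)
                print file ": " f[2] " (" f[3] ")"
        }
    '
}

# Constructed sample input, shaped like `getfacl /dev/sr0 /dev/snd/controlC0`.
sample_acl() {
cat <<'EOF'
# file: dev/sr0
# owner: root
# group: cdrom
user::rw-
user:alice:rw-
user:bob:rw-
group::rw-
mask::rw-
other::---

# file: dev/snd/controlC0
# owner: root
# group: audio
user::rw-
user:carol:rw-
group::rw-
mask::rw-
other::---
EOF
}

# Only alice is logged in here, so bob and carol are reported as stale.
sample_acl | stale_acl_users "alice"
```

On a live system the same function can be fed from `getfacl /dev/sr0 2>/dev/null`; any line it prints is an ACL entry that outlived its session.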

