consolekit and user groups

Yan Seiner yan at seiner.com
Wed Jan 21 09:54:42 PST 2009


On Wed, January 21, 2009 9:48 am, Dan Nicholson wrote:
> 2009/1/21 Scott James Remnant <scott at canonical.com>:
>> On Wed, 2009-01-21 at 07:37 -0800, Yan Seiner wrote:
>>
>>> > Should I stand up, and log out, the ACL will be removed and I will
>>> > instantly lose access to that drive.  I can't ssh in later, or sit in
>>> > another seat, and get access again.
>>> >
>>> This sounds like exactly what I am trying to do!
>>>
>>> So set you
>>>
>>> setfacl /dev/cdrom
>>>
>>> at login (I'm thinking via gdm PreSession) and then when you log out it
>>> automagically goes away?  Or do I have to do setfacl again to remove the
>>> acl?
>>>
>>> That sounds a lot simpler than consoleKit!   Yippeee!  :-)
>>>
>> Actually, the above is automatically managed for me.  HAL sets ACLs on
>> new devices based on PolicyKit authorisations, which include a
>> ConsoleKit "at the same seat" test.
>
> One of the things that's not clear is how to provide access to certain
> devices only when they're on specific seats. For instance, you might
> have a USB hub whose devices you only want users at seat1 to get
> access to. With current HAL/CK/PK, I believe any user at an active
> seat would get access to the devices. Right?
>
> Yan, you might want to look at the Access Control chapter in the HAL spec.
>
> http://people.freedesktop.org/~david/hal-spec/hal-spec.html#access-control
>
> I think that will at least steer you in the right direction for how to
> handle the devices dynamically using the access_control namespace. The
> PolicyKit part has changed some. See
> /usr/share/PolicyKit/policy/org.freedesktop.hal.device-access.policy
> rather than /etc/PolicyKit/privileges/hal-device-file.priv.

My goal is to provide each seat with a USB hub.  Anything attached to the
hub gets assigned to the user at that seat.  This would include
hot-plugged devices like cameras and ipods.

I'll follow up on your references.  Thanks!

--Yan

-- 
  o__
  ,>/'_          o__
  (_)\(_)        ,>/'_        o__
Yan Seiner      (_)\(_)       ,>/'_     o__
       Personal Trainer      (_)\(_)    ,>/'_        o__
             Professional Engineer     (_)\(_)       ,>/'_
Who says engineers have to be pencil necked geeks?  (_)\(_)

You are an adult when you realize that everyone's an idiot sometimes. You
are wise when you include yourself.



