On Tue, 24 Nov 2009, Matthias Clasen wrote:
On Tue, 2009-11-24 at 11:26 -0500, Matthew Miller wrote:
One of the important features of sudo is its ability to log elevated-access
actions to syslog.
Userhelper similarly logs actions, like so: "userhelper[26491]: running
'/usr/share/system-config-users/system-config-users ' with root privileges
on behalf of 'mattdm'".
PolicyKit serves a similar function, but doesn't seem to log anything.
In fact, the only use of syslog appears to be in polkit-agent-helper-1,
which logs in two possible situations -- when called with the wrong number
of arguments and when stdin is a tty. (Most other things it fprintfs to
stderr.)
I'm not bringing this up to complain -- I just want to make sure that I'm
not missing something (which happens more often than it should; *sigh*). If
I'm not missing something, is this something anyone is working on already or
has existing plans for?
PolicyKit itself is not running anything. It is just answering the
question of a mechanism: 'is X allowed to do foo ?'. It would make more
sense for the mechanisms that use PolicyKit to log privileged actions
that they do or deny to do.
when the policies are updated it is policy kit that has to be involved.
polkitd is running, at least.
It would make sense for polkitd to note a change to a policy. Maybe also
to note any communications to polkitd of any kind.
-sv
--
Fedora-security-list mailing list
Fedora-security-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-security-list
