On Tue, Nov 24, 2009 at 12:44:00PM -0500, Matthias Clasen wrote:
> > 1. In fact, a PAM-backed authority for PolicyKit might be interesting and
> > useful -- but there's a tangent.
> What do you think PolicyKit is using for authentication?
> See
> http://cgit.freedesktop.org/PolicyKit/tree/src/polkitagent/polkitagenthelper.c

It uses it for authentication *and* for authorization, but it uses one service name (polkit-1) for everything (which is in turn configured by default to just defer to the standard system-auth service definition).

This arrangement isn't particularly useful for a flexible authorization policy. You can use it for the big-hammer "user-is-locked-out" stuff, but not for things like "local users can install packages without a password, only during business hours", which PAM is perfectly expressive enough to do (with existing modules, even).

I don't think, offhand, that it could be quite as flexible as the Local Authority currently in PolicyKit or via some fancy LDAP Authority, but I don't think it necessarily would need to be. The main advantage would be that instead of having yet another way (and again, I want to emphasize that I think PolicyKit is good work) to implement authorization policy, one could use PolicyKit with a well-understood mechanism that's been in production use since the 90s.

Like I said, this is a tangent, and I'm certainly not expecting anyone to work on this. But it'd be cool if they did.

-- 
Matthew Miller <mattdm@xxxxxxxxxx>
Senior Systems Architect
Cyberinfrastructure Labs / Instructional & Research Computing
Computing & Information Technology
Harvard School of Engineering & Applied Sciences

--
Fedora-security-list mailing list
Fedora-security-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-security-list
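As an added illustration (not part of the thread, and not anything PolicyKit ships) of the "local users can install packages without a password, only during business hours" policy expressed with existing PAM modules: it assumes a hypothetical per-action service name `polkit-install` that PolicyKit would have to select instead of the single `polkit-1` service, a group `localusers` standing in for "local users", and the stock `pam_succeed_if`, `pam_time` and `system-auth` pieces.

```pam
# Constructed example: hypothetical /etc/pam.d/polkit-install.
# PolicyKit only uses the "polkit-1" service today, so a per-action
# service name like this one is an assumed extension, not current behaviour.

# auth: members of the assumed group "localusers" are authenticated with
# no password prompt ("done" ends the stack successfully); everyone else
# falls through to the normal password stack.
auth     [success=done default=ignore]  pam_succeed_if.so quiet user ingroup localusers
auth     include                        system-auth

# account: users NOT in "localusers" skip the time check (success=1 jumps
# over the next line); "localusers" must pass pam_time, whose rules come
# from /etc/security/time.conf, then the usual account checks apply.
account  [success=1 default=ignore]     pam_succeed_if.so quiet user notingroup localusers
account  required                       pam_time.so
account  include                        system-auth

# Constructed /etc/security/time.conf entry read by pam_time above
# (fields: services;ttys;users;times). "Wk" is weekdays Mo-Fr, so the
# polkit-install service is only permitted 09:00-17:00 on working days;
# outside that window pam_time fails and the action is denied.
polkit-install;*;*;Wk0900-1700
```

Because the auth stack uses `include`, any jump counts (`success=N`) must not span it; the `done` action is used instead so the included lines are never partially skipped.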