On Sep 28, 2011 3:53 PM, "Tom Gundersen" <teg@xxxxxxx> wrote: > > On Wed, Sep 28, 2011 at 10:02 PM, Fons Adriaensen <fons@xxxxxxxxxxxxxx> wrote: > > > > Or maybe I'm missing a third possible scenario. > > The way it works is that both the frontend (the unprivileged process, > e.g. the GUI for setting your timezone) and the backend (the > privileged process, e.g. the app that writes the timezone data to > /etc/localtime) interface with PK. The backend will ultimately be the > one deciding who should be allowed to do what under which conditions, > PK is just the interface that lets this be done in a uniform way. The process is similar for libvirt -- when the policy is "unix perms only" having r/w access to the control socket is enough to authorize. However, when polkit is in use (the default) the socket is world writable simply because anyone *could* be authorized to use it (you could still use fs perms if you wanted) ... but all requests must be approved by polkit anyway, and at no time are you really exposing anything -- all configs/etc are never directly malleable or even disclosed. Polkit is a really good thing IMO -- FS perms are good too, but they are very crude/basic and completely lack expressive power ... not the right tool for the job.
