PSA: don't make your polkit policies desktop centric

Many of the polkit policy files services ship in Fedora have lines that
look like this:

    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>

The <allow_any>no</allow_any> prevents use of the service from remote
sessions such as ssh or Cockpit.

The poorly named <allow_any> tag controls the default policy for users
logged in from any non-monitor+keyboard session. That is, sessions that
don't come from a 'seat'.

So unless your service is changing seat specific hardware, you probably
want an <allow_any> tag that is similar or identical to <allow_active>.
For example:

    <allow_any>auth_admin</allow_any>

If you think this is confusing ... it's because it is.

Documentation here:

http://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html

Some bugs and patches filed here:

https://bugzilla.redhat.com/show_bug.cgi?id=1094121

Cheers,

Stef

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
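
An added example, not part of the original post: a small audit that lists polkit actions whose defaults permit an active seat session but deny every other session, which is the pattern described above. The action ids in the sample are constructed, and treating a missing element as "no" is an assumption of this example.

```python
import glob
import sys
import xml.etree.ElementTree as ET

# Constructed sample policy with hypothetical action ids (not from a real package).
SAMPLE_POLICY = """<policyconfig>
  <action id="org.example.service.configure">
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>
  <action id="org.example.service.reload">
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>
  <action id="org.example.service.status">
    <defaults><allow_active>yes</allow_active></defaults>
  </action>
</policyconfig>"""

def _default(action, tag):
    # Assumption of this example: a missing or empty element counts as "no".
    text = action.findtext(f"defaults/{tag}")
    return (text or "").strip() or "no"


def desktop_only_actions(policy_xml):
    """Return (action_id, allow_any, allow_active) for seat-only actions."""
    findings = []
    for action in ET.fromstring(policy_xml).iter("action"):
        allow_any = _default(action, "allow_any")
        allow_active = _default(action, "allow_active")
        if allow_any == "no" and allow_active != "no":
            findings.append((action.get("id"), allow_any, allow_active))
    return findings


if __name__ == "__main__":
    # With no arguments, scan the usual system directory for policy files.
    paths = sys.argv[1:] or glob.glob("/usr/share/polkit-1/actions/*.policy")
    for path in paths:
        with open(path, "rb") as fh:
            for action_id, allow_any, allow_active in desktop_only_actions(fh.read()):
                print(f"{path}: {action_id}: allow_any={allow_any} allow_active={allow_active}")
```

Each reported action still needs a human decision: a service that changes seat-specific hardware may be right to keep <allow_any>no</allow_any>.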