Hi, On 05/05/2014 11:47 AM, Stef Walter wrote: > Many of the polkit policy files services ship in Fedora have lines that > look like this: > > <defaults> > <allow_any>no</allow_any> > <allow_inactive>no</allow_inactive> > <allow_active>auth_admin_keep</allow_active> > </defaults> > > The <allow_any>no</allow_any> prevents use of the service from remote > sessions such as ssh or Cockpit. > > The poorly named <allow_any> tag controls the default policy for users > logged in from any non-monitor+keyboard session. That is, sessions that > don't come from a 'seat'. > > So unless your service is changing seat specific hardware, you probably > want an <allow_any> tag that is similar or identical to <allow_active>. Erm, IMHO it should be the same as <allow_inactive>, if something is not allowed to be done from an inactive state (ie from a switched away session with fast user switching) it certainly should also not be allowed to be done over ssh. Regards, Hans -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
