On Mon, 2014-05-05 at 14:21 +0200, Stef Walter wrote:
> >> The <allow_any>no</allow_any> prevents use of the service from remote
> >> sessions such as ssh or Cockpit.
> >>
> >> The poorly named <allow_any> tag controls the default policy for users
> >> logged in from any non-monitor+keyboard session. That is, sessions that
> >> don't come from a 'seat'.
> >>
> >> So unless your service is changing seat specific hardware, you probably
> >> want an <allow_any> tag that is similar or identical to <allow_active>.
> >
> > Erm, IMHO it should be the same as <allow_inactive>, if something is
> > not allowed to be done from an inactive state (ie from a switched away session
> > with fast user switching) it certainly should also not be allowed to be
> > done over ssh.
>
> Technically you are correct. The best kind of correct.
> In reality it depends on the service. Some services may want to prevent
> use when inactive (ie: locked screen) simply for UI reasons, not security.

This is not always the case though, as I have a package with a policy
that I intentionally discriminate ssh from active sessions. Maybe it is
better to decide that on a per-package case, and may be better to file
bugs to the specific packages that you think it doesn't make sense to
have such discrimination.

A longer-term solution may be to better explain the situation in the
polkit documentation (if it isn't already - I didn't check). Otherwise
with a blanket statement like the above we risk introducing security
bypasses where we shouldn't.

regards,
Nikos
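
The per-package review discussed in this thread can be done mechanically over a polkit .policy file. The following Python is an added example, not part of the original message or of polkit: it reports, per action, whether <allow_any> is looser than <allow_inactive> or stricter than <allow_active>. The sample policy, its action ids, the permissiveness ordering and the treatment of a missing element as "no" are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Implicit-authorization values used in polkit .policy files, ordered from
# least to most permissive. The ordering is this example's assumption.
RANK = {"no": 0, "auth_admin": 1, "auth_admin_keep": 2,
        "auth_self": 3, "auth_self_keep": 4, "yes": 5}

# Constructed sample policy; the action ids are hypothetical.
SAMPLE_POLICY = """<policyconfig>
  <action id="org.example.demo.local-only">
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="org.example.demo.remote-looser">
    <defaults>
      <allow_any>yes</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="org.example.demo.uniform">
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin</allow_active>
    </defaults>
  </action>
</policyconfig>"""

def audit_policy(xml_text):
    """Return {action_id: [findings]} for every action in a policy document."""
    report = {}
    for action in ET.fromstring(xml_text).iter("action"):
        # Assumption: a missing or empty element is treated as "no".
        d = {k: (action.findtext(f"defaults/{k}") or "no").strip()
             for k in ("allow_any", "allow_inactive", "allow_active")}
        findings = []
        if RANK[d["allow_any"]] > RANK[d["allow_inactive"]]:
            findings.append("any-looser-than-inactive")  # review for a bypass
        if RANK[d["allow_any"]] < RANK[d["allow_active"]]:
            findings.append("any-stricter-than-active")  # ssh/Cockpit treated more strictly
        report[action.get("id")] = findings
    return report

if __name__ == "__main__":
    for action_id, findings in audit_policy(SAMPLE_POLICY).items():
        print(action_id, findings or ["uniform"])
```

Neither finding is a verdict on its own: the first marks actions to review before loosening anything, the second marks actions where the difference between remote and active sessions may be intentional.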