Matthias Clasen wrote:
> On Sun, 2007-12-09 at 19:45 +0100, shrek-m@xxxxxx wrote:
>
>> i was playing with
>> $ polkit-gnome-authorization
>>
>> i added one user and blocked an other,
>> now none can edit the "org.pulseaudio high-priority-scheduling"
>> because it crashes.
>
> That is simply a bug. I gave David a fix for it; I hope he manages to
> push out a fixed build soon. In the meantime, you can use
> polkit-auth --revoke
> to remove the explicit grants that are causing the problem.

ok, i will wait and see ...

>> root (local X) can not edit the policies
>> a tool for sysadmins but root can not use it ?
>
> What is the problem with using it as root (apart from the aforementioned
> bug) ?

the gui does not crash as root but absolutely no authorization was displayed as root.

the gui (local gnome-terminal `su -`) for root:
all is "greyed out", root can change nothing (block, grant, revoke, modify)

the gui (`ssh -Y user@rawhide` ; `su -`) for root:
all is "greyed out", root can change nothing (block, grant, revoke, modify)

# polkit-auth --user admin --explicit  (granted:pulseaudio)
displayed the authorization
"revoke" was possible

# polkit-auth --user test --explicit  (blocked:pulseaudio)
nothing is displayed
but the blocked:authorization must exist because the warning does not pop up for "test" but for "admin"

i have to use
# polkit-auth --user test --explicit-details
ok, now i see the details but "revoke" seems to be useless.

all in all:
it seems to me that the gui and tui need some work.

>> one more tool for a sysadmin to check and to manage ?
>
> How much checking and managing you want to do depends on your personal
> preferences. At least there is a tool, which is more than consolehelper
> ever achieved...

i could not find the possibility to add groups.

# rm /usr/share/PolicyKit/policy/PulseAudio.policy
could be a possibility to remove the annoying pulseaudio warnings for all users
before i have to give all users the root-password :)

can you import/export/clone policies over the network?
can PolicyKit manage users/groups/workstations in a lan? (central backend on a server)
userA@wsA == userA@wsB != userA@wsC

>> a user can not edit via ssh X11forwarding ?
>
> Should work, what problem are you seeing ?

`ssh -Y user@rawhide` ; gnome-terminal :
the gui for unprivileged users "admin" or "test"
the user can _only_block_himself_ but nothing else, the rest is "greyed out".

local-X-session, gnome-terminal :
the gui for unprivileged users "admin" or "test"
_all_is_ok_ and both can block, grant, modify but the given authorizations are not displayed.

in the gnome-terminal i can see warnings eg. "already exist" but not if it was successfully.
not really useful :((

>> no possibility to disable it like selinux ?
>
> What do you mean by that ? Blindly allowing every privileged operation
> for everybody ? Or denying it for everybody ?

--
shrek-m