On Tue, Feb 24, 2009 at 08:10:07AM -0600, Chris Adams wrote:
>
> The question is: what path is this taking to get the required access
> level (I guess PolicyKit)? What other things may be available this way
> (is there any limit)? How was this audited before being added to
> Fedora?
>
> There is a bug about this in RH BZ (450304) that has been open since
> 2008-06-06 with basically no action.
Here is a script which allows to check and override defaults in
question:
#!/bin/sh
# Change insane defaults for messing with system clock.
# To grant/revoke some particular action to a given user use polkit-auth
if [ "$1" ] ; then
show=yes
fi
actions="
org.gnome.clockapplet.mechanism.settimezone
org.gnome.clockapplet.mechanism.settime
org.gnome.clockapplet.mechanism.configurehwclock
"
if [ "$show" = yes ] ; then
for act in $actions ; do
polkit-action --action $act
done
else
for act in $actions ; do
polkit-action --set-defaults-active $act auth_admin_keep_session
done
fi
If you want there 'auth_admin_keep_session' or something else
(see 'man polkit-action' for possibilities) that is up to you.
> What mechanism is there to keep track of these policies?
No idea; but apparently it does not work too well.
I did not try so far to audit what are defaults for anything which
shows up when you type 'polkit-action'. Quite likely I should.
Michal
--
fedora-test-list mailing list
fedora-test-list@xxxxxxxxxx
To unsubscribe:
https://www.redhat.com/mailman/listinfo/fedora-test-list
