On Tuesday 31 of March 2015 21:35:44 Michael Catanzaro wrote:
> On Tue, 2015-03-31 at 21:50 +0200, Jakub Filak wrote:
> > What about these patches:
> > 
> > https://github.com/abrt/abrt/pull/946
> 
> That's exactly what I had in mind (though it would be better to remove
> the mysterious "Other" column entirely, and just not allow viewing the
> problems if the user doesn't have permission)... it's evil, but I think
> it's the only way to do what we want to do.
> 
> We should chat with Miloslav Trmač (mitr) about this. I've added him to
> CC, hi Miloslav! The goal here is to use polkit to express the rule
> "local admins can perform the action without entering any password, but
> non-admin users must enter an admin password." I think the only way to
> do that is currently to ship custom JavaScript rules, exactly what Jakub
> does in the above patch; that's the approach that's taken by
> gnome-control-center as well. Hardcoding the wheel group is also not
> nice; it doesn't work at all for Debian/Ubuntu. And the folks in SUSE
> world will just delete the .rules file when it discovers it.
> 
> The polkit manual is pretty clear that applications should never do
> this:
> 
> "Authorization rules are intended for two specific audiences
> 
> System Administrators
> 
> Special-purpose Operating Systems / Environments
> 
> and those audiences only. In particular, applications, mechanisms and
> general-purpose operating systems must never include any authorization
> rules."
> 
> However, if there's no other way, there's no other way. Any suggestions?
> 

Actually, there is another way to allow admins to view all problems
without the need to provide a password. I can ignore polkit for the wheel
group members in abrt-dbus and treat them like they are authorized via
polkit, but IMHO this approach is worse than adding a polkit rules file.


Jakub
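
The rule discussed in this thread ("local admins without a password, everyone else must enter an admin password"), as an added example that is not taken from the thread or from the ABRT pull request. The action id, the `authorize` helper, the small `polkit` stand-in object and the sample users are assumptions made so the rule can be run outside polkitd; `polkit.addRule`, `polkit.Result.YES`, `subject.local`, `subject.active` and `subject.isInGroup` are the real rule API.

```javascript
// Stand-in for the polkit rule engine (assumption): only addRule, Result
// and "first rule that returns a result wins" are modelled.
const polkit = {
  Result: { YES: "yes", AUTH_ADMIN: "auth_admin" },
  _rules: [],
  addRule(fn) { this._rules.push(fn); },
};

// Hypothetical action id; the real one comes from the service's .policy file.
const ACTION_ID = "org.example.problems.getall";
// Hard-coded admin group: the portability problem raised in the thread.
const ADMIN_GROUP = "wheel";

// The rule as it would appear in a shipped .rules file.
polkit.addRule(function (action, subject) {
  if (action.id === ACTION_ID &&
      subject.local && subject.active &&
      subject.isInGroup(ADMIN_GROUP)) {
    return polkit.Result.YES; // local admin: no password prompt
  }
  // Returning nothing leaves the decision to later rules and the .policy default.
});

// Hypothetical helper: run the rules in order, then fall back to the
// action's default, assumed here to be auth_admin (admin password required).
function authorize(actionId, user) {
  const subject = {
    user: user.name,
    local: user.local,
    active: user.active,
    isInGroup: (group) => user.groups.includes(group),
  };
  for (const rule of polkit._rules) {
    const result = rule({ id: actionId }, subject);
    if (result) return result;
  }
  return polkit.Result.AUTH_ADMIN;
}

// Constructed sample subjects.
const fedoraAdmin = { name: "alice", groups: ["wheel"], local: true, active: true };
const plainUser   = { name: "bob",   groups: ["users"], local: true, active: true };
const remoteAdmin = { name: "carol", groups: ["wheel"], local: false, active: true };
const debianAdmin = { name: "dave",  groups: ["sudo"],  local: true, active: true };

for (const u of [fedoraAdmin, plainUser, remoteAdmin, debianAdmin]) {
  console.log(u.name, "->", authorize(ACTION_ID, u));
}
```

The last subject shows the Debian/Ubuntu case from the thread: an administrator who is not in `wheel` falls through to the password prompt.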


