Michael Biebl wrote:
> Roland Mas wrote:
>> Michael Biebl, 2009-11-26 12:02:18 +0100 :
>>
>> [...]
>>
>>> Is there an upstream bug tracker, i.e. have you forwarded this
>>> upstream?  Should I do this?
>> There's no upstream bug tracker, only a mailing-list [1].  I'd be
>> grateful if you did the forwarding, yes, since you're probably going to
>> be much more informative than I could :-)
> 
> Hi Roland,
> 
> I investigated a bit more thoroughly, what argyll is doing wrt policykit.
> 
> So, what does it do [1]:
> It installs a hal fdi file
> /usr/share/hal/fdi/policy/10osvendor/19-color.fdi
> which tells hal to set the access_control key for a certain class of usb devices.
> Whenever such a usb device is connected, hal will apply an ACL to that device,
> granting the currently active user full access to that device.
> The PolicyKit file that is installed by argyll defines who to grant access:
>       <allow_inactive>no</allow_inactive>
>       <allow_active>yes</allow_active>
> That means, inactive users won't be granted access, only locally logged in users
> that are active.
> 
> For all this to work, hal needs to be compiled with acl-management and
> policykit support, which it does no longer with 0.5.13-4 onwards.
> 
> So the hal fdi file and PolicyKit file are basically useless.
> 
> It has also to be noted, that the argyll package installs udev rules, which
> apply mode 666 to those usb devices (which I btw consider a security risk!)
> Applying an ACL on top of that won't give you a lot.
> 
> My recommendation:
> Drop the hal fdi files and PolicyKit files. Drop the dependency on policykit.
> (this should be done in any case as it is superfluous as shown above).
> But also: Drop chmodding the devices 666
> 
> Instead:
> Use the udev-acl support in newer udev revisions and apply an ACL for the
> currently active user on the fly. This requires a recent udev version (>= 146)
> and consolekit installed.
> For this to work, set the ACL_MANAGE=1 variable for the devices in your udev
> rules instead of statically chmodding the device 666
> 
> If you want to see how this works, take a look at 
> /lib/udev/rules.d/70-acl.rules.
> 

BTW, do you really need to install 45-Argyll.rules?
I thought those symlinks are already created nowadays. What's the reason that
you install that file?

Michael

-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
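
The following check is an added example, not part of the original message or of the argyll package: it scans udev rules text for static world-writable MODE assignments such as the 666 discussed above, and lists rules that set ACL_MANAGE instead. The sample rules and USB ids are constructed placeholders, and writing the variable as ENV{ACL_MANAGE}="1" is an assumption about how the rule is spelled.

```python
import re

# key, operator, quoted value, e.g. MODE="666" or ATTR{idVendor}=="1234"
TOKEN = re.compile(r'([A-Z_]+(?:\{[^}]*\})?)\s*(==|!=|\+=|:=|=)\s*"([^"]*)"')

# Constructed sample; vendor/product ids are placeholders, not Argyll's.
SAMPLE = r'''# static world-writable node
SUBSYSTEM=="usb", ATTR{idVendor}=="1234", ATTR{idProduct}=="abcd", MODE="666"
# per-session ACL requested through ACL_MANAGE (assumed spelling)
SUBSYSTEM=="usb", ATTR{idVendor}=="1234", ATTR{idProduct}=="abcd", ENV{ACL_MANAGE}="1"
SUBSYSTEM=="usb", ATTR{idVendor}=="1234", \
  MODE="0660", GROUP="plugdev"
'''

def logical_lines(text):
    """Yield (first_line_number, rule) with backslash continuations joined."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = no
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        rule = (buf + raw).strip()
        if rule and not rule.startswith("#"):
            yield start, rule
        buf, start = "", None

def audit_rules(text):
    """Report world-writable MODE assignments and ACL_MANAGE rules by line."""
    findings = {"world_writable": [], "acl_managed": []}
    for no, rule in logical_lines(text):
        for key, op, value in TOKEN.findall(rule):
            if key == "MODE" and op in ("=", ":="):
                try:
                    mode = int(value, 8)
                except ValueError:
                    continue  # symbolic or substituted mode: not evaluated here
                if mode & 0o002:  # "other" write bit set
                    findings["world_writable"].append((no, value))
            elif key == "ENV{ACL_MANAGE}" and op in ("=", ":=") and value == "1":
                findings["acl_managed"].append(no)
    return findings

if __name__ == "__main__":
    print(audit_rules(SAMPLE))
```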
