On Tue, Jul 22, 2008 at 8:27 PM, Jason D. Clinton <[EMAIL PROTECTED]>
wrote:

> This is the PK bits that David was discussing in his previous message that
> are in the Debian hal which appears to be a security problem, if nothing
> else:
>
> http://gitweb.freedesktop.org/?p=hal.git;a=commitdiff;h=5b4c664f7b40e85148bd3c32946388e23fe8b384
>
> Would you like me to open the BTS bug?
>
>
Never mind, I was looking at the Debian hal.conf cross-ways while examining
the one I installed as a part of my jhbuild work tracking 2.23. There's
nothing wrong with the Debian package; it correctly kills PK support as
suggested by the configure.in message that David referenced. jhbuilding
appears to be the source of PK being enabled WRT to hal.

When I have time I'll investigate why the default allow policy is having PK
returning permission denied for active sessions. It'll have to be some time
next week.

Thank you for your attention to the Debian side of things, Michael.

Here is the Debian patch, FTWCA such things:

diff --git a/hal.conf.in b/hal.conf.in
index ef97b8f..3646deb 100644
--- a/hal.conf.in
+++ b/hal.conf.in
@@ -40,6 +40,26 @@
   <!-- Default policy for the exported interfaces; if PolicyKit is not used
        for access control you will need to modify this -->
   <policy context="default">
+    <deny
send_interface="org.freedesktop.Hal.Device.SystemPowerManagement"/>
+    <deny send_interface="org.freedesktop.Hal.Device.VideoAdapterPM"/>
+    <deny send_interface="org.freedesktop.Hal.Device.LaptopPanel"/>
+    <deny send_interface="org.freedesktop.Hal.Device.Volume"/>
+    <deny send_interface="org.freedesktop.Hal.Device.Volume.Crypto"/>
+  </policy>
+
+  <!-- Debian groups policies -->
+  <policy group="powerdev">
+    <allow
send_interface="org.freedesktop.Hal.Device.SystemPowerManagement"/>
+    <allow send_interface="org.freedesktop.Hal.Device.VideoAdapterPM"/>
+    <allow send_interface="org.freedesktop.Hal.Device.LaptopPanel"/>
+  </policy>
+  <policy group="plugdev">
+    <allow send_interface="org.freedesktop.Hal.Device.Volume"/>
+    <allow send_interface="org.freedesktop.Hal.Device.Volume.Crypto"/>
+  </policy>
+
+  <!-- You can change this to a more suitable user, or make per-group -->
+  <policy user="root">
     <allow
send_interface="org.freedesktop.Hal.Device.SystemPowerManagement"/>
     <allow send_interface="org.freedesktop.Hal.Device.VideoAdapterPM"/>
     <allow send_interface="org.freedesktop.Hal.Device.LaptopPanel"/>
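
Review bot: The five <deny send_interface="..."/> rules added under <policy context="default"> match on the interface alone, with no send_destination. The interface field of a D-Bus method call is optional, and the dbus-daemon documentation advises against bare send_interface deny rules for that reason, so each rule should also carry send_destination="org.freedesktop.Hal"; the same applies to the allow rules in the powerdev and plugdev blocks. The "Debian groups policies" comment should also say that access now depends on membership in powerdev or plugdev alone, since nothing in these rules ties it to an active local session.
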
_______________________________________________
desktop-devel-list mailing list
desktop-devel-list@gnome.org
http://mail.gnome.org/mailman/listinfo/desktop-devel-list