> On March 22, 2017, 10:08 a.m., Elvis Angelaccio wrote: > > src/ioslaves/file/kauth/file.actions, lines 1-5 > > <https://git.reviewboard.kde.org/r/129983/diff/5/?file=492986#file492986line1> > > > > I don't see the advantage of using a single kauth action. This way you > > are generating only one "generic" polkit action that you can either enable > > or disable. Instead if we used one polkit action per operation (del, rmdir, > > etc.) we could allow a more fine-grained control. For example, a sysadmin > > could decide that the users can create files in write protected locations, > > but they cannot delete existing files. > > Chinmoy Ranjan Pradhan wrote: > Some operation may use more than one polkit action like Delete. If we use > one polkit action per operation then we will have to provide credentials for > every polkit action that operation might use. Though we can add necessary > code for this but it will only complicate the matter. > > > we could allow a more fine-grained control > > Does this involve editing the policy file directly or just writing a > config file? In later case we can provide control over execution of actions > within the ioslave. 'execWithRoot' can perform a check prior to execution of > the polkit action.
> Some operation may use more than one polkit action like Delete. If we use one > polkit action per operation then we will have to provide credentials for > every polkit action that operation might use. But only if the actions are different, right? Otherwise we should be fine within the 5 minutes threshold after the first authentication. Can you show some concrete examples where this issue would happen? > Does this involve editing the policy file directly or just writing a config > file? Have a look at polkit rules. For example, one could write a rule that says "org.kde.kio.file.copy is allowed, org.kde.kio.file.del is not." and it would be very cool if we could actually support this. - Elvis ----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://git.reviewboard.kde.org/r/129983/#review102932 ----------------------------------------------------------- On March 14, 2017, 2:48 p.m., Chinmoy Ranjan Pradhan wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://git.reviewboard.kde.org/r/129983/ > ----------------------------------------------------------- > > (Updated March 14, 2017, 2:48 p.m.) > > > Review request for KDE Frameworks, David Faure and Elvis Angelaccio. > > > Repository: kio > > > Description > ------- > > This is regarding the GSOC idea > https://community.kde.org/GSoC/2017/Ideas#Project:_Polkit_support_in_KIO. > > This patch intends to demonstrate one possible approach to provide polkit > support in kio. Here its only for the delete operation. This is based on the > patch in task https://phabricator.kde.org/T5070. > > The approach is as follows; > 1. Whenever file ioslave gets access denied error it calls the method > *execWithRoot* with the action that requires priviledge, the path of items > upon which action needs to be performed and a warning ID as arguments. > 2. *execWithRoot* then executes the KAuth::Action *org.kde.kio.file.execute*. > 3. This Kauth::Action has its Persistence set too 'session'. This means that > after authentication the restrictions are dropped for a while, for > about 5 minutes. This is similar to the behaviour of sudo command. > 4. During this time we can perform any action as a privileged user without > any authentication. So to prevent any mishap i added a warning box which > would popup before performing any action(only during this period). > 5. After the said time interval the root privileges are droped and calling > *execWithRoot* should show the usual authentication dialog. > > > Diffs > ----- > > src/ioslaves/file/CMakeLists.txt b9132ce > src/ioslaves/file/file.h 109ea80 > src/ioslaves/file/file.cpp eaf6c88 > src/ioslaves/file/file_unix.cpp 82eb11a > src/ioslaves/file/kauth/CMakeLists.txt PRE-CREATION > src/ioslaves/file/kauth/file.actions PRE-CREATION > src/ioslaves/file/kauth/helper.h PRE-CREATION > src/ioslaves/file/kauth/helper.cpp PRE-CREATION > > Diff: https://git.reviewboard.kde.org/r/129983/diff/ > > > Testing > ------- > > > File Attachments > ---------------- > > warning dialog > > https://git.reviewboard.kde.org/media/uploaded/files/2017/03/09/d42570e8-aedf-4c02-801e-362a68755c2c__polkit_integration.png > > > Thanks, > > Chinmoy Ranjan Pradhan > >
