Hey,

So one thing that isn't really easy with polkit right now is lock-down. E.g. give away some privilege by default (e.g. use 'yes' for <allow_active> in the policy file) but make it easy for an authorized user to lock things down so authentication is required.

Well, up until now. First we add a new tool to lock down an action

  http://hal.freedesktop.org/docs/polkit/pklalockdown.1.html

This only works for the local authority but that's fine - other authority implementations will most likely be for centralized directory servers and this feature can be implemented in other ways there - e.g. these kinds of setups typically have a dedicated web2.0++-based administration console that scales to 100,000s of users.

The other part of this is using this new tool in PolkitLockButton. Up until now, the PolkitLockButton widget was hidden if the process was implicitly authorized. Now it's no longer hidden in this case; instead it looks like this

  http://hal.freedesktop.org/docs/polkit-gtk/polkit-lock-button-lock-down.png

(see http://hal.freedesktop.org/docs/polkit-gtk/polkit-gtk-1-polkitlockbutton.html for the context)

If the user clicks this button, the PolkitLockButton code just runs pklalockdown(1). This typically results in an authentication dialog (since locking down stuff is a privileged operation - you are taking away stuff from _everyone_ by doing this). Anyway, if this operation succeeds then the action is locked down (e.g. admin auth is always asked for). The user can remove the lockdown by right-clicking the button - this results in another authentication dialog.

Anyway, the bottom line of all this work is that PolkitLockButton and polkit itself are a lot more useful for use-cases where you grant a lot of privilege to certain roles [1].

Use-case:

 - Alice (the head of a household) puts users Bob and Carlos (her adolescent kids) into the desktop_user_r role (ideally using something like [2]). Alice herself is in desktop_admin_r along with her husband Dave (no relation to me, I'm just using names from [3]).

 - Users in the desktop_user_r role get a lot of privileges for free - say, including the privilege to install trusted software (e.g. software signed by a trusted party, e.g. Fedora or Debian or whatever) without having to authenticate.

 - Alice is unhappy that Bob and Carlos install a lot of crap on the home machine and that they're falling behind in school. Alice goes into "System->Administration->Add/Remove Software" [4]. She clicks the lock whose title says "Click to lock down", authenticates as the administrator (by authenticating as herself) and now only users in desktop_admin_r (Alice and Dave) can install new software.

This is of course just an example, I'm not sure Richard wants to add this patch or if it's compatible with how PackageKit works. And maybe if Richard wants to do the UI in a different way (say, a checkbox in a preference dialog) he can do just that by invoking pklalockdown(1) himself.

The point here, really, is that instead of really poor and crappy UI like this

  http://people.freedesktop.org/~david/polkit-gnome-authorizations.png

we now make it extremely easy to lock down each application in a secure manner. And, more importantly, we make it easy to do it _from_ the application, not some crappy UI.

Feedback welcome.

Thanks,
David

[1] : "Roles and Policy" mail: https://www.redhat.com/archives/fedora-desktop-list/2009-August/msg00103.html
[2] : "A new user management tool" mail: https://www.redhat.com/archives/fedora-desktop-list/2008-May/msg00006.html
[3] : Alice and Bob: http://en.wikipedia.org/wiki/Alice_and_Bob
[4] : Screenshot of PackageKit's Add/Remove Software: http://people.freedesktop.org/~david/Screenshot-Add-Remove%20Software.png
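As an added illustration (not from David's mail and not polkit's own code), here is a small Python model of what the lock-down does to the local authority's decision: the .policy <allow_active> default is 'yes', and a .pkla entry of the kind I assume pklalockdown writes (Identity/Action/ResultAny/ResultInactive/ResultActive keys, ';'-separated identities) overrides it with auth_admin_keep for everyone on that one action only. The action ids, users and groups are constructed.

```python
import configparser
import xml.etree.ElementTree as ET

# Constructed .policy: both actions are granted to active sessions without
# authentication, the "allow_active = yes" case the mail starts from.
POLICY_XML = """<policyconfig>
  <action id="org.example.install-trusted"><defaults>
    <allow_any>no</allow_any><allow_inactive>no</allow_inactive><allow_active>yes</allow_active>
  </defaults></action>
  <action id="org.example.set-clock"><defaults>
    <allow_any>no</allow_any><allow_inactive>no</allow_inactive><allow_active>yes</allow_active>
  </defaults></action>
</policyconfig>"""

# Constructed .pkla in the shape I assume pklalockdown writes: every identity
# now needs admin authentication for this one action, in every session state.
LOCKDOWN_PKLA = """[Lockdown - org.example.install-trusted]
Identity=unix-user:*
Action=org.example.install-trusted
ResultAny=auth_admin_keep
ResultInactive=auth_admin_keep
ResultActive=auth_admin_keep
"""

def implicit_results(policy_xml):
    """action id -> {'any'|'inactive'|'active': implicit result} from the .policy file."""
    out = {}
    for act in ET.fromstring(policy_xml).iter("action"):
        d = act.find("defaults")
        out[act.get("id")] = {s: d.findtext("allow_" + s, "no") for s in ("any", "inactive", "active")}
    return out

def identity_matches(identity, user, groups):
    kind, _, name = identity.partition(":")
    if kind == "unix-user":
        return name in ("*", user)
    return kind == "unix-group" and (name == "*" or name in groups)

def check(action, session, user, groups, policy_xml, pkla_texts=()):
    """Effective result: the .policy default, overridden by each matching .pkla entry in turn."""
    result = implicit_results(policy_xml)[action][session]
    for text in pkla_texts:  # assumed: later files / sections win over earlier ones
        cp = configparser.ConfigParser()
        cp.read_string(text)
        for sec in cp.sections():
            e = cp[sec]
            if e["Action"] == action and any(
                    identity_matches(i, user, groups) for i in e["Identity"].split(";")):
                result = e["Result" + session.capitalize()]
    return result
```

With no .pkla in place Bob (desktop_user_r) gets "yes" for the install action; once the lock-down entry is present the same call returns "auth_admin_keep", while the unrelated set-clock action is untouched.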