Could someone help me with writing polkit rule?

2013-10-25 Thread Peter Lemenkov
Hello All!

I'm trying to write a polkit rule which allows every member of a
particular group (ejabberd) to run a specific script
(/sbin/ejabberdctl or /usr/sbin/ejabberdctl). Other users should
not even be able to run it. This sounds simple, so I quickly wrote
this:

http://peter.fedorapeople.org/stuff/ejabberdctl.polkit.rules

I installed it to %{_datadir}/polkit-1/rules.d/51-ejabberdctl.rules,
and added /usr/bin/ejabberdctl which contains just the following:

===
#!/bin/sh
/usr/bin/pkexec /usr/sbin/ejabberdctl "$@"
===

So when a user types ejabberdctl, it actually runs /usr/sbin/ejabberdctl
under polkit supervision. Unfortunately, people started reporting
issues with other apps:

* https://bugzilla.redhat.com/show_bug.cgi?id=1009408

I can't find what's wrong with the rule above, so I'm calling on you for
help. Could someone please help me fix this mess?
-- 
With best regards, Peter Lemenkov.
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Could someone help me with writing polkit rule?

2013-10-25 Thread tim.laurid...@gmail.com
It is some time ago I was fighting with polkit, but as far as I remember
you have to make a .policy file to get pkexec to work right.

Like this one I use in yumex.
https://github.com/timlau/yumex/blob/master/misc/dk.yumex.backend.policy.in

It should be installed in /usr/share/polkit-1/actions/

Then you can make a rule to bypass the polkit password prompt

Tim

PS.

You can use *cat /var/log/secure | grep polkit* to look for errors



Re: Could someone help me with writing polkit rule?

2013-10-25 Thread Peter Lemenkov
2013/10/25 tim.laurid...@gmail.com tim.laurid...@gmail.com:
> It is some time ago I was fighting with polkit, but as far as I remember
> you have to make a .policy file to get pkexec to work right.
>
> Like this one I use in yumex.
> https://github.com/timlau/yumex/blob/master/misc/dk.yumex.backend.policy.in
>
> It should be installed in /usr/share/polkit-1/actions/
>
> Then you can make a rule to bypass the polkit password prompt

Do I need both - /usr/share/polkit-1/actions/*.policy and
/usr/share/polkit-1/rules.d/*.rules?



-- 
With best regards, Peter Lemenkov.

Re: Could someone help me with writing polkit rule?

2013-10-25 Thread Ahmad Samir
On 25 October 2013 11:22, Peter Lemenkov lemen...@gmail.com wrote:
> Hello All!
>
> I'm trying to write a polkit rule which allows every member of a
> particular group (ejabberd) to run a specific script
> (/sbin/ejabberdctl or /usr/sbin/ejabberdctl). Other users should
> not even be able to run it. This sounds simple, so I quickly wrote
> this:
>
> http://peter.fedorapeople.org/stuff/ejabberdctl.polkit.rules


I am not an expert on JavaScript or polkit, but IINM the second if
rule has wrong syntax; it should be:

    if (subject.isInGroup("ejabberd")) {
        return polkit.Result.YES;
    }

Also, it doesn't need an else bit.


I think you can merge the second if with the first one:

    polkit.addRule(function(action, subject) {
        var CommandLine = action.lookup("command_line").split(" ");
        if (action.id == "org.freedesktop.policykit.exec" &&
            (CommandLine[0] == "/sbin/ejabberdctl" ||
             CommandLine[0] == "/usr/sbin/ejabberdctl") &&
            subject.isInGroup("ejabberd")) {
            return polkit.Result.YES;
        }
    });


(I could be very wrong though).



-- 
Ahmad Samir
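
An added example, not code from the thread or from the ejabberd package: a rule for the same two paths that checks action.id before it reads command_line, so actions requested by other applications leave the rule untouched, and that refuses non-members as the original post asks. The `polkit` object, `makeAction`, `makeSubject` and `evaluate` are constructed stand-ins so the rule runs under Node; that `lookup()` returns undefined for a missing variable is an assumption.

```javascript
// Constructed stand-ins for what polkitd hands a rule, so it runs under Node.
const polkit = {
  Result: { YES: "yes", NO: "no", NOT_HANDLED: "not_handled" },
  rules: [],
  addRule(fn) { this.rules.push(fn); },
};
// Assumption: lookup() returns undefined for a variable the action lacks.
const makeAction = (id, details = {}) => ({ id, lookup: (k) => details[k] });
const makeSubject = (groups) => ({ isInGroup: (g) => groups.includes(g) });

const EJABBERDCTL = ["/sbin/ejabberdctl", "/usr/sbin/ejabberdctl"];

polkit.addRule(function (action, subject) {
  // Gate on the action id first, so requests from other applications
  // leave this rule before anything pkexec-specific is touched.
  if (action.id !== "org.freedesktop.policykit.exec") {
    return polkit.Result.NOT_HANDLED;
  }
  // command_line is a variable pkexec attaches; never assume it is there.
  const commandLine = action.lookup("command_line");
  if (typeof commandLine !== "string") {
    return polkit.Result.NOT_HANDLED;
  }
  // Only the two ejabberdctl paths are this rule's business.
  if (!EJABBERDCTL.includes(commandLine.split(" ")[0])) {
    return polkit.Result.NOT_HANDLED;
  }
  // Group members are allowed, everyone else is refused (the stated goal).
  return subject.isInGroup("ejabberd") ? polkit.Result.YES : polkit.Result.NO;
});

// Hypothetical driver: the first rule that returns a decision wins.
function evaluate(action, subject) {
  for (const rule of polkit.rules) {
    const result = rule(action, subject);
    if (result && result !== polkit.Result.NOT_HANDLED) return result;
  }
  return polkit.Result.NOT_HANDLED;
}
```

In a real .rules file only the `polkit.addRule(...)` call is installed; the stand-ins exist solely to exercise it outside polkitd.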

Re: Could someone help me with writing polkit rule?

2013-10-25 Thread Tim Lauridsen
Yes, I think so
The policy is to config pkexec to run something as root
The rule is to make the group get permission without having to enter a
root/admin password

Tim

