Could someone help me with writing polkit rule?
Hello All!

I'm trying to write a polkit rule which allows every member of a particular group (ejabberd) to run a specific script (/sbin/ejabberdctl or /usr/sbin/ejabberdctl). Other users should not even be able to run it. This sounds simple, so I quickly wrote this:

http://peter.fedorapeople.org/stuff/ejabberdctl.polkit.rules

I installed it to %{_datadir}/polkit-1/rules.d/51-ejabberdctl.rules, and added /usr/bin/ejabberdctl which contains just the following:

===
#!/bin/sh
/usr/bin/pkexec /usr/sbin/ejabberdctl "$@"
===

So when a user types ejabberdctl it actually runs /usr/sbin/ejabberdctl under polkit supervision.

Unfortunately people started reporting issues with other apps:

* https://bugzilla.redhat.com/show_bug.cgi?id=1009408

I can't find what's wrong with the rule above so I'm calling on you for help. Could someone please help me fix this mess?

--
With best regards, Peter Lemenkov.
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Re: Could someone help me with writing polkit rule?
It is some time ago I was fighting with polkit, but as far as I remember you have to make a .policy file to get pkexec to work right.

Like this one I use in yumex.

https://github.com/timlau/yumex/blob/master/misc/dk.yumex.backend.policy.in

It should be installed in /usr/share/polkit-1/actions/

Then you can make a rule to bypass the polkit password prompt.

Tim

PS. You can use

    cat /var/log/secure | grep polkit

to look for errors

On Fri, Oct 25, 2013 at 11:22 AM, Peter Lemenkov lemen...@gmail.com wrote:
> Hello All!
>
> I'm trying to write a polkit rule which allows every member of a particular group (ejabberd) to run a specific script (/sbin/ejabberdctl or /usr/sbin/ejabberdctl). Other users should not even be able to run it. This sounds simple, so I quickly wrote this:
>
> http://peter.fedorapeople.org/stuff/ejabberdctl.polkit.rules
>
> I installed it to %{_datadir}/polkit-1/rules.d/51-ejabberdctl.rules, and added /usr/bin/ejabberdctl which contains just the following:
>
> ===
> #!/bin/sh
> /usr/bin/pkexec /usr/sbin/ejabberdctl "$@"
> ===
>
> So when a user types ejabberdctl it actually runs /usr/sbin/ejabberdctl under polkit supervision.
>
> Unfortunately people started reporting issues with other apps:
>
> * https://bugzilla.redhat.com/show_bug.cgi?id=1009408
>
> I can't find what's wrong with the rule above so I'm calling on you for help. Could someone please help me fix this mess?
>
> --
> With best regards, Peter Lemenkov.
Re: Could someone help me with writing polkit rule?
2013/10/25 tim.laurid...@gmail.com tim.laurid...@gmail.com:
> It is some time ago I was fighting with polkit, but as far as I remember you have to make a .policy file to get pkexec to work right.
>
> Like this one I use in yumex.
>
> https://github.com/timlau/yumex/blob/master/misc/dk.yumex.backend.policy.in
>
> It should be installed in /usr/share/polkit-1/actions/
>
> Then you can make a rule to bypass the polkit password prompt.

Do I need both - /usr/share/polkit-1/actions/*.policy and /usr/share/polkit-1/rules.d/*.rules ?

--
With best regards, Peter Lemenkov.
Re: Could someone help me with writing polkit rule?
On 25 October 2013 11:22, Peter Lemenkov lemen...@gmail.com wrote:
> Hello All!
>
> I'm trying to write a polkit rule which allows every member of a particular group (ejabberd) to run a specific script (/sbin/ejabberdctl or /usr/sbin/ejabberdctl). Other users should not even be able to run it. This sounds simple, so I quickly wrote this:
>
> http://peter.fedorapeople.org/stuff/ejabberdctl.polkit.rules

I am not an expert on javascript or polkit, but IINM the second if rule has wrong syntax, it should be:

    if( subject.isInGroup("ejabberd") ) {
        return polkit.Result.YES;
    }

also, it doesn't need an else bit.

I think you can merge the second if with the first one:

    polkit.addRule(function(action, subject) {
        var CommandLine = action.lookup("command_line").split(" ");
        if ( action.id == "org.freedesktop.policykit.exec" &&
             (CommandLine[0] == "/sbin/ejabberdctl" ||
              CommandLine[0] == "/usr/sbin/ejabberdctl") &&
             subject.isInGroup("ejabberd") ) {
            return polkit.Result.YES;
        }
    });

(I could be very wrong though).

> I installed it to %{_datadir}/polkit-1/rules.d/51-ejabberdctl.rules, and added /usr/bin/ejabberdctl which contains just the following:
>
> ===
> #!/bin/sh
> /usr/bin/pkexec /usr/sbin/ejabberdctl "$@"
> ===
>
> So when a user types ejabberdctl it actually runs /usr/sbin/ejabberdctl under polkit supervision.
>
> Unfortunately people started reporting issues with other apps:
>
> * https://bugzilla.redhat.com/show_bug.cgi?id=1009408
>
> I can't find what's wrong with the rule above so I'm calling on you for help. Could someone please help me fix this mess?
>
> --
> With best regards, Peter Lemenkov.

--
Ahmad Samir
Re: Could someone help me with writing polkit rule?
Yes, I think so

The policy is to config pkexec to run something as root
The rule is to make the group get permission without having to enter a root/admin password

Tim

On Fri, Oct 25, 2013 at 2:08 PM, Peter Lemenkov lemen...@gmail.com wrote:
> 2013/10/25 tim.laurid...@gmail.com tim.laurid...@gmail.com:
>> It is some time ago I was fighting with polkit, but as far as I remember you have to make a .policy file to get pkexec to work right.
>>
>> Like this one I use in yumex.
>>
>> https://github.com/timlau/yumex/blob/master/misc/dk.yumex.backend.policy.in
>>
>> It should be installed in /usr/share/polkit-1/actions/
>>
>> Then you can make a rule to bypass the polkit password prompt.
>
> Do I need both - /usr/share/polkit-1/actions/*.policy and /usr/share/polkit-1/rules.d/*.rules ?
>
> --
> With best regards, Peter Lemenkov.
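
Added example, not part of the thread and not the rule file linked above: a rule of the kind discussed, written so that it decides only pkexec requests for the two ejabberdctl paths and leaves every other action undecided, exercised under Node against a constructed stand-in for polkit's rule environment. The `polkit` mock, `mockAction`, `mockSubject`, `evaluate`, the `org.example.other-action` id and the choice to match on pkexec's `program` variable rather than splitting `command_line` are assumptions of this sketch.

```javascript
// Constructed stand-in for polkitd's rule environment (not the real runtime).
const polkit = {
  Result: { YES: "yes", NO: "no" },
  rules: [],
  addRule(fn) { this.rules.push(fn); },
};

// Hypothetical helpers that build mock action and subject objects.
// Mock assumption: lookup() yields undefined when the variable is absent.
function mockAction(id, details = {}) {
  return { id, lookup: (key) => details[key] };
}
function mockSubject(user, groups) {
  return { user, isInGroup: (g) => groups.includes(g) };
}

const EXEC = "org.freedesktop.policykit.exec";
const ALLOWED = ["/sbin/ejabberdctl", "/usr/sbin/ejabberdctl"];

polkit.addRule(function (action, subject) {
  // Check the action id first: only pkexec requests carry a program to run.
  if (action.id !== EXEC) return undefined;
  const program = action.lookup("program");
  // Any other program run through pkexec is not this rule's business.
  if (typeof program !== "string" || !ALLOWED.includes(program)) return undefined;
  // Members of the group are authorized; everyone else is refused.
  return subject.isInGroup("ejabberd") ? polkit.Result.YES : polkit.Result.NO;
});

// First rule that returns a value wins; null means "no rule decided",
// which leaves the decision to the defaults in the action's .policy file.
function evaluate(action, subject) {
  for (const rule of polkit.rules) {
    const result = rule(action, subject);
    if (result !== undefined && result !== null) return result;
  }
  return null;
}

const member = mockSubject("alice", ["ejabberd"]);
const outsider = mockSubject("bob", ["users"]);
console.log(evaluate(mockAction(EXEC, { program: "/usr/sbin/ejabberdctl" }), member));
console.log(evaluate(mockAction(EXEC, { program: "/usr/sbin/ejabberdctl" }), outsider));
console.log(evaluate(mockAction("org.example.other-action"), member));
```
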