Bug 57284

Summary: Use auth_admin* instead of auth_self* in examples
Product: PolicyKit Reporter: Miloslav Trmac <mitr>
Component: libpolkitAssignee: David Zeuthen (not reading bugmail) <zeuthen>
Status: RESOLVED FIXED QA Contact: David Zeuthen (not reading bugmail) <zeuthen>
Severity: normal    
Priority: medium    
Version: unspecified   
Hardware: Other   
OS: All   
Whiteboard:
i915 platform: i915 features:
Attachments: Use auth_admin* instead of auth_self* in examples.
0001-More-warnings-about-using-auth_self.patch

Description Miloslav Trmac 2012-11-19 17:12:44 UTC 
https://bugzilla.redhat.com/show_bug.cgi?id=878112
Comment 1 Miloslav Trmac 2013-02-14 14:02:30 UTC 
Created attachment 74817 [details] [review]
Use auth_admin* instead of auth_self* in examples.

From time to time, application developers just copy example configuration without examining it in details.  Because polkit is typically used to control access to system-level operations, the policy (and therefore the examples) should limit access to system administrators only.

In particular, examples should show auth_admin* instead of auth_self*.

Past instances of problems caused by incorrectly using auth_self*:
https://bugzilla.redhat.com/show_bug.cgi?id=878115
https://bugzilla.redhat.com/show_bug.cgi?id=878102
http://git.fedorahosted.org/cgit/system-config-users.git/commit/?id=8abd89064889723e9e6f33fdeea8e02e935500c9
and at least one other.
Comment 2 Colin Walters 2013-04-12 16:53:16 UTC 
Comment on attachment 74817 [details] [review]
Use auth_admin* instead of auth_self* in examples.

Review of attachment 74817 [details] [review]:
-----------------------------------------------------------------

If it's that much of a trap, maybe the overview.xml should attempt to warn about this inline; something like:

Note that for <type>GtkLockButton</type> to work well, the
polkit action backing it should use <literal>auth_admin_keep</literal> (or
more rarely <literal>auth_self_keep</literal> for services which don't
affect other users).

Or maybe even better add a ulink to polkit.8 man page and explain a bit more in depth
why this is a bad idea there?

This doesn't block this patch going in, just suggestions for improvements.
Comment 3 Miloslav Trmac 2013-04-18 19:16:08 UTC 
Created attachment 78193 [details] [review]
0001-More-warnings-about-using-auth_self.patch

(In reply to comment #2)
> If it's that much of a trap, maybe the overview.xml should attempt to warn
> about this inline; something like:
> 
> Note that for <type>GtkLockButton</type> to work well, the
> polkit action backing it should use <literal>auth_admin_keep</literal> (or
> more rarely <literal>auth_self_keep</literal> for services which don't
> affect other users).
> 
> Or maybe even better add a ulink to polkit.8 man page and explain a bit more
> in depth
> why this is a bad idea there?

Thanks for the suggestions, the attached patch incorporates them (and adds even more warnings to the "writing polkit applications" section).
Comment 4 Colin Walters 2013-05-06 17:45:27 UTC 
Comment on attachment 78193 [details] [review]
0001-More-warnings-about-using-auth_self.patch

Review of attachment 78193 [details] [review]:
-----------------------------------------------------------------

Looks good to me.
Comment 5 Miloslav Trmac 2013-05-06 17:53:12 UTC 
Thanks, applied.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.