Bugzilla – Bug 25367
Also read local authority configuration data from /etc
Last modified: 2010-01-10 07:11:45 UTC
Created attachment 31607 [details] [review]
patch against git tree (as of nov 13)
As discussed on the mailing list: http://lists.freedesktop.org/archives/polkit-devel/2009-November/000258.html
Patch adds support for reading from /etc/security/polkit-1/localauthority/* (while leaving /var/lib/polkit-1/localauthority for compatibility).
Note there's also a corresponding patch for the Fedora specfile at https://bugzilla.redhat.com/attachment.cgi?id=373474 .
(In reply to comment #0)
> Created an attachment (id=31607) [details]
> patch against git tree (as of nov 13)
> As discussed on the mailing list:
> Patch adds support for reading from /etc/security/polkit-1/localauthority/*
The pklocalauthority man page needs patching to mention both locations and how to choose which one to use
- use /etc for files that are local to the machine
(typically not under package manager control)
- use /var for files that are not local to the machine
(typically under package manager control)
(One possibly nice (or, maybe, rather disgusting) thing here is that people can mount e.g. NFS on top of /var/lib/polkit-1/localauthority and still retain some degree of per-host configuration.)
Also, the man page needs to be clear about the order of processing (in section "EVALUATION ORDER") - e.g. _all_ files in a directory in /var are consulted before all files in a directory in /etc no matter what the lexicographical ordering is.
(Yes, one curse of documentation is that you need to update it when
> (while leaving /var/lib/polkit-1/localauthority for compatibility).
It's not for compatibility - see above.
> @@ -507,8 +512,8 @@
> static gchar *
> lockdown_get_filename (const gchar *action_id)
> - return g_strdup_printf (PACKAGE_LOCALSTATE_DIR
> - "/lib/polkit-1/localauthority/90-mandatory.d/"
> + return g_strdup_printf (PACKAGE_SYSCONF_DIR
> + "/security/polkit-1/localauthority/90-mandatory.d/"
I think this should use /var - this is really "application data", not "configuration data". And users shouldn't mess with these files at all - putting them in /etc would be slightly confusing.
Actually, we probably want a 95-lockdown.d directory and have the docs describe that a) this directory is a private implementation detail; b) that it only exists in /var, not in /etc; and c) that the implementation of LockDown in the local authority use it.
Fixed with this commit
Since we already use /etc/polkit-1, I decided to just use /etc/polkit-1/localauthority instead of /etc/security/polkit-1/localauthority.