Bug 25367 - Also read local authority configuration data from /etc
Also read local authority configuration data from /etc
Status: RESOLVED FIXED
Product: PolicyKit
Classification: Unclassified
Component: libpolkit
unspecified
Other All
: medium normal
Assigned To: David Zeuthen (not reading bugmail)
David Zeuthen (not reading bugmail)
: patch
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2009-11-30 10:54 UTC by Matthew Miller
Modified: 2010-01-10 07:11 UTC (History)
2 users (show)

See Also:


Attachments
patch against git tree (as of nov 13) (3.30 KB, patch)
2009-11-30 10:54 UTC, Matthew Miller
Details | Splinter Review

Note You need to log in before you can comment on or make changes to this bug.
Description Matthew Miller 2009-11-30 10:54:37 UTC
Created attachment 31607 [details] [review]
patch against git tree (as of nov 13)

As discussed on the mailing list: http://lists.freedesktop.org/archives/polkit-devel/2009-November/000258.html

Patch adds support for reading from /etc/security/polkit-1/localauthority/* (while leaving /var/lib/polkit-1/localauthority for compatibility).
Comment 1 Matthew Miller 2009-11-30 10:55:21 UTC
Note there's also a corresponding patch for the Fedora specfile at https://bugzilla.redhat.com/attachment.cgi?id=373474 .
Comment 2 David Zeuthen (not reading bugmail) 2009-11-30 11:35:11 UTC
(In reply to comment #0)
> Created an attachment (id=31607) [details]
> patch against git tree (as of nov 13)
> 
> As discussed on the mailing list:
> http://lists.freedesktop.org/archives/polkit-devel/2009-November/000258.html
> 
> Patch adds support for reading from /etc/security/polkit-1/localauthority/*

The pklocalauthority man page needs patching to mention both locations and how to choose which one to use

 - use /etc for files that are local to the machine
   (typically not under package manager control)

 - use /var for files that are not local to the machine
   (typically under package manager control)

(One possibly nice (or, maybe, rather disgusting) thing here is that people can mount e.g. NFS on top of /var/lib/polkit-1/localauthority and still retain some degree of per-host configuration.)

Also, the man page needs to be clear about the order of processing (in section "EVALUATION ORDER") - e.g. _all_ files in a directory in /var are consulted before all files in a directory in /etc no matter what the lexicographical ordering is.

(Yes, one curse of documentation is that you need to update it when 

> (while leaving /var/lib/polkit-1/localauthority for compatibility).

It's not for compatibility - see above.

> @@ -507,8 +512,8 @@
>  static gchar *
>  lockdown_get_filename (const gchar *action_id)
>  {
> -  return g_strdup_printf (PACKAGE_LOCALSTATE_DIR
> -                          "/lib/polkit-1/localauthority/90-mandatory.d/"
> +  return g_strdup_printf (PACKAGE_SYSCONF_DIR
> +                          "/security/polkit-1/localauthority/90-mandatory.d/"

I think this should use /var - this is really "application data", not "configuration data". And users shouldn't mess with these files at all - putting them in /etc would be slightly confusing.

Actually, we probably want a 95-lockdown.d directory and have the docs describe that a) this directory is a private implementation detail; b) that it only exists in /var, not in /etc; and c) that the implementation of LockDown in the local authority use it.
Comment 3 David Zeuthen (not reading bugmail) 2009-12-10 11:52:35 UTC
Fixed with this commit

http://cgit.freedesktop.org/PolicyKit/commit/?id=8e0b9b47d1fc1a4ab6020770e4b3084ddd45b71d

Since we already use /etc/polkit-1, I decided to just use /etc/polkit-1/localauthority instead of /etc/security/polkit-1/localauthority.