On Mon March 12 2012 15:43:52 Martin Vidner wrote:

> On Wed, Feb 22, 2012 at 03:45:18PM +0100, Ladislav Slezak wrote:

> > On 22.2.2012 15:25, Lukas Ocilka wrote:

> > > ACLs

> > > ----

> > > * Bind to path

> > > * Roles defined as in WebYast

> >

> > BTW, today I came across an interesting polkit feature:

> >

> > org.freedesktop.policykit.imply annotation:

> > "The org.freedesktop.policykit.imply annotation (its value is a string

> > containing a space separated list of action identifiers) can be used to define meta

> > actions. The way it works is that if a subject is authorized for an

> > action with this annotation, then it is also authorized for any action

> > specified by the annotation. A typical use of this annotation is when

> > defining an UI shell with a single lock button that should unlock

> > multiple actions from distinct mechanisms."

> > (See "man polkit")

> >

> > Using this annotation we could easily define high-level roles from

> > low-level actions and it would be transparent for polkit and work with

> > all polkit tools and services (pkaction, pkcheck, DBus service, etc...)

I think that makes a lot of sense. On the one hand policy checks should be very low level for security reasons. On the other hand it's easier to administrate high level roles. The mentioned technologies fit both.


> >

> > The drawback is that it could not be used in WebYaST on SLES (due to the

> > old PolicyKit), we would need a workaround there... :-(

Can we make the next SLES (SLE12) contain the new PolicyKit version? Wouldn't it be good enough if future versions of WebYaST used yast++ with these PolicyKit roles as backend?

> Ah, interesting.

>

> Now, to continue the general discussion, some summary is in this

> file (to which I have added now):

> https://github.com/yast/yast--/blob/master/doc/comparing-policies.txt

>

> To compare with other designs, see the list of polkit actions on your

> system: run "pkaction".




--

Thomas Goettlicher

SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer,

HRB 16746 (AG Nürnberg)

Maxfeldstraße 5

90409 Nürnberg

Germany
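
The role idea discussed in this thread, as an added example that is not part of the original messages or of YaST's code: a constructed polkit policy in which one meta action uses the org.freedesktop.policykit.imply annotation to bundle low-level actions, plus a small audit that lists what each role grants and flags implied ids the file does not declare. All org.example.yast.* action ids and the function names are hypothetical, and the audit reads only the direct list in the annotation.

```python
import xml.etree.ElementTree as ET

IMPLY_KEY = "org.freedesktop.policykit.imply"

# Constructed sample policy; every action id below is hypothetical.
POLICY_XML = """
<policyconfig>
  <action id="org.example.yast.network.read">
    <defaults><allow_active>yes</allow_active></defaults>
  </action>
  <action id="org.example.yast.network.write">
    <defaults><allow_active>auth_admin</allow_active></defaults>
  </action>
  <action id="org.example.yast.role.network-admin">
    <defaults><allow_active>auth_admin_keep</allow_active></defaults>
    <annotate key="org.freedesktop.policykit.imply">org.example.yast.network.read org.example.yast.network.write org.example.yast.firewall.write</annotate>
  </action>
</policyconfig>
"""

def audit_roles(policy_xml):
    """Map each meta action to the actions it implies, flagging unknown ids."""
    root = ET.fromstring(policy_xml)
    defined = {a.get("id") for a in root.iter("action")}
    report = {}
    for action in root.iter("action"):
        for note in action.findall("annotate"):
            if note.get("key") != IMPLY_KEY:
                continue
            implied = (note.text or "").split()  # space separated list of ids
            report[action.get("id")] = {
                "grants": [i for i in implied if i in defined],
                # Not declared in this file: a typo, or an action that
                # belongs to another mechanism's policy file.
                "unresolved": [i for i in implied if i not in defined],
            }
    return report

def roles_granting(policy_xml, action_id):
    """Reverse lookup: which meta actions list the given low-level action."""
    return sorted(role for role, r in audit_roles(policy_xml).items()
                  if action_id in r["grants"] + r["unresolved"])

if __name__ == "__main__":
    for role, result in audit_roles(POLICY_XML).items():
        print(role, "->", result)
```

The reverse lookup is the review question for a role-based setup: before granting a role, check which low-level actions it unlocks and which other roles already reach the same action.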