Mailinglist Archive: yast-devel (25 mails)

Re: [yast-devel] YaST++ policies/ACLs
On Mon March 12 2012 15:43:52 Martin Vidner wrote:
On Wed, Feb 22, 2012 at 03:45:18PM +0100, Ladislav Slezak wrote:
On 22.2.2012 15:25, Lukas Ocilka wrote:
* Bind to path
* Roles defined as in WebYast

BTW, today I came across an interesting polkit feature:

org.freedesktop.policykit.imply annotation:
"The org.freedesktop.policykit.imply annotation (its value is a string
containing a space separated list of action identifiers) can be used to define meta
actions. The way it works is that if a subject is authorized for an
action with this annotation, then it is also authorized for any action
specified by the annotation. A typical use of this annotation is when
defining an UI shell with a single lock button that should unlock
multiple actions from distinct mechanisms."
(See "man polkit")

Using this annotation we could easily define high-level roles from
low-level actions and it would be transparent for polkit and work with
all polkit tools and services (pkaction, pkcheck, DBus service, etc...)

I think that makes a lot of sense. On the one hand policy checks should be
very low level for security reasons. On the other hand it's easier to
administrate high level roles. The mentioned technologies fit both.

The drawback is that it could not be used in WebYaST on SLES (due to the
old PolicyKit), we would need a workaround there... :-(

Can we make the next SLES (SLE12) contain the new PolicyKit version? Wouldn't
it be good enough if future versions of WebYaST used yast++ with these
PolicyKit roles as backend?

Ah, interesting.

Now, to continue the general discussion, some summary is in this
file (to which I have added now):

To compare with other designs, see the list of polkit actions on your
system: run "pkaction".

Thomas Goettlicher
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer,
HRB 16746 (AG Nürnberg)
Maxfeldstraße 5
90409 Nürnberg
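
The imply annotation discussed in this thread, as an added example that is not part of the original mails or of YaST or polkit code: an audit of a polkit .policy file that reports where a meta action (a "role") implies an action whose own defaults are stricter, or one that is missing from the loaded file. The org.example.* action ids, the sample policy and the strictness ordering are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

IMPLY_KEY = "org.freedesktop.policykit.imply"
DEFAULT_KEYS = ("allow_any", "allow_inactive", "allow_active")
# Ordering used by this example only, most restrictive first.
STRICTNESS = ["no", "auth_admin", "auth_admin_keep", "auth_self", "auth_self_keep", "yes"]

# Constructed sample policy; every org.example.* action id is hypothetical.
SAMPLE_POLICY = """<policyconfig>
 <action id="org.example.role.network-admin">
  <defaults><allow_any>no</allow_any><allow_inactive>no</allow_inactive>
   <allow_active>auth_self</allow_active></defaults>
  <annotate key="org.freedesktop.policykit.imply">org.example.net.read
   org.example.net.write org.example.net.firewall</annotate>
 </action>
 <action id="org.example.net.read">
  <defaults><allow_any>no</allow_any><allow_inactive>no</allow_inactive>
   <allow_active>yes</allow_active></defaults>
 </action>
 <action id="org.example.net.write">
  <defaults><allow_any>no</allow_any><allow_inactive>no</allow_inactive>
   <allow_active>auth_admin</allow_active></defaults>
 </action>
</policyconfig>"""

def load_actions(xml_text):
    """Map action id -> {"defaults": {...}, "implies": [ids]}."""
    actions = {}
    for node in ET.fromstring(xml_text).iter("action"):
        # A missing default is treated as "no" in this example.
        defaults = {k: (node.findtext(f"defaults/{k}") or "no").strip() for k in DEFAULT_KEYS}
        implies = [a for ann in node.findall("annotate")
                   if ann.get("key") == IMPLY_KEY for a in (ann.text or "").split()]
        actions[node.get("id")] = {"defaults": defaults, "implies": implies}
    return actions

def audit_meta_actions(actions):
    """Return (meta_action, implied_action, issue) for each risky implication."""
    findings = []
    for meta, info in actions.items():
        for target in info["implies"]:
            if target not in actions:
                findings.append((meta, target, "not defined in the loaded policy"))
                continue
            for key in DEFAULT_KEYS:
                m, t = info["defaults"][key], actions[target]["defaults"][key]
                if STRICTNESS.index(m) > STRICTNESS.index(t):
                    findings.append((meta, target, f"{key}: {m} is weaker than {t}"))
    return findings
```

An implied action reported as not defined may simply live in another mechanism's policy file; load that file as well before treating it as a dangling reference.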