On Thu, 2007-11-01 at 11:22 -0800, Jeff Spaleta wrote:
On 11/1/07, David Zeuthen <david(a)fubar.dk> wrote:
> but the UI is likely to change.
> Hope this helps.
Is per device policy granting in the works? So that certain disks are
mountable but others aren't on a user by user basis?
See the last two paragraphs of
Basically the way it works right now is that Mechanisms split actions
depending on type. Specifically for hal there's a "fixed" and
"removable" split. For NM there will be "can-dial-to-trusted-number"
"can-dial-to-untrusted-number"; then the act of making something a
trusted number is some other privileged operation (e.g. trusted numbers
are the ones listed in a file in /etc, whatever, I don't know).
FWIW, we might add functionality later (the API is extensible) such that
PolicyKit can answer questions like
"Is $PROCESS authorized to do $ACTION on $OBJECT on behalf of the user"
(now it's "Is $PROCESS authorized to do $ACTION on behalf of the user")
but right now this isn't there - mainly because there's a ton of
problems in how to sanely describe an object
(/dev/sda? /dev/disk/by-label ? phonenumber? etc.) and also how to build
sane UI around this. Hope this helps.
-jef"Idle thought: How well does policy granting work with
Someone just needs to do it. It's more interesting, however, to consider
PolicyKit together with http://freeipa.org/page/Main_Page
. As a matter
of fact, I'm already working with the FreeIPA guys on this.