Matthias Clasen schrieb:
On Sun, 2007-12-09 at 19:45 +0100, shrek-m(a)gmx.de wrote:
> i was playing with
> $ polkit-gnome-authorization
>
> i added one user and blocked an other,
> now none can edit the "org.pulseaudio high-priority-scheduling"
> because it crashes.
>
That is simply a bug. I gave David a fix for it; I hope he manages to
push out a fixed build soon. In the meantime, you can use
polkit-auth --revoke
to remove the explicit grants that are causing the problem.
ok, i will wait and see ...
> root (local X) can not edit the policies
> a tool for sysadmins but root can not use it ?
>
What is the problem with using it as root (apart from the aforementioned
bug) ?
the gui does not crash as root but absolutely no authorization was
displayed as root.
the gui (local gnome-terminal `su -`) for root:
all is "greyed out", root can change nothing (block, grant, revoke, modify)
the gui (`ssh -Y user@rawhide` ; `su -`) for root:
all is "greyed out", root can change nothing (block, grant, revoke, modify)
# polkit-auth --user admin --explicit (granted:pulseaudio)
displayed the authorization
"revoke" was possible
# polkit-auth --user test --explicit (blocked:pulseaudio)
nothing is displayed but the blocked:authorization must exist because
the warning does not pop up for "test" but for "admin"
i have to use
# polkit-auth --user test --explicit-details
ok, now i see the details
but "revoke" seems to be useless.
all in all: it seems to me that the gui and tui need some work.
> one more tool for a sysadmin to check and to manage ?
>
How much checking and managing you want to do depends on your personal
preferences. At least there is a tool, which is more than consolehelper
ever achieved...
i could not find the possibility to add groups.
# rm /usr/share/PolicyKit/policy/PulseAudio.policy
could be a possibility to remove the annoying pulseaudio warnings for
all users
before i have to give all users the root-password :)
can you import/export/clone policies over the network?
can PolicyKit manage users/groups/worksations in a lan? (central backend
on a server)
userA@wsA == userA@wsB != userA@wsC
> a user can not edit via ssh X11forwarding ?
Should work, what problem are you seeing ?
`ssh -Y user@rawhide` ; gnome-terminal :
the gui for unprivileged users "admin" or "test"
the user can _only_block_himself_ but nothing else, the rest is
"greyed out".
local-X-session, gnome-terminal :
the gui for unprivileged users "admin" or "test"
_all_is_ok_ and both can block, grant, modify
but the given authorizations are not displayed.
in the gnome-terminal i can see warnings eg. "already exist" but not if
it was sucessfully.
not really usefull :((
> no possibilty to disable it like selinux ?
>
What do you mean by that ? Blindly allowing every privileged operation
for everybody ? Or denying it for everybody ?
--
shrek-m