Proposal for Fedora - "GKSUDO"
David Zeuthen
david at fubar.dk
Thu Dec 6 23:01:35 UTC 2007
On Thu, 2007-12-06 at 13:57 -0900, Jeff Spaleta wrote:
> On Dec 6, 2007 1:38 PM, David Zeuthen <david at fubar.dk> wrote:
> > to grant the_wife the authorization to always run system-config-display.
>
> Not to imply that my wife doesn't deserve to have all of her action
> authorization grants to be manipulated by hand...but if I had to do
> this manually for ALL my wives that's a pretty time-consuming and
> unnecessarily repetitive.
>
> We'll we have access to a set of pre-defined roles that can be
> re-applied to multiple users to grant a number of common actions based
> on expected usage patterns?
Sure, that's supported already. An authorization comes with a .policy
file that defines the defaults
http://hal.freedesktop.org/docs/PolicyKit/polkit-conf.html#conf-declaring-actions
The key here to pay attention to is <allow_active>. If it's 'yes' then a
user in an active session on the local console is implicitly authorized.
No stupid authentication dialogs. You can tweak that with
http://people.freedesktop.org/~david/polkitg-auth-2.png
and polkit-action(1)
http://hal.freedesktop.org/docs/PolicyKit/polkit-action.1.html
e.g., you can specify whether for the given action
- Require an administrator to authenticate
- Require the user to authenticate
and you can specify whether the gained authorization can be kept
forever, for the session, for the life time of the process using it or
whether it can only be used a single time. The user can even opt out;
see the various auth dialogs here
http://hal.freedesktop.org/docs/PolicyKit-gnome/ref-auth-daemon.html
All this landed in Rawhide today so go get PolicyKit 0.7 and
PolicyKit-gnome 0.7 and play around with it (the GTK+ program is in
System->Preferences->System->Authorizations)
David
More information about the devel
mailing list