file system mount
David Zeuthen
david at fubar.dk
Thu Nov 1 19:55:40 UTC 2007
On Thu, 2007-11-01 at 11:22 -0800, Jeff Spaleta wrote:
> On 11/1/07, David Zeuthen <david at fubar.dk> wrote:
> > http://people.freedesktop.org/~david/polkit-gnome-authorizations.png
> >
> > but the UI is likely to change.
> >
> > Hope this helps.
>
> Is per device policy granting in the works? So that certain disks are
> mountable but others aren't on a user by user basis?
See the last two paragraphs of
http://hal.freedesktop.org/docs/PolicyKit/model-theory-of-operation.html
Basically the way it works right now is that Mechanisms split actions
depending on type. Specifically for hal there's a "fixed" and
"removable" split. For NM there will be "can-dial-to-trusted-number" and
"can-dial-to-untrusted-number"; then the act of making something a
trusted number is some other privileged operation (e.g. trusted numbers
are the ones listed in a file in /etc, whatever, I don't know).
FWIW, we might add functionality later (the API is extensible) such that
PolicyKit can answer questions like
"Is $PROCESS authorized to do $ACTION on $OBJECT on behalf of the user"
(now it's "Is $PROCESS authorized to do $ACTION on behalf of the user")
but right now this isn't there - mainly because there's a ton of
problems in how to sanely describe an object
(/dev/sda? /dev/disk/by-label ? phonenumber? etc.) and also how to build
sane UI around this. Hope this helps.
> -jef"Idle thought: How well does policy granting work with sabayon?"spaleta
Someone just needs to do it. It's more interesting, however, to consider
PolicyKit together with http://freeipa.org/page/Main_Page . As a matter
of fact, I'm already working with the FreeIPA guys on this.
David
More information about the devel
mailing list