PSA: don't make your polkit policies desktop centric
Stef Walter
stefw at redhat.com
Mon May 5 09:47:42 UTC 2014
Many of the polkit policy files services ship in Fedora have lines that
look like this:
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
The <allow_any>no</allow_any> prevents use of the service from remote
sessions such as ssh or Cockpit.
The poorly named <allow_any> tag controls the default policy for users
logged in from any non-monitor+keyboard session. That is, sessions that
don't come from a 'seat'.
So unless your service is changing seat specific hardware, you probably
want an <allow_any> tag that is similar or identical to <allow_active>.
For example:
    <allow_any>auth_admin</allow_any>
If you think this is confusing ... it's because it is.
Documentation here:
http://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html
Some bugs and patches filed here:
https://bugzilla.redhat.com/show_bug.cgi?id=1094121
Cheers,
Stef
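
Added example, not part of the original message or of polkit: a small audit script that lists the actions in a policy file whose defaults allow an active seat session but set <allow_any> to no, which is the pattern described above. The sample policy and its action ids are constructed, and treating a missing element as "no" is an assumption of this example.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample policy; the action ids are hypothetical.
SAMPLE = """<!DOCTYPE policyconfig PUBLIC
 "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<policyconfig>
  <action id="org.example.svc.configure">
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>
  <action id="org.example.svc.reload">
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>
  <action id="org.example.svc.eject">
    <defaults><allow_active>yes</allow_active></defaults>
  </action>
</policyconfig>"""


def desktop_centric_actions(policy_xml):
    """Return (action id, allow_any, allow_active) for every action that an
    active seat session may use but a remote session (ssh, Cockpit) may not."""
    findings = []
    for action in ET.fromstring(policy_xml).iter("action"):
        # Assumption of this example: a missing element is treated as "no".
        any_ = (action.findtext("defaults/allow_any") or "no").strip()
        active = (action.findtext("defaults/allow_active") or "no").strip()
        if any_ == "no" and active != "no":
            findings.append((action.get("id"), any_, active))
    return findings


if __name__ == "__main__":
    # Policy file paths come from the command line; with none, use the sample.
    texts = [open(p, encoding="utf-8").read() for p in sys.argv[1:]] or [SAMPLE]
    for text in texts:
        for action_id, any_, active in desktop_centric_actions(text):
            print(f"{action_id}: allow_any={any_} allow_active={active}")
```

Each finding is a candidate for review rather than a confirmed bug: an action that changes seat-specific hardware may keep <allow_any>no</allow_any> on purpose.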