PSA: don't make your polkit policies desktop centric
Hans de Goede
hdegoede at redhat.com
Mon May 5 11:58:18 UTC 2014
Hi,
On 05/05/2014 11:47 AM, Stef Walter wrote:
> Many of the polkit policy files services ship in Fedora have lines that
> look like this:
>
> <defaults>
> <allow_any>no</allow_any>
> <allow_inactive>no</allow_inactive>
> <allow_active>auth_admin_keep</allow_active>
> </defaults>
>
> The <allow_any>no</allow_any> prevents use of the service from remote
> sessions such as ssh or Cockpit.
>
> The poorly named <allow_any> tag controls the default policy for users
> logged in from any non-monitor+keyboard session. That is, sessions that
> don't come from a 'seat'.
>
> So unless your service is changing seat specific hardware, you probably
> want an <allow_any> tag that is similar or identical to <allow_active>.
Erm, IMHO it should be the same as <allow_inactive>, if something is
not allowed to be done from an inactive state (ie from a switched away session
with fast user switching) it certainly should also not be allowed to be
done over ssh.
Regards,
Hans
More information about the devel
mailing list