PSA: don't make your polkit policies desktop centric

Nikos Mavrogiannopoulos nmav at redhat.com
Mon May 5 12:44:53 UTC 2014


On Mon, 2014-05-05 at 14:21 +0200, Stef Walter wrote:

> >> The <allow_any>no</allow_any> prevents use of the service from remote
> >> sessions such as ssh or Cockpit.
> >>
> >> The poorly named <allow_any> tag controls the default policy for users
> >> logged in from any non-monitor+keyboard session. That is, sessions that
> >> don't come from a 'seat'.
> >>
> >> So unless your service is changing seat specific hardware, you probably
> >> want an <allow_any> tag that is similar or identical to <allow_active>.
> > 
> > Erm, IMHO it should be the same as <allow_inactive>: if something is
> > not allowed to be done from an inactive state (i.e. from a switched-away session
> > with fast user switching) it certainly should also not be allowed to be
> > done over ssh.
> 
> Technically you are correct. The best kind of correct.
> In reality it depends on the service. Some services may want to prevent
> use when inactive (i.e. locked screen) simply for UI reasons, not security.

This is not always the case though, as I have a package with a policy
in which I intentionally discriminate ssh from active sessions. Maybe it is
better to decide that on a per-package basis, and it may be better to file
bugs against the specific packages where you think it doesn't make sense to
have such discrimination. A longer-term solution may be to better
explain the situation in the polkit documentation (if it isn't already -
I didn't check).

Otherwise, with a blanket statement like the above we risk introducing
security bypasses where we shouldn't.

regards,
Nikos
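An added example, not part of this thread and not code from polkit or from any of the packages discussed: a small audit script that reads a polkit `.policy` file and flags actions whose `<allow_any>` (non-seat sessions such as ssh or Cockpit) is more permissive than `<allow_inactive>`, or whose `<allow_inactive>` is more permissive than `<allow_active>`. The sample policy embedded below is constructed for the example, the action ids `org.example.*` are invented, and the permissiveness ranking of the six implicit-authorization values is an assumption of this checker (polkit itself defines no such ordering). Missing tags are treated as `no`, which is polkit's default for an unspecified implicit authorization. Whether a flagged action is a real problem or a deliberate per-package decision, as in the message above, is still a reviewer's call; the script only makes the discrepancy visible.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample .policy file (not from any real package). The first
# action follows the thread's advice (allow_any no looser than allow_inactive);
# the second lets a non-seat session (ssh, Cockpit) act with no prompt while
# an inactive seat session must supply an admin password; the third omits
# allow_any, which polkit treats as "no".
SAMPLE_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<policyconfig>
  <action id="org.example.consistent">
    <description>Consistent policy</description>
    <message>Authentication is required</message>
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="org.example.remote-bypass">
    <description>Remote sessions get an easier path than inactive seats</description>
    <message>Authentication is required</message>
    <defaults>
      <allow_any>yes</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="org.example.missing-any">
    <description>allow_any omitted, so polkit defaults it to no</description>
    <message>Authentication is required</message>
    <defaults>
      <allow_inactive>auth_self</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
</policyconfig>
"""

# Ranking used by this checker, least to most permissive. This ordering is an
# assumption of the example: auth_admin asks for an administrator's password,
# auth_self for the caller's own, the *_keep variants cache the result for a
# short time, and yes requires no prompt at all.
PERMISSIVENESS = {
    "no": 0,
    "auth_admin": 1,
    "auth_admin_keep": 2,
    "auth_self": 3,
    "auth_self_keep": 4,
    "yes": 5,
}

IMPLICIT_TAGS = ("allow_any", "allow_inactive", "allow_active")

# Pairs (less trusted session class, more trusted session class): the first
# tag should never be more permissive than the second.
TRUST_ORDER = (("allow_any", "allow_inactive"), ("allow_inactive", "allow_active"))


def implicit_defaults(action):
    """Return {tag: value} for one <action>, filling missing tags with 'no'."""
    defaults = action.find("defaults")
    result = {}
    for tag in IMPLICIT_TAGS:
        element = defaults.find(tag) if defaults is not None else None
        value = (element.text or "").strip() if element is not None else ""
        result[tag] = value or "no"
    return result


def find_inconsistencies(policy_xml):
    """Return (action_id, looser_tag, looser_value, tighter_tag, tighter_value)
    for every action where a less trusted session class gets a more permissive
    implicit authorization than a more trusted one."""
    root = ET.fromstring(policy_xml.encode("utf-8"))
    findings = []
    for action in root.iter("action"):
        action_id = action.get("id", "<no id>")
        defaults = implicit_defaults(action)
        for tag, value in defaults.items():
            if value not in PERMISSIVENESS:
                raise ValueError(f"{action_id}: unknown {tag} value {value!r}")
        for less_trusted, more_trusted in TRUST_ORDER:
            if PERMISSIVENESS[defaults[less_trusted]] > PERMISSIVENESS[defaults[more_trusted]]:
                findings.append((action_id, less_trusted, defaults[less_trusted],
                                 more_trusted, defaults[more_trusted]))
    return findings


def main(argv):
    """Audit the .policy files named on the command line, or the built-in
    sample when none are given. Exit status 1 if anything was flagged."""
    if len(argv) < 2:
        findings = find_inconsistencies(SAMPLE_POLICY)
    else:
        findings = []
        for path in argv[1:]:
            with open(path, encoding="utf-8") as fh:
                findings.extend(find_inconsistencies(fh.read()))
    for action_id, looser, lv, tighter, tv in findings:
        print(f"{action_id}: {looser}={lv} is more permissive than {tighter}={tv}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 polkit_audit.py /usr/share/polkit-1/actions/*.policy` to list every action on a system where a non-seat session is granted more than an inactive seat session; on the built-in sample it reports only `org.example.remote-bypass`.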
