Bug 25367

Summary: Also read local authority configuration data from /etc
Product: PolicyKit Reporter: Matthew Miller <mattdm>
Component: libpolkitAssignee: David Zeuthen (not reading bugmail) <zeuthen>
Status: RESOLVED FIXED QA Contact: David Zeuthen (not reading bugmail) <zeuthen>
Severity: normal    
Priority: medium CC: amcnabb, Laurent.Rineau__fedora_fd.org
Version: unspecifiedKeywords: patch
Hardware: Other   
OS: All   
Whiteboard:
i915 platform: i915 features:
Attachments: patch against git tree (as of nov 13)

Description Matthew Miller 2009-11-30 10:54:37 UTC
Created attachment 31607 [details] [review]
patch against git tree (as of nov 13)

As discussed on the mailing list: http://lists.freedesktop.org/archives/polkit-devel/2009-November/000258.html

Patch adds support for reading from /etc/security/polkit-1/localauthority/* (while leaving /var/lib/polkit-1/localauthority for compatibility).
Comment 1 Matthew Miller 2009-11-30 10:55:21 UTC
Note there's also a corresponding patch for the Fedora specfile at https://bugzilla.redhat.com/attachment.cgi?id=373474 .
Comment 2 David Zeuthen (not reading bugmail) 2009-11-30 11:35:11 UTC
(In reply to comment #0)
> Created an attachment (id=31607) [details]
> patch against git tree (as of nov 13)
> 
> As discussed on the mailing list:
> http://lists.freedesktop.org/archives/polkit-devel/2009-November/000258.html
> 
> Patch adds support for reading from /etc/security/polkit-1/localauthority/*

The pklocalauthority man page needs patching to mention both locations and how to choose which one to use

 - use /etc for files that are local to the machine
   (typically not under package manager control)

 - use /var for files that are not local to the machine
   (typically under package manager control)

(One possibly nice (or, maybe, rather disgusting) thing here is that people can mount e.g. NFS on top of /var/lib/polkit-1/localauthority and still retain some degree of per-host configuration.)

Also, the man page needs to be clear about the order of processing (in section "EVALUATION ORDER") - e.g. _all_ files in a directory in /var are consulted before all files in a directory in /etc no matter what the lexicographical ordering is.

(Yes, one curse of documentation is that you need to update it when 

> (while leaving /var/lib/polkit-1/localauthority for compatibility).

It's not for compatibility - see above.

> @@ -507,8 +512,8 @@
>  static gchar *
>  lockdown_get_filename (const gchar *action_id)
>  {
> -  return g_strdup_printf (PACKAGE_LOCALSTATE_DIR
> -                          "/lib/polkit-1/localauthority/90-mandatory.d/"
> +  return g_strdup_printf (PACKAGE_SYSCONF_DIR
> +                          "/security/polkit-1/localauthority/90-mandatory.d/"

I think this should use /var - this is really "application data", not "configuration data". And users shouldn't mess with these files at all - putting them in /etc would be slightly confusing.

Actually, we probably want a 95-lockdown.d directory and have the docs describe that a) this directory is a private implementation detail; b) that it only exists in /var, not in /etc; and c) that the implementation of LockDown in the local authority use it.
Comment 3 David Zeuthen (not reading bugmail) 2009-12-10 11:52:35 UTC
Fixed with this commit

http://cgit.freedesktop.org/PolicyKit/commit/?id=8e0b9b47d1fc1a4ab6020770e4b3084ddd45b71d

Since we already use /etc/polkit-1, I decided to just use /etc/polkit-1/localauthority instead of /etc/security/polkit-1/localauthority.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.