Bug 25367 - Also read local authority configuration data from /etc
Summary: Also read local authority configuration data from /etc
Status: RESOLVED FIXED
Alias: None
Product: PolicyKit
Classification: Unclassified
Component: libpolkit (show other bugs)
Version: unspecified
Hardware: Other All
: medium normal
Assignee: David Zeuthen (not reading bugmail)
QA Contact: David Zeuthen (not reading bugmail)
URL:
Whiteboard:
Keywords: patch
Depends on:
Blocks:
 
Reported: 2009-11-30 10:54 UTC by Matthew Miller
Modified: 2010-01-10 07:11 UTC (History)
2 users (show)

See Also:
i915 platform:
i915 features:

Attachments
patch against git tree (as of nov 13) (3.30 KB, patch)
2009-11-30 10:54 UTC, Matthew Miller 		Details | Splinter Review
View All

Description Matthew Miller 2009-11-30 10:54:37 UTC 
Created attachment 31607 [details] [review]
patch against git tree (as of nov 13)

As discussed on the mailing list: http://lists.freedesktop.org/archives/polkit-devel/2009-November/000258.html

Patch adds support for reading from /etc/security/polkit-1/localauthority/* (while leaving /var/lib/polkit-1/localauthority for compatibility).
Comment 1 Matthew Miller 2009-11-30 10:55:21 UTC 
Note there's also a corresponding patch for the Fedora specfile at https://bugzilla.redhat.com/attachment.cgi?id=373474 .
Comment 2 David Zeuthen (not reading bugmail) 2009-11-30 11:35:11 UTC 
(In reply to comment #0)
> Created an attachment (id=31607) [details]
> patch against git tree (as of nov 13)
> 
> As discussed on the mailing list:
> http://lists.freedesktop.org/archives/polkit-devel/2009-November/000258.html
> 
> Patch adds support for reading from /etc/security/polkit-1/localauthority/*

The pklocalauthority man page needs patching to mention both locations and how to choose which one to use

 - use /etc for files that are local to the machine
   (typically not under package manager control)

 - use /var for files that are not local to the machine
   (typically under package manager control)

(One possibly nice (or, maybe, rather disgusting) thing here is that people can mount e.g. NFS on top of /var/lib/polkit-1/localauthority and still retain some degree of per-host configuration.)

Also, the man page needs to be clear about the order of processing (in section "EVALUATION ORDER") - e.g. _all_ files in a directory in /var are consulted before all files in a directory in /etc no matter what the lexicographical ordering is.

(Yes, one curse of documentation is that you need to update it when 

> (while leaving /var/lib/polkit-1/localauthority for compatibility).

It's not for compatibility - see above.

> @@ -507,8 +512,8 @@
>  static gchar *
>  lockdown_get_filename (const gchar *action_id)
>  {
> -  return g_strdup_printf (PACKAGE_LOCALSTATE_DIR
> -                          "/lib/polkit-1/localauthority/90-mandatory.d/"
> +  return g_strdup_printf (PACKAGE_SYSCONF_DIR
> +                          "/security/polkit-1/localauthority/90-mandatory.d/"

I think this should use /var - this is really "application data", not "configuration data". And users shouldn't mess with these files at all - putting them in /etc would be slightly confusing.

Actually, we probably want a 95-lockdown.d directory and have the docs describe that a) this directory is a private implementation detail; b) that it only exists in /var, not in /etc; and c) that the implementation of LockDown in the local authority use it.
Comment 3 David Zeuthen (not reading bugmail) 2009-12-10 11:52:35 UTC 
Fixed with this commit

http://cgit.freedesktop.org/PolicyKit/commit/?id=8e0b9b47d1fc1a4ab6020770e4b3084ddd45b71d

Since we already use /etc/polkit-1, I decided to just use /etc/polkit-1/localauthority instead of /etc/security/polkit-1/localauthority.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.