tag:blogger.com,1999:blog-5268847417417953349.post8852023476118532215..comments2024-02-11T03:28:39.770-05:00Comments on inactivity log for davidz: Authorization Rules in polkitdavidzhttp://www.blogger.com/profile/18166813552495508964noreply@blogger.comBlogger25125tag:blogger.com,1999:blog-5268847417417953349.post-53522665363307074092023-05-07T16:38:56.022-04:002023-05-07T16:38:56.022-04:00I tried to read your common-sense advice and here ...I tried to read your common-sense advice and here is what I got: "Usługa Google+ nie jest już dostępna"Unknownhttps://www.blogger.com/profile/07659270566129809287noreply@blogger.comtag:blogger.com,1999:blog-5268847417417953349.post-80102246265275441912023-05-07T16:37:06.327-04:002023-05-07T16:37:06.327-04:00I did and found nothing. Then I asked Bing and it...I did and found nothing. Then I asked Bing and it answered: pam.conf is Turing-complete because it loads arbitrary dynamic libraries in configuration files. You are comparing apples to oranges here.Unknownhttps://www.blogger.com/profile/07659270566129809287noreply@blogger.comtag:blogger.com,1999:blog-5268847417417953349.post-12650491541945994142021-06-02T13:22:33.453-04:002021-06-02T13:22:33.453-04:00This comment has been removed by the author.shenlebantongyinghttps://www.blogger.com/profile/12096363259568939247noreply@blogger.comtag:blogger.com,1999:blog-5268847417417953349.post-103010933975326382016-11-09T12:39:38.611-05:002016-11-09T12:39:38.611-05:00Can external files be accesed by polkit for dynami...Can external files be accesed by polkit for dynamic polkit rules please say a method for dynamic polkit ruleAnonymoushttps://www.blogger.com/profile/12897018095064891429noreply@blogger.comtag:blogger.com,1999:blog-5268847417417953349.post-88662208223512140772016-10-19T13:31:52.419-04:002016-10-19T13:31:52.419-04:00This comment has been removed by the author.Anonymoushttps://www.blogger.com/profile/12897018095064891429noreply@blogger.comtag:blogger.com,1999:blog-5268847417417953349.post-23220268454554996452013-09-30T12:34:36.907-04:002013-09-30T12:34:36.907-04:00Thank you ever so much for ripping out the simple ...Thank you ever so much for ripping out the simple configuration language that I was using for a dozen or so .pkla files and replacing it with (nigh-unreadable) JavaScript -- a language most sysadmins are unfamiliar with -- and picking a JavaScript implementation with a wildly unstable ABI and API, and then piling security fixes and API changes on top of that so that everyone is forced to upgrade. This will be *ever* so much fun for everyone.<br /><br />This was a very, very bad decision. What on earth were you thinking? Every single aspect of this was badly thought out. And I speak as an Emacs user who loves Turing-complete languages in configuration files.<br /><br />Are you *trying* to force distros to fork PolicyKit?Nick Alcockhttps://www.blogger.com/profile/06590610308528769844noreply@blogger.comtag:blogger.com,1999:blog-5268847417417953349.post-86693610123019967792013-03-21T08:36:21.233-04:002013-03-21T08:36:21.233-04:00Thanks drecaise , Your solution worked for me and ...Thanks drecaise , Your solution worked for me and now i am able to access virt-manager using polkit authentication. Niranjanhttps://www.blogger.com/profile/11486464928049696337noreply@blogger.comtag:blogger.com,1999:blog-5268847417417953349.post-70303402878982532662013-03-21T05:27:55.151-04:002013-03-21T05:27:55.151-04:00Hi Niranjan,
I know nothing about polkit but was ...Hi Niranjan,<br /><br />I know nothing about polkit but was figuring it out for what you are trying to achieve.<br /><br />The polkit.addAuthorizationRule function shouldn't that just be "polkit.addRule"?<br /><br />and the "libvirt.unix.manage" shouldn't that be "org.libvirt.unix.manage"?<br /><br />I also believe it's action.id not action<br /><br />and in your if statement the second part after the OR condition should contain the action.id again<br /><br />And you should return a polkit.Result value so not just "yes" but polkit.Result.YES<br /><br />So you end up with something like:<br />polkit.addRule(function(action, subject) {<br />polkit.log("action=" + action);<br />polkit.log("subject=" + subject);<br />polkit.log("now=" + now)<br />var now = new Date();<br />polkit.log("now=" + now);<br /> if (action.id == "org.libvirt.unix.manage" || action.id == "org.libvirt.unix.monitor" &&<br /> subject.isInGroup("virt")) {<br /> return polkit.Result.YES;<br /> }<br /> }<br />);<br /><br />drecaisehttps://www.blogger.com/profile/12343725439460950400noreply@blogger.comtag:blogger.com,1999:blog-5268847417417953349.post-49450712608063910942013-03-19T16:30:33.714-04:002013-03-19T16:30:33.714-04:00Hi could you help me setup polkit authorization to...Hi could you help me setup polkit authorization to access libvirt (to do virtmanagement) by local users. In the earlier versions, I was able to achieve by doing below:<br /><br />[Remote libvirt SSH access]<br />Identity=unix-group:virt<br />Action=org.libvirt.unix.manage;org.libvirt.unix.monitor<br />ResultAny=yes<br />ResultInactive=yes<br />ResultActive=yes<br /><br /><br />I would like to achieve the same in Fedora 18, i tried using below script <br /><br />[root@dhcp201-167 ~]# cat /etc/polkit-1/rules.d/10.virt.rules <br />polkit.addAuthorizationRule(function(action, subject) {<br />polkit.log("action=" + action);<br />polkit.log("subject=" + subject);<br />polkit.log("now=" + now)<br />var now = new Date();<br />polkit.log("now=" + now);<br />if (action == "libvirt.unix.manage" || "org.libvirt.unix.monitor" && subject.isInGroup("virt")) {<br />return yes;<br />}<br />return null;<br />});<br /><br />but doesn't seem to work <br /><br />can you post some more example for the above scenario <br /><br />Thanks<br />Niranjanhttps://www.blogger.com/profile/11486464928049696337noreply@blogger.comtag:blogger.com,1999:blog-5268847417417953349.post-68500257281066653142013-01-31T07:56:35.980-05:002013-01-31T07:56:35.980-05:00"but since I have about 0% experience with it..."but since I have about 0% experience with it I decided to go for JS instead."<br /><br />When the only tool you have is a hammer, every problem looks like a nail.<br /><br />JS, seriously? How about learning to use the proper tool?<br /><br />I can only see drawbacks of using JS instead of Lua here.<br />Natanaelhttps://www.blogger.com/profile/04951315131701559383noreply@blogger.comtag:blogger.com,1999:blog-5268847417417953349.post-36268915961200309612012-10-02T08:49:31.400-04:002012-10-02T08:49:31.400-04:00I don't have time to loose with the login of t...I don't have time to loose with the login of this site. I am dominique_71 on the gentoo forum link above, Dominique Michel is my real name.<br /><br />You can thing I am foolish, but I am not. At my work, it use a mix of windows and unix, and I have no access at all at the administration level. That imply than I am using linux exclusively at home, and that back from my 386 box. My first decent PC was an Amiga 2000, and this box is my reference even today: The OS was simple to use, simple to administrate, very efficient due the proximity of its unique toolkit with the hardware level, very stable for desktop use, very easy to program.<br /><br />If I understand very well the need of large corporations for tools like *kit in a modern environment, what I just don't get is: Why the linux community can be enough naive to accept stuffs like that, programs needed only by large companies which, because of their complexity and opacity, remove the essence of free software - freedom of choice - to the average joe user!<br /><br />I just have, like many joe users, better things to do than learning a language like JS, that in order to get permissions to do things to work, things that can work another and much simpler way for me. So, *kit will always be, for me, not only unnecessary, but also something that is unmanageable. So, 2 good reasons why I don't want to install and use it.<br /><br />It is more: This is sad because a lot of efforts have been spend in order to lower the level entry of GNU/linux for the average joe user for its desktop. A program like *kit is following exactly the inverse path. Which joe user want to learn JS if it is not interested by web development? No one! <br /><br />The consequence is than a lot of desktop users are running X as root, that just in order to get things like "when I plug-in an USB disk, I want to be able to access it automatically" to work. So, GNU/linux is becoming like windows for many desktop users: unmanageable. And this is exactly the inverse of what GNU/linux is globally expected to become on the long run.<br /><br />To resume, *kit is making simple things so complex than it remove the essence of free software - freedom of choice - to the average user, and make much easier to sell a support-contract (just ask Microsoft).<br /><br />For the sys admins, JS is a totally different language to shell, C, awk or anything most admins are used to, making it to require an investment of time that most good admins don't have, over a significant retraining period, and in the meantime you're looking at less reliability, and less security, since you're not really sure what the implications of everything you're doing are. Unknownhttps://www.blogger.com/profile/05708491344613488724noreply@blogger.comtag:blogger.com,1999:blog-5268847417417953349.post-59773827801301366432012-09-28T17:42:33.915-04:002012-09-28T17:42:33.915-04:00Could you at least provide an easy to set option t...Could you at least provide an easy to set option that will just disable the whole thing, but let the user that doesn't want to use this thing, to install and use programs that depend on it?<br /><br />As example, with pulse audio, by editing a single line into one configuration file, pulseaudio will never start, and the audio programs will use ALSA or jack instead.Unknownhttps://www.blogger.com/profile/05708491344613488724noreply@blogger.comtag:blogger.com,1999:blog-5268847417417953349.post-61587158984894546842012-09-28T13:39:22.564-04:002012-09-28T13:39:22.564-04:00You should learn and experiment with udev instead ...You should learn and experiment with udev instead of forcing users to use a language, JS, than nobody want to use for system administration.<br /><br />http://forums.gentoo.org/viewtopic-t-933724.html and a ton of other similar forum threads elsewhere!Unknownhttps://www.blogger.com/profile/05708491344613488724noreply@blogger.comtag:blogger.com,1999:blog-5268847417417953349.post-90163144944572181362012-07-15T08:00:14.903-04:002012-07-15T08:00:14.903-04:00from man polkit:
Each function should return a va...from man polkit:<br /><br />Each function should return a value from polkit.Result<br /><br /> polkit.Result = {<br /> NO : "no",<br /> YES : "yes",<br /> AUTH_SELF : "auth_self",<br /> AUTH_SELF_KEEP : "auth_self_keep",<br /> AUTH_ADMIN : "auth_admin",<br /> AUTH_ADMIN_KEEP : "auth_admin_keep",<br /> NOT_HANDLED : null<br /> };<br /><br />In fact polkit.Result.YES returns nothing:<br /><br />polkit.addRule(function(action, subject) {<br /> if (action.id == "org.freedesktop.udisks.filesystem-mount-system-internal" && subject.isInGroup("wheel")) {<br /> return polkit.Result.YES;<br /> }<br />});<br /><br />Got "Not authorized".<br /><br />return "yes" does the trick.<br /><br />polkit-0.107, gentooAnonymoushttps://www.blogger.com/profile/06667630577845476336noreply@blogger.comtag:blogger.com,1999:blog-5268847417417953349.post-24213434258491835952012-07-15T07:34:33.524-04:002012-07-15T07:34:33.524-04:00JS in config? Facepalm.JS in config? Facepalm.Anonymoushttps://www.blogger.com/profile/06667630577845476336noreply@blogger.comtag:blogger.com,1999:blog-5268847417417953349.post-44804022596064948412012-07-03T05:26:27.259-04:002012-07-03T05:26:27.259-04:00Hi David,
I have a lot of respect for your coding...Hi David,<br /><br />I have a lot of respect for your coding abilities, but I believe some of the claims that lead to the changes you made might be disputable.<br /><br />First, once I figured out the pkla format I found it to be entirely reasonable. The reasons that caused me anguish initially were tangential to the file format, though.<br /><br />1. Difficulty knowing that pklocalauthority(8) was the documentation I should be looking at to adjust the local policy. I can't recall how I got there (I think google), but even looking in polkit(8) again what it says is "See pklocalauthority(8) for information about the Local Authority - the default authority implementation shipped with PolicyKit." I wouldn't know this means "here's how you adjust the local policy". You've addressed this now by putting the authorization rules documentation directly in polkit(8). This change did not require a major change in the configuration system.<br /><br />2. After getting to pklocalauthority(8), a lot of the documentation is about the unusual directory structure used. There are configuration files under /var and multiple sorted subdirectories in each polkit-1 directory. This seems like unnecessary obfuscation, and you since fixed this with a short section explaining lexical sorting in /etc/polkit-1/rules.d and /usr/share/polkit-1/rules.d. This change did not require a major change in the configuration system.<br /><br />3. The description of auth_admin and friends is missing from pklocalauthority(8). Again, this is fixed by documenting the configuration system in polkit(8) and doesn't require a major change.<br /><br />Second, I think your assertion that a programming language is required for your configuration system doesn't match the reality I've seen. I look around /etc and I don't see any other important service that uses a programming language to control it. systemd and udev come to mind. There are quite a few knobs on systemd and they're all managed by a key file just like pkla. I'm not aware than anyone has suggested that a programming language is necessary to achieve the proper policy for systemd or udev, and they likely receive a lot of local tweaking.<br /><br />Finally, I believe the idea that sysadmins want to be using a programming language for configuration could probably use some backing. My experience is that sysadmins want simple declarative statements such as a key file and do not want to be writing a program to configure their systems. Maybe that's incorrect, but I don't think either of us have actually spent any time looking into it.<br /><br />Anyway, my point is that this seems like a whole lot of code churn and interface changes for things that were not the problem in the first place. I could certainly be wrong there and will cope with whatever end up on my system, though. Good luck!Dan Nicholsonhttps://www.blogger.com/profile/17166240687572763911noreply@blogger.comtag:blogger.com,1999:blog-5268847417417953349.post-66684721683367745792012-06-06T09:47:49.227-04:002012-06-06T09:47:49.227-04:00John: I briefly did consider lua since (since RPM ...John: I briefly did consider lua since (since RPM relies on it as well, it can be argued it's not an extra dep on RPM-based OSes) but since I have about 0% experience with it I decided to go for JS instead.<br /><br />np237: Sorry that Blogspot is making your life miserable - I don't like the commenting system either.<br /><br />As for "nobody really needs stuff" comment: Oh, I wish that was true (if it was we wouldn't even need polkit at all which would be even better). My experience, however, being on the receiving end of bug reports for a large Linux distributor, clearly indicates otherwise.<br /><br />The main consumer of this, obviously, is the enterprise desktop but don't forget things like KIOSK / lock-down (Internet Cafe, appliance / POS / industrial systems.<br /><br />There's also prior art in this area - look at other mainstream OSes like OS X and Windows - in particular, look at Group Policy which has an overlap with polkit (GP arguably does a lot more).<br /><br />As for your claim that sysadmins know zilch about JS, two comments: First, I don't think that's true (I think you are selling them short) ... even if you know only a little shell or perl or python, JS is not a lot different, in fact it's probably even simpler. The other comment is that often rules will be only a couple of lines, on the level of the examples in polkit(8) man page I linked to.<br /><br />The rest of your comment is mostly the kind of opinionated piece that I had hoped the section "Hmm, OK, but you are bloating Linux anyway. You suck." would avoid. I don't really know how to respond to that.<br /><br />Hope this clarifies. Thanks.davidzhttps://www.blogger.com/profile/18166813552495508964noreply@blogger.comtag:blogger.com,1999:blog-5268847417417953349.post-88917951692999258882012-06-05T16:50:49.308-04:002012-06-05T16:50:49.308-04:00Did you consider using lua instead of JS? It is mu...Did you consider using lua instead of JS? It is much lighter and designed for embedding.Johnhttps://www.blogger.com/profile/16607486305553174549noreply@blogger.comtag:blogger.com,1999:blog-5268847417417953349.post-37409367223460036582012-06-05T14:44:19.472-04:002012-06-05T14:44:19.472-04:00What I wanted to say is (shorter because blogspot ...What I wanted to say is (shorter because blogspot might eat it again):<br /> - Nobody really needs stuff like “forbid users in a group to do the action xyz” or “don't allow xyz on school nights”. If your sysadmin says he needs this, you need to change the sysadmin, not the configuration system.<br /> - It is better to use a simple configuration system at least *by default*.<br /> - If you really want to allow such stupid things, why not allowing custom configuration through an external program instead of forcing to use a specific API? Simpler design, less lines of code for you.<br /> - Sysadmins don’t know a thing about JavaScript. They work on shell, perl, python, sometimes even C, but JS? Nah.<br /> - Complexity leads to bugs. In security components, bugs lead to security vulnerabilities. Yes, I read what you wrote and I seriously disagree.<br /> - Embedding a JS interpreter? Seriously, regardless of the rest, WTF? Wasn’t the gnome-shell/gnome-games experiments enough to tell this is a bad idea?<br /> - Blogspot is really pissing me off.Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-5268847417417953349.post-85746667007875594982012-06-05T14:37:37.919-04:002012-06-05T14:37:37.919-04:00FUCK YOU BLOGSPOT for eating my reply.
See what h...FUCK YOU BLOGSPOT for eating my reply.<br /><br />See what happens when using crap? It craps.Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-5268847417417953349.post-57002341282153844272012-06-05T09:53:01.363-04:002012-06-05T09:53:01.363-04:00Charles: I like udev a lot but its rules format is...Charles: I like udev a lot but its rules format is really quirky and byzantine (e.g. GOTO). I decided to use JavaScript because a) it's a very simple language; b) has a lot of good implementations; c) widely used and understood; d) doesn't drag in a huge platform of its own.<br /><br />np237: Yes, it's a slippery slope which I why I initially did the whole .pkla file format thing because I hoped it would be "good enough". The key here is really to identify that the spectrum of use-cases is so wide that you really end up wanting a programming language instead of a file format. Because if you _don't_ make realizations like this, you'll end up with a Turing-complete language disguised in a file format _anyway_ (just Google for "pam.conf turing complete" if you don't believe me).davidzhttps://www.blogger.com/profile/18166813552495508964noreply@blogger.comtag:blogger.com,1999:blog-5268847417417953349.post-63284736882990685122012-06-05T05:56:18.034-04:002012-06-05T05:56:18.034-04:00Configuration should never be done with a Turing-c...Configuration should never be done with a Turing-complete language. This road might be paved with good intentions, but it leads straight to sendmail.cf hell.Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-5268847417417953349.post-61868111465548610382012-06-04T20:08:34.144-04:002012-06-04T20:08:34.144-04:00In the post (and the bug report) you mention simil...In the post (and the bug report) you mention similarity to udev rules and even have an example of what using such a syntax for polkit would look like. What was the reason for going with js over this in the end - a preference for a turing complete config language?Charleshttps://www.blogger.com/profile/01336486561718167482noreply@blogger.comtag:blogger.com,1999:blog-5268847417417953349.post-16796176099951160872012-06-04T17:13:31.443-04:002012-06-04T17:13:31.443-04:00Yeah, I only used SpiderMonkey because of familiar...Yeah, I only used SpiderMonkey because of familiarity and the fact that I have 3+ people in a 10-feet radius with experience of embedding it in GNOME Shell. It should be pretty easy to switch to another JS engine - the polkit(8) man page even mentions that as a possibility when discussing that rules should not use e.g. the let keyword.<br /><br />(And I was actually reading through /usr/include/v8.h the other day and unless you are allergic to c++ (which I'm not) it doesn't look to bad...)davidzhttps://www.blogger.com/profile/18166813552495508964noreply@blogger.comtag:blogger.com,1999:blog-5268847417417953349.post-46939701977762389152012-06-04T17:08:17.883-04:002012-06-04T17:08:17.883-04:00I wonder if, instead of libmozjs, you couldn't...I wonder if, instead of libmozjs, you couldn't have gone with the embedding v8 route. apart from the inherent mess of including another code base, I mean. this would have kept the size and dependencies in check, at least. not that it's a huge problem anyway: NSS and NSPR are going to be already paged in by any session.Emmanuelehttps://www.blogger.com/profile/14797939115552193382noreply@blogger.com