Local users get to play root?
Seth Vidal
skvidal at fedoraproject.org
Wed Nov 18 20:54:26 UTC 2009
On Wed, 18 Nov 2009, Dan Williams wrote:
> On Wed, 2009-11-18 at 14:29 -0500, Seth Vidal wrote:
>>
>> On Wed, 18 Nov 2009, Richard Hughes wrote:
>>
>>> 2009/11/18 Andrew Haley <aph at redhat.com>:
>>>> Is there some way to disable PackageKit but keep setroubleshoot?
>>>
>>> Just set all the policykit answers to "no". You'll find more than just
>>> setroubleshoot breaks if you do this.
>>
>> How do you do this? Set the policykit answers to no?
>
> The atom-bomb approach is to change everything
> in /usr/share/polkit-1/actions/ to <allow_active>no</allow_active> and
> <allow_inactive>no</allow_inactive>.
>
> But that's not right because those files aren't config files. Instead,
> you drop "local authority" files in /var/lib/polkit-1/localauthority/
> that override those permissions on a site-by-site basis for your
> specific use-case, irregardless of what the defaults are.
>
To be fair - it took 2 engineers about 30-40 minutes and looking through
the code to figure out what was wanted in those files and then how to
verify what was in there.
it resulted in:
http://skvidal.wordpress.com/2009/11/18/polkit-and-package-kit-and-changing-settings/
but the manpages do not make it obvious. nor is it obvious why those files
are in /var/lib/
-sv
More information about the fedora-devel-list
mailing list