[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Local users get to play root?





On Wed, 18 Nov 2009, Dan Williams wrote:

On Wed, 2009-11-18 at 14:29 -0500, Seth Vidal wrote:

On Wed, 18 Nov 2009, Richard Hughes wrote:

2009/11/18 Andrew Haley <aph redhat com>:
Is there some way to disable PackageKit but keep setroubleshoot?

Just set all the policykit answers to "no". You'll find more than just
setroubleshoot breaks if you do this.

How do you do this? Set the policykit answers to no?

The atom-bomb approach is to change everything
in /usr/share/polkit-1/actions/ to <allow_active>no</allow_active> and
<allow_inactive>no</allow_inactive>.

But that's not right because those files aren't config files.  Instead,
you drop "local authority" files in /var/lib/polkit-1/localauthority/
that override those permissions on a site-by-site basis for your
specific use-case, irregardless of what the defaults are.


To be fair - it took 2 engineers about 30-40 minutes and looking through the code to figure out what was wanted in those files and then how to verify what was in there.

it resulted in:
http://skvidal.wordpress.com/2009/11/18/polkit-and-package-kit-and-changing-settings/

but the manpages do not make it obvious. nor is it obvious why those files are in /var/lib/


-sv


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]