[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

tangent: PolicyKit and PAM



On Tue, Nov 24, 2009 at 12:44:00PM -0500, Matthias Clasen wrote:
> > 1. In fact, a PAM-backed authority for PolicyKit might be interesting and
> > useful -- but there's a tangent.
> What do you think PolicyKit is using for authentication ?
> See 
> http://cgit.freedesktop.org/PolicyKit/tree/src/polkitagent/polkitagenthelper.c

It uses it for authentication *and* for authorization, but it uses one
service name (polkit-1) for everything (which is in turn configured by
default to just defer to the standard system-auth service definition). This
arrangement isn't particularly useful for a flexible authorization policy.

You can use it for the big-hammer "user-is-locked out" stuff, but not for
things like "local users can install packages without a password, only
during business hours", which PAM is perfectly expressive enough to do (with
existing modules, even).

I don't think, offhand, that it could be quite as flexible as the Local
Authority currently in PolicyKit or via some fancy LDAP Authority, but I
don't think it necessarily would need to be. The main advantage would be
that instead of having yet another way (and again, I want to emphasize that
I think PolicyKit is good work) to implement authorization policy, one could
use PolicyKit with a well-understood mechanism that's been in production use
since the 90s.

Like I said, this is a tangent, and I'm certainly not expecting anyone to
work on this. But it'd be cool if they did.

-- 
Matthew Miller <mattdm mattdm org>
Senior Systems Architect 
Cyberinfrastructure Labs / Instructional & Research Computing
Computing & Information Technology 
Harvard School of Engineering & Applied Sciences


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]