Commit 587deddf authored by David Zeuthen's avatar David Zeuthen

Clarify pkexec(1) variables


Signed-off-by: default avatarDavid Zeuthen <davidz@redhat.com>
parent 0e85f077
<?xml version="1.0" encoding="utf-8"?> <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC <!DOCTYPE policyconfig PUBLIC "-//freedesktop//DTD polkit Policy Configuration 1.0//EN"
"-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN" "http://www.freedesktop.org/software/polkit/policyconfig-1.dtd">
"http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<!-- Policy definitions for core PolicyKit actions. Copyright (c) 2008 Red Hat, Inc. --> <!-- Policy definitions for core polkit actions. Copyright (c) 2008-2012 Red Hat, Inc. -->
<policyconfig> <policyconfig>
<vendor>The PolicyKit Project</vendor> <vendor>The polkit project</vendor>
<vendor_url>http://hal.freedesktop.org/docs/PolicyKit/</vendor_url> <vendor_url>http://www.freedesktop.org/wiki/Software/polkit/</vendor_url>
<action id="org.freedesktop.policykit.exec"> <action id="org.freedesktop.policykit.exec">
<_description>Run programs as another user</_description> <_description>Run a program as another user</_description>
<_message>Authentication is required to run a program as another user</_message> <_message>Authentication is required to run a program as another user</_message>
<defaults> <defaults>
<allow_any>auth_admin</allow_any> <allow_any>auth_admin</allow_any>
...@@ -19,14 +18,4 @@ ...@@ -19,14 +18,4 @@
</defaults> </defaults>
</action> </action>
<action id="org.freedesktop.policykit.lockdown">
<_description>Configure lock down for an action</_description>
<_message>Authentication is required to configure lock down policy</_message>
<defaults>
<allow_any>no</allow_any>
<allow_inactive>no</allow_inactive>
<allow_active>auth_admin</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.exec.path">/usr/bin/pklalockdown</annotate>
</action>
</policyconfig> </policyconfig>
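Review bot: The org.freedesktop.policykit.lockdown action, together with its org.freedesktop.policykit.exec.path annotation pointing at /usr/bin/pklalockdown, is dropped from this policy file by the `@@ -19,14 +18,4 @@` hunk, yet the commit message, titled "Clarify pkexec(1) variables", says nothing about it. Removing an action definition changes what polkit will authorize: if pklalockdown is still shipped it is left with no action to check, and if it is gone that is the reason to state here. Consider splitting the removal into its own commit or adding one sentence to the description, e.g. "Also drop the org.freedesktop.policykit.lockdown action, which is no longer used." The DTD and vendor-URL updates in the first hunk look purely cosmetic.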
...@@ -82,8 +82,8 @@ ...@@ -82,8 +82,8 @@
<refsect1 id="pkexec-security-notes"><title>SECURITY NOTES</title> <refsect1 id="pkexec-security-notes"><title>SECURITY NOTES</title>
<para> <para>
Executing a program as another user is a privileged Executing a program as another user is a privileged
operation. By default the required authorization (See operation. By default the action to check for (see
<xref linkend="pkexec-required-authz"/>) requires administrator <xref linkend="pkexec-action"/>) requires administrator
authentication. In addition, the authentication dialog presented authentication. In addition, the authentication dialog presented
to the user will display the full path to the program to be to the user will display the full path to the program to be
executed so the user is aware of what will happen. executed so the user is aware of what will happen.
...@@ -125,7 +125,7 @@ ...@@ -125,7 +125,7 @@
</para> </para>
</refsect1> </refsect1>
<refsect1 id="pkexec-required-authz"><title>REQUIRED AUTHORIZATIONS</title> <refsect1 id="pkexec-action"><title>ACTION AND AUTHORIZATIONS</title>
<para> <para>
By default, the By default, the
<emphasis>org.freedesktop.policykit.exec</emphasis> action is <emphasis>org.freedesktop.policykit.exec</emphasis> action is
...@@ -134,10 +134,13 @@ ...@@ -134,10 +134,13 @@
annotation on an action with the value set to the full path of annotation on an action with the value set to the full path of
the program. In addition to specifying the program, the the program. In addition to specifying the program, the
authentication message, description, icon and defaults can be authentication message, description, icon and defaults can be
specified. The strings <literal>$(user)</literal>, specified.
<literal>$(program)</literal> and </para>
<literal>$(command_line)</literal> in the message will be <para>
expanded, see <xref linkend="pkexec-variables"/>. Note that authentication messages may reference variables (see
<xref linkend="pkexec-variables"/>), for example
<literal>$(user)</literal> will be expanded to the value of the
<literal>user</literal> variable.
</para> </para>
</refsect1> </refsect1>
...@@ -178,7 +181,7 @@ ...@@ -178,7 +181,7 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis>user_full</emphasis></term> <term><emphasis>user.gecos</emphasis></term>
<listitem> <listitem>
<para> <para>
The full name of the user to execute the program as. The full name of the user to execute the program as.
...@@ -186,6 +189,17 @@ ...@@ -186,6 +189,17 @@
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis>user.display</emphasis></term>
<listitem>
<para>
A representation of the user to execute the program as
that is suitable for display in an authentication dialog.
Is typically set to a combination of the user name and the
full name.
</para>
</listitem>
</varlistentry>
</variablelist> </variablelist>
</refsect1> </refsect1>
...@@ -486,7 +486,7 @@ System Context | | ...@@ -486,7 +486,7 @@ System Context | |
<literal>polkit</literal> object (of type <type>Polkit</type>). <literal>polkit</literal> object (of type <type>Polkit</type>).
</para> </para>
<refsect2 id="polkit-rules-actions"> <refsect2 id="polkit-rules-polkit">
<title>The <type>Polkit</type> type</title> <title>The <type>Polkit</type> type</title>
<para> <para>
...@@ -616,10 +616,10 @@ polkit.addRule(function(action, subject) { ...@@ -616,10 +616,10 @@ polkit.addRule(function(action, subject) {
}); });
]]></programlisting> ]]></programlisting>
<para> <para>
will produce the following when the user runs 'pkexec bash -i' from a shelll: will produce the following when the user runs 'pkexec -u bateman bash -i' from a shell:
</para> </para>
<programlisting><![CDATA[ <programlisting><![CDATA[
May 24 14:28:50 thinkpad polkitd[32217]: /etc/polkit-1/rules.d/10-test.rules:3: action=[Action id='org.freedesktop.policykit.exec' command_line='/usr/bin/bash -i' program='/usr/bin/bash' user_full='root (root)' user='root'] May 24 14:28:50 thinkpad polkitd[32217]: /etc/polkit-1/rules.d/10-test.rules:3: action=[Action id='org.freedesktop.policykit.exec' command_line='/usr/bin/bash -i' program='/usr/bin/bash' user='bateman' user.gecos='Patrick Bateman' user.display='Patrick Bateman (bateman)']
May 24 14:28:50 thinkpad polkitd[32217]: /etc/polkit-1/rules.d/10-test.rules:4: subject=[Subject pid=1352 user='davidz' groups=davidz,wheel, seat='seat0' session='1' local=true active=true] May 24 14:28:50 thinkpad polkitd[32217]: /etc/polkit-1/rules.d/10-test.rules:4: subject=[Subject pid=1352 user='davidz' groups=davidz,wheel, seat='seat0' session='1' local=true active=true]
]]></programlisting> ]]></programlisting>
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC <!DOCTYPE policyconfig PUBLIC "-//freedesktop//DTD polkit Policy Configuration 1.0//EN"
"-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN" "http://www.freedesktop.org/software/polkit/policyconfig-1.dtd">
"http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<policyconfig> <policyconfig>
<vendor>Examples for the PolicyKit Project</vendor> <vendor>Examples for the polkit project</vendor>
<vendor_url>http://hal.freedesktop.org/docs/PolicyKit/</vendor_url> <vendor_url>http://www.freedesktop.org/wiki/Software/polkit/</vendor_url>
<action id="org.freedesktop.policykit.example.pkexec.run-frobnicate"> <action id="org.freedesktop.policykit.example.pkexec.run-frobnicate">
<_description>Run the PolicyKit example program Frobnicate</_description> <_description>Run the polkit example program Frobnicate</_description>
<_message>Authentication is required to run the PolicyKit example program Frobnicate (user=$(user), program=$(program), command_line=$(command_line))</_message> <_message>Authentication is required to run the polkit example program Frobnicate (user=$(user), user.gecos=$(user.gecos), user.display=$(user.display), program=$(program), command_line=$(command_line))</_message>
<icon_name>audio-x-generic</icon_name> <!-- just an example --> <icon_name>audio-x-generic</icon_name> <!-- just an example -->
<defaults> <defaults>
<allow_any>no</allow_any> <allow_any>no</allow_any>
...@@ -669,11 +669,13 @@ main (int argc, char *argv[]) ...@@ -669,11 +669,13 @@ main (int argc, char *argv[])
details = polkit_details_new (); details = polkit_details_new ();
polkit_details_insert (details, "user", pw->pw_name); polkit_details_insert (details, "user", pw->pw_name);
if (pw->pw_gecos != NULL)
polkit_details_insert (details, "user.gecos", pw->pw_gecos);
if (pw->pw_gecos != NULL && strlen (pw->pw_gecos) > 0) if (pw->pw_gecos != NULL && strlen (pw->pw_gecos) > 0)
s = g_strdup_printf ("%s (%s)", pw->pw_gecos, pw->pw_name); s = g_strdup_printf ("%s (%s)", pw->pw_gecos, pw->pw_name);
else else
s = g_strdup_printf ("%s", pw->pw_name); s = g_strdup_printf ("%s", pw->pw_name);
polkit_details_insert (details, "user_full", s); polkit_details_insert (details, "user.display", s);
g_free (s); g_free (s);
polkit_details_insert (details, "program", path); polkit_details_insert (details, "program", path);
polkit_details_insert (details, "command_line", command_line); polkit_details_insert (details, "command_line", command_line);
...@@ -696,7 +698,7 @@ main (int argc, char *argv[]) ...@@ -696,7 +698,7 @@ main (int argc, char *argv[])
* be expanded to the path of the program e.g. "/bin/bash" and the latter * be expanded to the path of the program e.g. "/bin/bash" and the latter
* to the user e.g. "John Doe (johndoe)" or "johndoe". * to the user e.g. "John Doe (johndoe)" or "johndoe".
*/ */
N_("Authentication is needed to run `$(program)' as user $(user)")); N_("Authentication is needed to run `$(program)' as user $(user.display)"));
} }
} }
polkit_details_insert (details, "polkit.gettext_domain", GETTEXT_PACKAGE); polkit_details_insert (details, "polkit.gettext_domain", GETTEXT_PACKAGE);
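Review bot: The new line `polkit_details_insert (details, "user.gecos", pw->pw_gecos);` stores the raw GECOS field, which on many systems is editable by the account owner via chfn(1) and may carry comma-separated office and phone subfields, so the value is neither guaranteed to be just a full name as the pkexec(1) entry for user.gecos now states nor trustworthy as text shown in an authentication dialog or log line. A short comment would make that explicit, e.g. `/* GECOS is owner-editable (chfn) and may hold comma-separated subfields; treat as untrusted display text */`, and if only the name is wanted, truncating at the first comma before inserting would match the documentation. Note also that an empty but non-NULL gecos is inserted as "" for user.gecos while the existing `strlen (pw->pw_gecos) > 0` check only guards user.display, which seems intentional but is worth a word in the man page. main() begins and ends outside these hunks.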