
Stop installing /usr/share/polkit-1/rules.d as 700/polkitd

Luca Boccassi requested to merge bluca/polkit:usr_share_ownership into master

The vendor tree (/usr) cannot contain any secrets or privileged data, as it is normally shipped in images or packages that can be trivially downloaded and inspected by anybody. It thus makes no sense to impose that /usr/share/polkit-1/rules.d is installed as 700 and owned by the polkitd user. Remove this logic from meson.

The local (admin) configuration tree is /etc, and that is left as-is.

Having non-root directories in /usr creates huge problems for image builders, as you must ensure that the uid available at build time is exactly the same as the uid available at runtime. Dropping this requirement will allow removing a lot of kludges.

Edited by Luca Boccassi
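An image builder can check a staged root for the condition described above. The following is an added example, not code from this merge request or from polkit: `audit_vendor_tree` and `build_sample_tree` are hypothetical names, and the sample tree is constructed for the demonstration.

```python
import os
import stat
import tempfile


def audit_vendor_tree(image_root, expected_uid=0):
    """Return (relative_path, problem) tuples for entries under
    <image_root>/usr that are not owned by expected_uid, or that are
    directories other users cannot read and traverse."""
    findings = []
    usr = os.path.join(image_root, "usr")
    for dirpath, dirnames, filenames in os.walk(usr):
        # Check entries from the parent listing, so a directory that
        # cannot be entered is still reported.
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            rel = os.path.relpath(path, image_root)
            if st.st_uid != expected_uid:
                findings.append(
                    (rel, f"owner uid {st.st_uid}, expected {expected_uid}"))
            if stat.S_ISDIR(st.st_mode) and (st.st_mode & 0o005) != 0o005:
                mode = stat.S_IMODE(st.st_mode)
                findings.append((rel, f"mode {mode:04o} blocks other users"))
    return findings


def build_sample_tree():
    """Constructed sample: a staged image root where rules.d is mode 0700."""
    root = tempfile.mkdtemp(prefix="imgroot-")
    rules = os.path.join(root, "usr", "share", "polkit-1", "rules.d")
    os.makedirs(rules)
    for sub in ("usr", "usr/share", "usr/share/polkit-1"):
        os.chmod(os.path.join(root, sub), 0o755)
    with open(os.path.join(rules, "50-default.rules"), "w") as fh:
        fh.write("// constructed sample rule file\n")
    os.chmod(rules, 0o700)
    return root


if __name__ == "__main__":
    # The build user's uid stands in for root so the demo runs unprivileged;
    # against a real image root, keep the default expected_uid=0.
    for rel, problem in audit_vendor_tree(build_sample_tree(), os.getuid()):
        print(f"{rel}: {problem}")
```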
