GitLab

Again, we punt this to the applications/mechanisms - they know better.

It makes things a _lot more_ complicated having to deal with resources
and there's a much nicer way to deal with it: Punt it to the apps:

It's much more natural for the application to have a notion about
about what resources are "trusted" (and e.g. requires lesser
privileges) and what resources aren't.

Consider dial-up networking; here the privileged application that
performs the dial-up operation consults a list (maintained by the
system administrator) of allowed numbers to dial. If the unprivileged
networking UI applet that requests a number to be dialed is on the
list it uses the PolicyKit action 'nm-dialup-trusted-location', if it
isn't then it uses the PolicyKit action 'nm-dialup-untrusted-location'.

Descriptions will be subject to i18n/l10n efforts at some point.

Also add a new tool polkit-list-actions.

It's more consistent and, uhm, easier to type.

This feature was introduced with

 commit 02a4c510
 http://gitweb.freedesktop.org/?p=PolicyKit.git;a=commit;h=02a4c5101ca4751963f76a0e016d3308389dc2a5

It makes things a lot harder for privilege granting if a feature like
action parameters are present. Thinking about it, they're not really
necessary; the parameters should just be encoded in the resource name;
e.g. with the example given in the commit

> This is useful for letting mechanisms convey information which may be
> useful in making a decision whether an action is OK. For example,
> NetworkManager could use this to provide the phone-number parameter
> with a hypothetical "nm-dialup" action. Then a site or vendor can
> provide insert
>
>  mandatory polkit-run-program.so \
>     program="/usr/lib/check-dialup-number.sh" privilege="nm-dialup"
>
> into /etc/PolicyKit/PolicyKit.conf and have said program check
>
>  $POLKIT_ACTION_PARAM_PHONE_NUMBER
>
> in that program.

is broken; the right thing here is for a hypothetical NetworkManager
to pass the dial up connection details as the resource

 resource.type = "NetworkManager"
 resource.id = "/org/freedesktop/NM/DialUpConnection/number=555-HOT-CHICKS"

in a well-defined format etc. etc.

 - Split libpolkit into three libraries
   - libpolkit : to be used only by mechanisms and modules
   - libpolkit-dbus : utility library for libpolkit to get caller, session
                      etc. info from the bus and ConsoleKit
   - libpolkit-grant : client side library for obtaining privileges; uses
                       a setgid helper internally

 - grant functionality
   - a helper library, libpolkit-grant, to gain privileges
     - includes a setgid $POLKIT_GROUP helper to write granted privileges
   - a PK module, to read and interpret granted privileges
   - a cmdline app, polkit-grant, using said library

 - Other changes
   - so it turns out that sizeof(bool) != sizeof(gboolean), sizeof(dbus_bool_t)
     This blows so define our own polkit_bool_t type
   - add some validation routines

The grant functionality, especially the setgid helper needs thorough
security review before we can release it.

This paves the way for getting rid of a glib dependency; when and if
that happens is to be determined; right now it just doesn't make a lot
of sense to reimplement GKeyFile, GSList, GHashTable, g_spawn_sync and
other useful routines. But it might make sense if we want to get the
message bus daemon to link with libpolkit so you e.g. can say

 <policy polkit="acme-frobnicate">
   <allow send_interface="com.acme.Frobnicator"
 </policy>

to allow a caller on the system message bus to access that interface
if, and only if, he can do the "acme-frobnicate" action according to
PolicyKit.

This is useful for letting mechanisms convey information which may be
useful in making a decision whether an action is OK. For example,
NetworkManager could use this to provide the phone-number parameter
with a hypothetical "nm-dialup" action. Then a site or vendor can
provide insert

 mandatory polkit-run-program.so program="/usr/lib/check-dialup-number.sh" privilege="nm-dialup"

into /etc/PolicyKit/PolicyKit.conf and have said program check

 $POLKIT_ACTION_PARAM_PHONE_NUMBER

in that program.

 Privilege -> Action
 PrivilegeFile -> PolicyFile
 PrivilegeFileEntry -> PolicyFileEntry
 PrivilegeCache -> PolicyCache

Hopefully it makes a bit more sense now.

Am happy to report that 'make distcheck' now works!

This paves the way for writing

 1. A module that tracks temporary (look in /var/run) and permanent (look
    in /var/lib) privilege grants
 2. A D-Bus service to authenticate a client to obtain to a privilege
    grant and then writing the grant in temporary or permanent storage

Also, this feature lets people very easily lock down the system; just
edit /etc/PolicyKit/PolicyKit.conf; add pam-module-deny-all / -allow-all
stanzas with various privilege=<regexp> and user=<username> options.

Also avoid dumping all privilege file entries to debug whenever we
populate our privilege cache.