|
|
a60cd7 |
From 9c807b4f4d808201118f15182e12a9e68e12dc36 Mon Sep 17 00:00:00 2001
|
|
|
a60cd7 |
From: Jakub Filak <jfilak@redhat.com>
|
|
|
a60cd7 |
Date: Thu, 2 Jul 2015 12:19:30 +0200
|
|
|
a60cd7 |
Subject: [PATCH] dbus: keep the polkit authorization for all clients
|
|
|
a60cd7 |
|
|
|
a60cd7 |
I played with the defaults and I've found out that:
|
|
|
a60cd7 |
- allow_any == clients like ssh
|
|
|
a60cd7 |
- allow_active == for local console (X, terminal)
|
|
|
a60cd7 |
- allow_inactive had no effect
|
|
|
a60cd7 |
|
|
|
a60cd7 |
Anyway, I do not find any reason to prevent any client from getting
|
|
|
a60cd7 |
access to all ABRT problems and I also think we should use
|
|
|
a60cd7 |
'auth_admin_keep' until we implement the new abrt dbus service.
|
|
|
a60cd7 |
|
|
|
a60cd7 |
auth_admin_keep - requires authorization for the first request and the
|
|
|
a60cd7 |
authorization is kept for a brief period (polkit(8)).
|
|
|
a60cd7 |
|
|
|
a60cd7 |
commit e98c8766655216db3d9a08b1fa52ba7decf57c46
|
|
|
a60cd7 |
Author: Stef Walter <stefw@redhat.com>
|
|
|
a60cd7 |
Date: Mon May 5 08:41:00 2014 +0200
|
|
|
a60cd7 |
|
|
|
a60cd7 |
dbus: Fix desktop centric polkit policy file
|
|
|
a60cd7 |
|
|
|
a60cd7 |
In order to allow use of ABRT's DBus API on servers, the polkit
|
|
|
a60cd7 |
policy should allow admin usage even when not logged in an active
|
|
|
a60cd7 |
seat (ie: monitor and keyboard). Otherwise use from ssh logins and
|
|
|
a60cd7 |
Cockpit is prevented.
|
|
|
a60cd7 |
|
|
|
a60cd7 |
Related: #1224984
|
|
|
a60cd7 |
|
|
|
a60cd7 |
Signed-off-by: Jakub Filak <jfilak@redhat.com>
|
|
|
a60cd7 |
|
|
|
a60cd7 |
Conflicts:
|
|
|
a60cd7 |
src/dbus/abrt_polkit.policy
|
|
|
a60cd7 |
---
|
|
|
a60cd7 |
src/dbus/abrt_polkit.policy | 8 ++++----
|
|
|
a60cd7 |
1 file changed, 4 insertions(+), 4 deletions(-)
|
|
|
a60cd7 |
|
|
|
a60cd7 |
diff --git a/src/dbus/abrt_polkit.policy b/src/dbus/abrt_polkit.policy
|
|
|
a60cd7 |
index 06008b4..beb615f 100644
|
|
|
a60cd7 |
--- a/src/dbus/abrt_polkit.policy
|
|
|
a60cd7 |
+++ b/src/dbus/abrt_polkit.policy
|
|
|
a60cd7 |
@@ -19,9 +19,9 @@ Copyright (c) 2012 ABRT Team <crash-catcher@fedorahosted.com>
|
|
|
a60cd7 |
<description>Get problems from all users</description>
|
|
|
a60cd7 |
<message>Reading others problems requires authentication</message>
|
|
|
a60cd7 |
<defaults>
|
|
|
a60cd7 |
- <allow_any>no</allow_any>
|
|
|
a60cd7 |
+ <allow_any>auth_admin_keep</allow_any>
|
|
|
a60cd7 |
<allow_active>auth_admin_keep</allow_active>
|
|
|
a60cd7 |
- <allow_inactive>no</allow_inactive>
|
|
|
a60cd7 |
+ <allow_inactive>auth_admin_keep</allow_inactive>
|
|
|
a60cd7 |
</defaults>
|
|
|
a60cd7 |
</action>
|
|
|
a60cd7 |
|
|
|
a60cd7 |
@@ -30,9 +30,9 @@ Copyright (c) 2012 ABRT Team <crash-catcher@fedorahosted.com>
|
|
|
a60cd7 |
<description>Set value of configuration properties</description>
|
|
|
a60cd7 |
<message>Update configuration values reuquires authentication</message>
|
|
|
a60cd7 |
<defaults>
|
|
|
a60cd7 |
- <allow_any>no</allow_any>
|
|
|
a60cd7 |
+ <allow_any>auth_admin_keep</allow_any>
|
|
|
a60cd7 |
<allow_active>auth_admin_keep</allow_active>
|
|
|
a60cd7 |
- <allow_inactive>no</allow_inactive>
|
|
|
a60cd7 |
+ <allow_inactive>auth_admin_keep</allow_inactive>
|
|
|
a60cd7 |
</defaults>
|
|
|
a60cd7 |
</action>
|
|
|
a60cd7 |
|
|
|
a60cd7 |
--
|
|
|
a60cd7 |
2.4.3
|
|
|
a60cd7 |
|