
Bug#839124: lintian: please add some helpful advice how to fix tags/dbus-policy-at-console



[Adding Holger, the original submitter, to the CC - please see the last two messages for some more context]


Hi Simon,

Wow, thank you so much for the detailed explanation! 

> In general: writing some document on how to replace use of at_console
> policies (and in general all <allow send_*> rules) with polkit has been
> on my to-do list for a while, but it deserves a better writeup than I
> am able to do right now.

That's absolutely fine and thank you so much for the detailed
explanation you provided in your previous mail!

Alas, however, I'm finding it difficult summarising it in the Lintian
description for this tag to solve Holger's original question/query.
Can you help?

The description for the tag is:

  Tag: dbus-policy-at-console
  Severity: normal
  Certainty: certain
  Info: The package contains D-Bus policy configuration that uses the
   deprecated <tt>at_console</tt> condition to impose a different policy
   for users who are "logged in at the console" according to
   systemd-logind, ConsoleKit or similar APIs, such as:
   .
     &lt;policy context="default"&gt;
       &lt;deny send_destination="com.example.PowerManagementDaemon"/&gt;
     &lt;/policy&gt;
     &lt;policy at_console="true"&gt;
       &lt;allow send_destination="com.example.PowerManagementDaemon"/&gt;
     &lt;/policy&gt;
   .
   The maintainers of D-Bus recommend that services should allow or deny
   method calls according to broad categories that are not typically altered
   by the system administrator (usually either "all users", or only root
   and/or a specified system user). If finer-grained authorization
   is required, the service should accept the method call message, then call
   out to PolicyKit to decide whether to honor the request. PolicyKit can
   use system-administrator-configurable policies to make that decision,
   including distinguishing between users who are "at the console" and
   those who are not.
  Ref: https://bugs.freedesktop.org/show_bug.cgi?id=39611

… or perhaps we should wait until the aforementioned docs are written such
that we can link to them?


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-
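
The check the tag description above refers to, sketched as an added example (not Lintian's own code and not part of this message): it parses a D-Bus policy file and lists every allow/deny rule that sits inside a <policy> element carrying an at_console attribute. The function names and the <busconfig> wrapper around the sample are assumptions; the policy itself is the one quoted in the description.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the policy from the tag description, wrapped in the
# DOCTYPE and <busconfig> root that D-Bus configuration files use.
SAMPLE = """<!DOCTYPE busconfig PUBLIC
 "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <policy context="default">
    <deny send_destination="com.example.PowerManagementDaemon"/>
  </policy>
  <policy at_console="true">
    <allow send_destination="com.example.PowerManagementDaemon"/>
  </policy>
</busconfig>"""


def find_at_console_rules(xml_text):
    """Return (at_console value, rule tag, rule attributes) for every
    allow/deny rule inside a <policy> that has an at_console attribute."""
    root = ET.fromstring(xml_text)
    findings = []
    for policy in root.iter("policy"):
        value = policy.get("at_console")
        if value is None:
            continue  # context=, user= and group= policies are not flagged
        for rule in policy:
            if rule.tag in ("allow", "deny"):
                findings.append((value, rule.tag, dict(rule.attrib)))
    return findings


def report(xml_text, path="<sample>"):
    """Format one line per finding; `path` is only a label for the output."""
    lines = []
    for value, tag, attrs in find_at_console_rules(xml_text):
        rendered = " ".join(f'{k}="{v}"' for k, v in sorted(attrs.items()))
        lines.append(
            f'{path}: <policy at_console="{value}"> contains <{tag} {rendered}/>'
        )
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

Each reported rule is a candidate for the approach the description recommends: a broad rule in the bus policy, with the per-user decision made by the service through PolicyKit.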

