
Re: Embarrassing security bug in systemd



On 10-12-17, Joe wrote:
> On Sun, 10 Dec 2017 00:13:59 +0100
> Dejan Jocic <jodejka@gmail.com> wrote:
> 
> 
> > 
> > Man page for pklocalauthority is a bit more helpful, but far from
> > self-explanatory.
> 
> And not updated for Debian.
> 
> > In its examples section, it provides some insight about
> > writing .pkla files, but it does not show all possible options, or at
> > least I can't be sure that it does. For example:
> > 
> > [Exclude Some Problematic Users]
> >            Identity=unix-user:homer;unix-user:grimes
> >            Action=com.example.awesomeproduct.*
> >            ResultAny=no
> >            ResultInactive=no
> >            ResultActive=auth_admin
> > 
> > According to that, and after reading man page for polkit, I can only
> > deduce that .pkla file will for that example in that
> > com.example.awesomeproduct.* files reads lines under defaults and
> > "answer" on allow_any and allow_inactive with no value and on
> > allow_active with auth_admin value. Fine, that can work. Guess that
> > you can use wildcards for all users, like unix-user:*, but that is
> > only guess, cause I can't see it documented anywhere ( might have
> > missed it). What I also do not see anywhere is if those are the only
> > options available? Or there is some man page, or additional
> > documentation in Debian that can explain that?
> > 
> More examples, and in fact, all the Debian policies, are *.policy
> files and under /usr/share/polkit-1, as Brian pointed out.
> 
> -- 
> Joe 
> 

And all the files under /usr/share/polkit-1 should listen to the local
settings under /etc/polkit-1/localauthority/, so I do not understand what
your point is?

Thank you for your time,
Dejan

Or the man pages are totally wrong?
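
The `.pkla` entry quoted in this message, worked through as an added example (not part of the original post and not polkit's own code). It assumes that `Identity` and `Action` are semicolon-separated globs, that the last matching entry wins, and that the session state selects `ResultActive`, `ResultInactive` or `ResultAny`; the first sample entry and all function names are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Constructed sample: the man-page entry quoted in the thread, preceded by a
# hypothetical entry using the unix-user:* wildcard the poster asks about.
SAMPLE_PKLA = """\
[Hypothetical Default For Everyone]
Identity=unix-user:*
Action=com.example.awesomeproduct.*
ResultAny=no
ResultInactive=no
ResultActive=yes

[Exclude Some Problematic Users]
Identity=unix-user:homer;unix-user:grimes
Action=com.example.awesomeproduct.*
ResultAny=no
ResultInactive=no
ResultActive=auth_admin
"""

RESULT_KEY = {"active": "ResultActive", "inactive": "ResultInactive", "any": "ResultAny"}

def parse_pkla(text):
    """Return a list of (section_name, {key: value}) in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()  # tolerate the indentation used in the man page
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            entries.append((line[1:-1], {}))
        elif "=" in line and entries:
            key, value = line.split("=", 1)
            entries[-1][1][key.strip()] = value.strip()
    return entries

def _matches(globs, value):
    # Assumption: each semicolon-separated item is a shell-style glob.
    return any(fnmatchcase(value, g) for g in globs.split(";") if g)

def evaluate(entries, user, action, session):
    """Result of the last entry matching user and action, or None if none applies."""
    verdict = None
    for _name, keys in entries:
        if (_matches(keys.get("Identity", ""), "unix-user:" + user)
                and _matches(keys.get("Action", ""), action)):
            verdict = keys.get(RESULT_KEY[session], verdict)
    return verdict
```

A `None` result means no local entry matched, so the defaults from the action's `.policy` file would apply.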

