Thread: Fill gap between sudo and policykit

  1. #1

    Fill gap between sudo and policykit

    1. Sudo requires granting the whole set of privileges. Sometimes installers ask for the administrator password and they don't necessarily need all privileges. Also, the user doesn't know what it does.

    2. Polkit requires special services to be implemented in the system and is not as handy as sudo.

    3. Partnership (my own project, which I was creating many years ago) allows using special files, which will be preprocessed by Partnership's preprocessor; it reads and analyzes the output of a script written in a simple shell language and tells the user what this output will do, using Partnership's definitions and manual pages. It doesn't allow using the . and .. symbols or creating a directory in a random place in /tmp. It matches files and programs to their definitions and manual pages. It was very odd and I abandoned the project.

    4. New approach
    I will use AppArmor and a special daemon, which will handle a special DBus (Polkit) interface. It will be a system daemon, not a session one. The application will generate requests, for example to write to /etc/passwd and /etc/group and to /usr/share/{bin,lib}/** . The golden path will be: my daemon will translate it into the binary AppArmor format, store the current application rights, grant root rights to the app (I don't know how) and restrict privileges to those the application asks for. But before the first step of the golden path, the user will be prompted to accept the rights the app asked for. If not, the app will receive an access denied DBus message. When done, the application can ask to get its previous set of privileges back (not root, and as before we applied the AppArmor rules).
    I think I will use a similar approach to Partnership (read each program/file definition from my daemon's database and manuals and present it to the user).

    I thought about a different way, like using bubblewrap in place of AppArmor.

    Why did I write all this? Because I need a tutor - somebody who knows AppArmor / PolicyKit or bubblewrap internals. Also, maybe other developers could be helpful.
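
The request-to-profile step described in the post above, as an added example that is not part of the original post or of any existing project: it validates the paths an application asks for and renders them as AppArmor profile text. The function names, the `read`/`write` request modes and the profile name are assumptions; compiling the text to the binary format with `apparmor_parser`, the DBus interface and the user prompt are out of scope.

```python
import re

# Request modes (assumed names) mapped to AppArmor file permission letters.
MODES = {"read": "r", "write": "w"}
# Allowed path characters: plain names plus the glob forms used in the post.
# Whitespace, quotes and '#' are excluded so a request cannot smuggle in
# extra rules or comments when it is pasted into the profile.
SAFE_PATH = re.compile(r"/[A-Za-z0-9_./{},*-]*")
SAFE_NAME = re.compile(r"[A-Za-z0-9_.-]+")


def validate_path(path):
    """Accept only absolute paths without '.' or '..' components."""
    if not SAFE_PATH.fullmatch(path):
        raise ValueError(f"unsupported path: {path!r}")
    # Split on '/', and on '{', '}', ',' so '..' hidden inside an
    # alternation such as {..,lib} is caught as well.
    if any(part in (".", "..") for part in re.split(r"[/{},]", path)):
        raise ValueError(f"dot component in path: {path!r}")
    return path


def build_profile(name, requests):
    """Render [(path, mode), ...] as AppArmor profile text.

    The result grants nothing beyond the listed file rules, which is the
    'restrict privileges to those the application asks for' step.
    """
    if not SAFE_NAME.fullmatch(name):
        raise ValueError(f"bad profile name: {name!r}")
    rules = set()
    for path, mode in requests:
        if mode not in MODES:
            raise ValueError(f"unknown mode: {mode!r}")
        rules.add(f"  {validate_path(path)} {MODES[mode]},")
    return "profile %s {\n%s\n}\n" % (name, "\n".join(sorted(rules)))


if __name__ == "__main__":
    # Constructed request, using the paths named in the post.
    sample = [
        ("/etc/passwd", "write"),
        ("/etc/group", "write"),
        ("/usr/share/{bin,lib}/**", "write"),
    ]
    print(build_profile("installer_request", sample))
```

The rendered text is also what the daemon could show the user before asking for consent, since each line names one path and one permission.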

  2. #2
    Re: Fill gap between sudo and policykit

    Hi Lachu,

    There might even be a lot more involved here, but I'm not sure. IMHO you'd better be posting this on the factory mailing list, the #opensuse-factory channel on IRC, or the #factory channel on the openSUSE Discord instance.
    ° Appreciate my reply? Click the star and let me know why.

    ° Perfection is not gonna happen. No way.

    https://en.opensuse.org/openSUSE:Board#Members
    http://en.opensuse.org/User:Knurpht
    http://nl.opensuse.org/Gebruiker:Knurpht
