Fill gap between sudo and policykit

  1. Sudo requires to grant whole set of privileges. Sometimes installers asks for administrator password and it doesn’t necessary needs all privileges. Also, user don’t know, what it does.

  2. Polkit requires to special services be implemented in system and not be too handy as sudo

  3. Partnership (my own project, which I was creating many years ago) allows to use special files, which will be preprocess by partnership’s preprocessor, read and analyze output of script written in simple shell language and points user what this output will do, using partnership’s definition and manual pages. It don’t allow to use . and … symbols and creating directory in random place in /tmp. It match files and programs to one’s definitions and manual page. It was very odd and I abandon project.

  4. New approach
    I will use apparmor and special daemon, which will handle special DBus (Polkit) interface. It will be system daemon, not session. Application will generate asks for example to writes to /etc/passwd and /etc/group and onto /usr/share/{bin,lib}/** . The golden path will be: My daemon will translate it onto binary apparmor format, will store current application rights, grant root rights to app (i don’t know how) and restrict privileges to which application asks. But before place piece on start of golden path, user will be prompted to accept rights app asked. If not, app will receive access denied DBUS message. After done, application can asks to get previous set of privileges (not root and before we apply apparmor rules).
    I think, I will use similar approach as Partnership (read each program/file definition from my daemon database and manuals and present it to user).

I thought about different way, like using bumblewrap in place of apparmor.

Why I wrote all this? Because I need a tutor - somebody, who knows apparmor / policykit or bublewrap internals. Also, maybe another developers could be helpful.

Hi Lachu,

There might even be a lot more involved here, but I’m not sure. IMHO you’d better be posting this on the factory mailing list, the #opensuse-factory channel on IRC, or the #factory channel on the openSUSE Discord instance.