PolicyKit, for the Love of God

I just wonder if there is a technical reference and/or a HOW-TO guide to PolicyKit that is a) current, and b) accurate. Any pointers to anything like that would be much welcome. TIA.

P.S.: The more I look at it, the more it looks like an experiment gone wrong. Frankenstein sort of thing :\

On 05/25/2011 04:33 PM, licehunter wrote:
> Any pointers to anything like that would be much welcome. TIA.

http://www.google.com/search?q=site%3Adoc.opensuse.org+policykit

WIA.


dd CAVEAT: http://is.gd/bpoMD
[NNTP via openSUSE 11.4 [2.6.37.6-0.5] + KDE 4.6.0 + Thunderbird 3.1.10]
Dual booting with Sluggish Loser7 on Acer Aspire One D255

Nope. The above results do not pass neither the current nor the accurate tests (I’m using polkit-1 btw).

For the love of god why didn’t you actually read the very first item that came up with the google search. It has a link to what you are looking for. I feel like just stopping here and make you look for it because it took me all of five seconds to find it. But here it is

PolicyKit Reference Manual

For the love of god why didn’t you actually read the very first item that came up with the google search. It has a link to what you are looking for. I feel like just stopping here and make you look for it because it took me all of five seconds to find it. But here it is

PolicyKit Reference Manual

Have you by any chance tried to manage your policykit permissions on an OpenSUSE 11.4 box using the above documentation? Have you successfully found what parameter you had to change in what file in order to produce a desired outcome, and did the result turn out to be as expected?

Due to the nature of a group of machines I manage, I need to change a number of PK permissions from their default settings, and so far that’s proven to be a game of guesswork and not always with a satisfactory outcome.

With that said, OpenSUSE’s own documentation is, relatively speaking, more helpful than the hideous upstream material.

On 09/04/2011 05:36 PM, licehunter wrote:
>
> Have you by any chance tried to manage your policykit permissions on an
> OpenSUSE 11.4 box using the above documentation? Have you successfully
> found what parameter you had to change in what file in order to produce
> a desired outcome, and did the result turn out to be as expected?

no. i’m very willing to admit i have never touched any policykit
admustment knobs…never had reason to…

> Due to the nature of a group of machines I manage, I need to change a
> number of PK permissions from their default settings, and so far that’s
> proven to be a game of guesswork and not always with a satisfactory
> outcome.

perhaps you might want to consider using an enterprise level
distribution for the “group of machines” you manage…many (most?)
folks consider openSUSE to be a little short lived to press into
commercial service…personally, though openSUSE is perfect for me
and my needs i can certainly see that other distros might be best for
you (i wouldn’t want to be pushed into installing/upgrading a “group of
machines” every year—but, maybe you want to do that)…both Red Hat
and SUSE Linux may be a better fit for your needs, AND offer
commercial/enterprise level help (where folks who have tried to manage
their policykit permissions with provided documentation offer support)

> With that said, OpenSUSE’s own documentation is, relatively speaking,
> more helpful than the hideous upstream material.

really: i am sorry you are not having an easy time of this…

these are the fora of free and open source users helping other users!
since more than three months have passed between your initial question
and today, it seems likely to me that the users with the knowledge
required to actually help you have either not wandered by, or have
decided not to help (i don’t know why they wouldn’t help…unless maybe
the ones with he knowledge thought your subject line is both insulting
and demeaning, or didn’t like your ‘Frankenstein’ insult)…

you might find help (above the technical level of the users here) if
you, for the Love of God, talk directly with the openSUSE developers
(who provided the “relatively speaking, more helpful”
documentation)…but, those folks are almost never here…however,
they are easy to find on IRC and mail list…start here:
http://en.opensuse.org/openSUSE:Communication_channels

but, just a friendly word: if you go there asking for help you might
find more willing developer/helpers if you don’t begin by telling them
how hideous their documentation is, even if it is, relatively, better
than that which comes from the source…[maybe you would like to contact
the source and help put the upstream documentation into perfectly usable
condition, you could do that by beginning here
<http://en.wikipedia.org/wiki/PolicyKit>]

on the other hand, you may do as you wish…


DD
openSUSE®, the “German Automobiles” of operating systems

DenverD,
I know you pointed out to the OP that there is a PolicyKit manual but admin of OpenSuse 11.4 policies differs from earlier versions of PolicyKit. It is now ALL polkit-1 thingies. Fortunately I have fought through some bl**dy polkit activities.
In case anybody else happens upon this page basically you have to do this:
0) Not that if you change security setting from EASY to SECURE you will change the standard polkit setting to RESTRICTIVE(hence USB doesn’t work for standard users…)

  1. Policies are controlled by polkit-default-privs.local (It over-rides .standard and .restrictive) in /etc. I copy .standard to .local and edit that file.
  2. To get the new policies accepted you have to issue the following command as root:
    /sbin/set_polkit_default_privs
  3. This changes the various settings for All users:Inactive_User:Active_User (The Active_User is the user logged in)
  4. In OpenSuSE 11.4 you can check each of these settings by looking at pkla files in /var/lib/polkit-1/localauthority/10-vendor.d (Which are the actual settings tested when an action is performed).
  5. It’s possible to get a list of available actions using: pkaction

What each of the settings means should begin to make a little sense by looking at the polkit-default-privs.* files but it has to be said that documentation on EACH setting hasn’t been put together in one place (that I am aware of).

However, I hope I’ve given the OP (or some others) a pointer on how to go.

I do agree though, “POLKIT, FOR THE LOVE OF GOD!!!”

By the way - it would be nice if somebody at Novell/wherever could have gone through the polkit files to clean out the hal stuff. This is now deprecated…

Mike

On 2011-11-01 06:56, LleMikeByw wrote:
>
> DenverD,
> I know you pointed out to the OP that there is a PolicyKit manual but
> admin of OpenSuse 11.4 policies differs from earlier versions of
> PolicyKit. It is now ALL polkit-1 thingies. Fortunately I did I have
> fought through some bl**dy polkit activities.

Thank you for this post. What I know about polkit is that is a beast better
to keep far away, and have the luck of not needing to change things.


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)

On 11/01/2011 06:56 AM, LleMikeByw wrote:
> By the way - it would be nice if somebody at Novell/wherever could have
> gone through the polkit files to clean out the hal stuff. This is now
> deprecated…
>

-=WELCOME=- new poster!! that is a really good observation…which
needs to go into a bug (so some dev puts it on their to-do
list…otherwise it may get over looked over and over in their mad rush
to meet the next release date (always less than 8 months away–don’t ask
me why, i didn’t set that pace!)

not, just mentioning it here will not get it the light it deserves (the
devs seldom if ever come here, and never come to find stuff to
fix–their official list of bugs seems to grow faster than they can
swat) so enter yours here, please: http://tinyurl.com/nzhq7j

thanks for a nice informative post!! hang out.


DD
openSUSE®, the “German Automobiles” of operating systems

otherwise it may get over looked over and over in their mad rush
to meet the next release date

Interesting observation. I did the grind on polkit in OS11.3. The /etc/polkit-default-privs.local (.standard and .restrictive files) seemed to have been draft versions for 11.3 AND in 11.4 they are frankly a little messy (Almost thrown together - “That’ll do!”).

On the deprecation of HAL - I understood that upstream development of OS11.4 had led to the elimination of HAL from the dependencies - but it is possible that they decided to leave the changes until OS12.1 (GIMP is still possibly dependent on HAL).

What I cannot fathom is the change of paths for pkla files between 11.3 and 11.4. Just not logical for such fundamental permission management files…

Will be interested to see what cleaning up has been done in 12.1.

Mike

On 11/01/2011 05:56 PM, LleMikeByw wrote:
> Will be interested to see what cleaning up has been done in 12.1.

you can catch a release candidate 1 now and have a look:
http://software.opensuse.org/developer/

who knows, if you put in the bug soon it might even get fixed (if it is
not already)…but, time is running quickly!


DD
openSUSE®, the “German Automobiles” of operating systems

On 2011-11-01 17:56, LleMikeByw wrote:
> is possible that they decided to leave the changes until OS12.1 (GIMP is
> still possibly dependent on HAL).

And kde3. Remember that it is still provided.


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)

I can understand why some people would hold on to KDE3 - but I took the plunge on KDE4 and the Plasma Dashboard some time ago. KDE4 is powerful but I expect a normal user would have real problems with creating an ideal desktop for themselves.

I do not intend to go down the Gnome route ever (too restrictive). With KDE, my 70yr-old mother is using 128pixel icons on her KDE4 desktop (I don’t think this is easily possible on gnome).

But I’ve digressed from polkit - so I’ll stop there.

Mike

On 2011-11-01 21:36, LleMikeByw wrote:
>
> I can understand why some people would hold on to KDE3 - but I took the
> plunge on KDE4 and the Plasma Dashboard some time ago. KDE4 is powerful
> but I expect a normal user would have real problems with creating an
> ideal desktop for themselves.

I don’t intend to go the route of the kde3 vs kde4 argument. I’m only
mentioning the fact that kde3 is still provided (via community effort) and
that, if I’m not mistaken, it uses hal. It is also necesary for things like
some virtualization engines (vmware, I think). There are many components
that still need HAL.


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)

Carlos,

I understood entirely your earlier comment and appreciate the need to support legacy options - hence the presence of HAL in 11.4.
We continued to keep a team on Windows 2000 well into the XP era simply because one application (from some 5/6) had not been updated to function with XP… but that was in the dark, dark days - and I don’t want to go back there :wink:
As for virtualisation - I’ve been a fan of VirtualBox in recent times but since the takeover (the other one) I’ve been considering QEMU instead (or Xen - not so nice). I’m just waiting for that day when VB becomes the subject of a patent discussion… potentially… I expect…
Mike

Mike,

Thank you for a helpful reply, especially items 1-4.

My latest polkit/PolicyKit woes were satisfactorily dealt with in another post, with the kind assistance of deano_ferrari, but due to the nature of some of the machines I look after, polkit/PolicyKit issues are bound to creep up from time to time and your post will be a useful reference and my first port of call (and hopefully anyone else’s who find themselves in the miserable situation of having to deal with polkit/PolicyKit).