[arch-general] hal has lost its mind again.

David C. Rankin, J.D.,P.E. drankinatty at suddenlinkmail.com
Wed May 20 02:38:22 EDT 2009

On or about Tuesday 19 May 2009 at approximately 03:33:03 bardo composed:
> 2009/5/18 David C. Rankin, J.D.,P.E. <drankinatty at suddenlinkmail.com>:
> >                <match group="users">
> >                        <return result="yes"/>
> >                </match>
> I think this may be your problem. I searched some time ago and found
> out PolicyKit didn't support group matches. A quick look to the
> PolicyKit.conf(5) man page seems to confirm this is still the case.
> Now, I don't know if an invalid entry could invalidate the whole
> config, but it's worth a try.
> Corrado


   You and I may be saying the same thing for two different circumstances. 
Admin_auth certainly allows both user and group auths for actions (man 5 


 This element is used to specify the meaning of "authenticate as 
administrator". It is normally used at the top-level but can also be used 
deep inside a number of match elements for conditional behavior. 

 There can only be a single attribute in each define_admin_auth element. POSIX 
Extended Regular Expression syntax is not supported in the value part, 
however multiple values to match on can be separated with the bar (|) 
character. The following attributes are supported: 

 Administrator authentication means authenticate as the given user(s). If no 
define_admin_auth element is given, the default is to use user="root" e.g. 
administrator authentication means authenticate as the super user. 

 Administrator authentication means that any user in the groups matching the 
given value can be used to authenticate. Typically, on a system with the root 
account disabled one wants to use something like group="wheel" to e.g. enable 
all UNIX users in the UNIX group wheel to be able to authenticate whenever 
administrator authentication is required.


	The strange thing is that I can specify myself or the wheel group as an admin 
with auth privileges and policy kit still doesn't allow access. I haven't had 
time to play with it anymore yet after DR sent his config over, but I'll let 
you know.

David C. Rankin, J.D.,P.E.
Rankin Law Firm, PLLC
510 Ochiltree Street
Nacogdoches, Texas 75961
Telephone: (936) 715-9333
Facsimile: (936) 715-9339
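
An added example, not part of the original message and not PolicyKit's own code: a small Python check for the two rules discussed in this thread, a `<match>` that uses an attribute it does not support and a `define_admin_auth` that must carry exactly one attribute (`user` or `group`). It assumes `<match>` accepts only `user` and `action` with a single attribute per element (the thread says `group` is not supported there), and it runs on a constructed sample config.

```python
import xml.etree.ElementTree as ET

# Assumption: <match> accepts only these attributes (the thread says group is not one).
MATCH_ATTRS = {"user", "action"}
# From the man page excerpt quoted in the message: one attribute, user or group.
ADMIN_AUTH_ATTRS = {"user", "group"}

# Constructed sample: the fragment from the thread inside a minimal config.
SAMPLE = """<config version="0.1">
  <match user="root">
    <return result="yes"/>
  </match>
  <match group="users">
    <return result="yes"/>
  </match>
  <define_admin_auth group="wheel"/>
</config>"""


def lint_policykit_conf(text):
    """Return a list of findings for match and define_admin_auth elements."""
    findings = []
    root = ET.fromstring(text)
    for elem in root.iter():
        if elem.tag == "match":
            allowed = MATCH_ATTRS
        elif elem.tag == "define_admin_auth":
            allowed = ADMIN_AUTH_ATTRS
        else:
            continue
        attrs = set(elem.attrib)
        # Each of these elements takes exactly one attribute.
        if len(attrs) != 1:
            findings.append(
                f"<{elem.tag}>: expected exactly one attribute, got {sorted(attrs)}")
        # Flag attribute names the element does not define.
        for name in sorted(attrs - allowed):
            findings.append(
                f'<{elem.tag} {name}="{elem.attrib[name]}">: unsupported attribute')
    return findings


if __name__ == "__main__":
    for finding in lint_policykit_conf(SAMPLE):
        print(finding)
```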
