[arch-general] netcfg wlan connection renewal
C Anthony Risinger
anthony at xtfx.me
Wed Sep 28 19:14:24 EDT 2011
On Sep 28, 2011 3:53 PM, "Tom Gundersen" <teg at jklm.no> wrote:
>
> On Wed, Sep 28, 2011 at 10:02 PM, Fons Adriaensen <fons at linuxaudio.org>
wrote:
> >
> > Or maybe I'm missing a third possible scenario.
>
> The way it works is that both the frontend (the unprivileged process,
> e.g. the GUI for setting your timezone) and the backend (the
> privileged process, e.g. the app that writes the timezone data to
> /etc/localtime) interface with PK. The backend will ultimately be the
> one deciding who should be allowed to do what under which conditions,
> PK is just the interface that lets this be done in a uniform way.
The process is similar for libvirt -- when the policy is "unix perms only"
having r/w access to the control socket is enough to authorize. However,
when polkit is in use (the default) the socket is world writable simply
because anyone *could* be authorized to use it (you could still use fs perms
if you wanted) ... but all requests must be approved by polkit anyway, and
at no time are you really exposing anything -- all configs/etc are never
directly malleable or even disclosed.
Polkit is a really good thing IMO -- FS perms are good too, but they are
very crude/basic and completely lack expressive power ... not the right tool
for the job.
More information about the arch-general
mailing list