On Thu, 2007-11-01 at 11:22 -0800, Jeff Spaleta wrote:
> On 11/1/07, David Zeuthen <david@fubar.dk> wrote:
> > http://people.freedesktop.org/~david/polkit-gnome-authorizations.png
> > but the UI is likely to change.
> > Hope this helps.
>
> Is per device policy granting in the works? So that certain disks are mountable but others aren't on a user by user basis?

See the last two paragraphs of
http://hal.freedesktop.org/docs/PolicyKit/model-theory-of-operation.html
Basically the way it works right now is that Mechanisms split actions depending on type. Specifically for hal there's a "fixed" and "removable" split. For NM there will be "can-dial-to-trusted-number" and "can-dial-to-untrusted-number"; then the act of making something a trusted number is some other privileged operation (e.g. trusted numbers are the ones listed in a file in /etc, whatever, I don't know).
FWIW, we might add functionality later (the API is extensible) such that PolicyKit can answer questions like
"Is $PROCESS authorized to do $ACTION on $OBJECT on behalf of the user"
(now it's "Is $PROCESS authorized to do $ACTION on behalf of the user")
but right now this isn't there - mainly because there's a ton of problems in how to sanely describe an object (/dev/sda? /dev/disk/by-label? phone number? etc.) and also how to build sane UI around this.

Hope this helps.
> -jef"Idle thought: How well does policy granting work with sabayon?"spaleta
Someone just needs to do it. It's more interesting, however, to consider PolicyKit together with http://freeipa.org/page/Main_Page . As a matter of fact, I'm already working with the FreeIPA guys on this.
David
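
The query shape discussed in this thread, as an added example that is not part of the original message and is not PolicyKit or HAL code: the authority only answers "is this caller authorized for this action", so per-device granularity exists only as far as the mechanism splits its actions by device type. The action ids, device paths and uid are constructed, and a uid stands in for $PROCESS.

```python
# Toy model of the query shape described in the thread; not PolicyKit code.
# Action names, device paths and uids below are constructed for illustration.
from dataclasses import dataclass, field

ACTION_MOUNT_FIXED = "example.storage.mount-fixed"          # hypothetical id
ACTION_MOUNT_REMOVABLE = "example.storage.mount-removable"  # hypothetical id


@dataclass(frozen=True)
class Device:
    path: str
    removable: bool


@dataclass
class Authority:
    """Answers only: is this caller authorized for this action?"""
    grants: dict = field(default_factory=dict)  # uid -> set of action ids

    def is_authorized(self, uid: int, action: str) -> bool:
        # Default deny: unknown uid or ungranted action returns False.
        return action in self.grants.get(uid, set())


def action_for(device: Device) -> str:
    """The mechanism, not the authority, maps an object to an action by type."""
    return ACTION_MOUNT_REMOVABLE if device.removable else ACTION_MOUNT_FIXED


def may_mount(authority: Authority, uid: int, device: Device) -> bool:
    # The device identity is dropped here; only its class reaches the policy.
    return authority.is_authorized(uid, action_for(device))


def demo():
    authority = Authority(grants={1000: {ACTION_MOUNT_REMOVABLE}})
    devices = [
        Device("/dev/sda", removable=False),   # constructed internal disk
        Device("/dev/sdb", removable=True),    # constructed USB stick
        Device("/dev/sdc", removable=True),    # constructed second USB stick
    ]
    return {d.path: may_mount(authority, 1000, d) for d in devices}


if __name__ == "__main__":
    for path, allowed in demo().items():
        print(f"uid 1000 mount {path}: {'allow' if allowed else 'deny'}")
```

Both removable devices get the same answer because the policy never sees which one was asked about; telling them apart would need the $OBJECT form of the question.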