Package: lintian
Version: 2.116.3
Severity: wishlist

It would be useful for Lintian to have some checks for the policy rules
used by polkit (formerly PolicyKit) to decide whether to allow privileged
actions to be done on behalf of unprivileged users:
* packages with JavaScript polkit rules should install them into
  /usr/share/polkit-1/rules.d/*.rules, and not into
  /etc/polkit-1/rules.d/*.rules, which is reserved for the sysadmin
  (very similar to udev-rule-in-etc)

  - pseudocode:

        foreach $path (/etc/polkit-1/rules.d/*.rules) {
            emit polkit-rule-in-etc $path
        }

  - possible text: This package ships polkit rules and installs them
    under /etc/polkit-1, which is reserved for user-installed files.
    The correct location for system rules is
    /usr/share/polkit-1/rules.d/*.rules for JavaScript rules, or
    /var/lib/polkit-1/localauthority/10-vendor.d/*.pkla for legacy
    .pkla rules.

* similarly, packages should not have legacy .pkla rules in
  /etc/polkit-1/localauthority/*.d/*.pkla (very similar to
  udev-rule-in-etc)

  - pseudocode (the opening brace was missing in the original):

        foreach $path (/etc/polkit-1/localauthority/*.d/*.pkla) {
            emit polkit-rule-in-etc $path
        }

  - possible text: same as above

* if a package ships legacy .pkla rules then it should ship a JavaScript
  equivalent, so that it will work as intended without installing
  polkitd-pkla

  - pseudocode:

        foreach $path (
            /var/lib/polkit-1/localauthority/*.d/*.pkla
            /etc/polkit-1/localauthority/*.d/*.pkla
        ) {
            if package does not contain /etc/polkit-1/rules.d/*.rules
                    or /usr/share/polkit-1/rules.d/*.rules {
                emit polkit-rule-without-js-equivalent $path
            }
        }

  - possible text: This package ships legacy polkit rules in .pkla
    format, but does not provide an equivalent in the newer JavaScript
    rules format. Rules in .pkla format will be ignored if the
    polkitd-pkla package is not installed. The package should install a
    JavaScript equivalent of the legacy rules into
    /usr/share/polkit-1/rules.d/*.rules.
  Reference: https://salsa.debian.org/ddp-team/release-notes/-/merge_requests/170
  (or the actual release notes after that MR is merged)
  Reference: https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/66

* emit a classification or info tag for packages with legacy polkit rules
  (still necessary if the package should be backported to Debian 11 or
  Ubuntu 23.04, unnecessary since Debian 12, will hopefully become
  unnecessary in Ubuntu 23.10, at which point this can become a warning)

  - pseudocode:

        foreach $path (
            /var/lib/polkit-1/localauthority/*.d/*.pkla
            /etc/polkit-1/localauthority/*.d/*.pkla
        ) {
            emit polkit-rule-in-pkla-format $path
        }

  - possible text: This package ships legacy polkit rules in .pkla
    format, which have been superseded by the newer JavaScript rules
    format.

Thanks,
smcv
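The four proposed checks, as an added stand-alone Python sketch that is not part of the bug report and not Lintian's own code: it runs over a package's file list (for example the paths from `dpkg-deb -c`), and the sample file list, the glob tables and the function name `polkit_checks` are constructed here for illustration.

```python
# Added example, not from the bug report and not Lintian code: apply the
# proposed polkit checks to a package's file list and return (tag, path)
# findings using the tag names suggested in the report.
from fnmatch import fnmatch

# Locations reserved for the sysadmin: a package must not ship files here.
ETC_RULE_GLOBS = (
    "/etc/polkit-1/rules.d/*.rules",
    "/etc/polkit-1/localauthority/*.d/*.pkla",
)
# Any .pkla file, vendor location or /etc, is a legacy-format rule.
PKLA_GLOBS = (
    "/var/lib/polkit-1/localauthority/*.d/*.pkla",
    "/etc/polkit-1/localauthority/*.d/*.pkla",
)
# JavaScript rules in either location count as a modern equivalent.
JS_RULE_GLOBS = (
    "/etc/polkit-1/rules.d/*.rules",
    "/usr/share/polkit-1/rules.d/*.rules",
)


def _matches(path, globs):
    return any(fnmatch(path, g) for g in globs)


def polkit_checks(paths):
    """Return a list of (tag, path) findings for a package's file list.

    Paths may be absolute or in the "./usr/..." form that dpkg-deb -c prints.
    """
    paths = [p if p.startswith("/") else "/" + p.lstrip("./") for p in paths]
    has_js_rules = any(_matches(p, JS_RULE_GLOBS) for p in paths)
    findings = []
    for p in sorted(paths):
        if _matches(p, ETC_RULE_GLOBS):
            findings.append(("polkit-rule-in-etc", p))
        if _matches(p, PKLA_GLOBS):
            findings.append(("polkit-rule-in-pkla-format", p))
            if not has_js_rules:
                findings.append(("polkit-rule-without-js-equivalent", p))
    return findings


if __name__ == "__main__":
    # Constructed file list for a hypothetical package (not a real one).
    sample = [
        "./usr/share/doc/example/copyright",
        "./etc/polkit-1/rules.d/50-example.rules",
        "./var/lib/polkit-1/localauthority/10-vendor.d/example.pkla",
    ]
    for tag, path in polkit_checks(sample):
        print(f"{tag}: {path}")
```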