On 10-12-17, Joe wrote:
> On Sun, 10 Dec 2017 11:02:45 +0100
> Dejan Jocic <jode...@gmail.com> wrote:
>
> > On 10-12-17, Joe wrote:
> > > On Sun, 10 Dec 2017 00:13:59 +0100
> > > Dejan Jocic <jode...@gmail.com> wrote:
> > >
> > >
> > > >
> > > > Man page for pklocalauthority is a bit more helpful, but far from
> > > > self explanatory.
> > >
> > > And not updated for Debian.
> > >
> > > > In its examples section, it provides some insight about
> > > > writing .pkla files, but it does not show all possible options,
> > > > or at least I can't be sure that it does. For example:
> > > >
> > > > [Exclude Some Problematic Users]
> > > > Identity=unix-user:homer;unix-user:grimes
> > > > Action=com.example.awesomeproduct.*
> > > > ResultAny=no
> > > > ResultInactive=no
> > > > ResultActive=auth_admin
> > > >
> > > > According to that, and after reading man page for polkit, I can
> > > > only deduce that .pkla file will for that example in that
> > > > com.example.awesomeproduct.* files reads lines under defaults and
> > > > "answer" on allow_any and allow_inactive with no value and on
> > > > allow_active with auth_admin value. Fine, that can work. Guess
> > > > that you can use wildcards for all users, like unix-user:*, but
> > > > that is only guess, cause I can't see it documented anywhere
> > > > (might have missed it). What I also do not see anywhere is if
> > > > those are the only options available? Or there is some man page,
> > > > or additional documentation in Debian that can explain that?
> > > >
> > > More examples, and in fact, all the Debian policies, are *.policy
> > > files and under /usr/share/polkit-1, as Brian pointed out.
> > >
> > > --
> > > Joe
> > >
> >
> > And all the files under /usr/share/polkit-1 should listen to the
> > local settings under /etc/polkit-1/localauthority/ so I do not
> > understand what is your point?
>
> I thought you might find more examples helpful. The man page says that
> policies come from /etc/polkit-1 and /var/lib/polkit-1, but on my
> system the /var/lib location is almost empty, and there's a lot
> in /usr/share/polkit-1, almost nothing in /etc/polkit-1.
>

And, like I've said, thank you for your time. But those examples are all policy files and local settings are done under /etc/polkit-1/localauthority.conf.d/ for configuring which users, groups or netgroups will be considered as admins for authentication, and under /etc/polkit-1/localauthority/ directories with .pkla extension files should be used for overriding policies with local settings. At least it goes like that as far as I could deduce from man pages (anyone thinking that I did not understand that well, please correct me).

Now, files under /etc/polkit-1/localauthority.conf.d/ I understand, or at least believe so. What I'm still searching for is better understanding of those .pkla files. I read those man pages some time ago, when I started with attempts to wrap my head around policykit, but was rather busy after that and did not completely finish with it. If I understood it right, about any .pkla file should look something like this:

[ Description of what it does ]
Identity=unix-user:someuser;unix-user:someotheruser;unix-group:somegroup;unix-group:someothergroup;unix-netgroup:somegroup;unix-netgroup:someothergroup
Action=something.from.usr.share.polkit-1.actions
ResultAny=no/yes/auth_self/auth_admin/auth_self_keep/auth_admin_keep
ResultInactive=same/options/as/above
ResultActive=same/options/as/above

Now, what I believe is that for Identity and Action wildcards are allowed and that there are no more options aside from ResultAny, ResultInactive and ResultActive that can follow Action part. And that no, yes or other values will be returned to Defaults section in that policy file defined under Action part and change whatever was defined there.

If someone with greater understanding of Polkit could tell me if I got it right, or not, that would be great. In case that I did not get that right, any point in right direction, or explanation would be great too.

Thank you for your time,

Dejan
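
Added example, not part of the message above and not polkit's own code: a small Python linter for .pkla text that checks the keys and result values named in this thread and in pklocalauthority(8), and flags a "yes" result granted to a wildcard identity. The name lint_pkla, the audit rule and the sample entries are constructed for illustration.

```python
import configparser

# Keys and result values as named in this thread and in pklocalauthority(8).
RESULT_KEYS = ("ResultAny", "ResultInactive", "ResultActive")
KNOWN_KEYS = {"Identity", "Action", "ReturnValue", *RESULT_KEYS}
RESULT_VALUES = {"no", "yes", "auth_self", "auth_admin",
                 "auth_self_keep", "auth_admin_keep"}
ID_PREFIXES = ("unix-user:", "unix-group:", "unix-netgroup:")

def lint_pkla(text):
    """Return a list of (section, message) findings for .pkla text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.optionxform = str  # keep keys as written (configparser lowercases by default)
    cp.read_string(text)
    findings = []
    for name in cp.sections():
        entry = cp[name]
        findings += [(name, f"unknown key {k!r}") for k in entry if k not in KNOWN_KEYS]
        findings += [(name, f"missing {k}") for k in ("Identity", "Action")
                     if not entry.get(k, "").strip()]
        idents = [i.strip() for i in entry.get("Identity", "").split(";") if i.strip()]
        findings += [(name, f"bad identity {i!r}") for i in idents
                     if not i.startswith(ID_PREFIXES)]
        results = {k: entry[k].strip() for k in RESULT_KEYS if k in entry}
        findings += [(name, f"{k} has invalid value {v!r}")
                     for k, v in results.items() if v not in RESULT_VALUES]
        # Audit rule (hypothetical, chosen for this example): "yes" for a wildcard
        # identity authorizes every matching subject without authentication.
        wide = any(i.split(":", 1)[1] == "*" for i in idents if ":" in i)
        if wide and "yes" in results.values():
            findings.append((name, "wildcard identity granted 'yes'"))
    return findings

# Constructed sample: the first entry is the man page example quoted in the
# thread; the second is made up, with a misspelled key and a broad grant.
SAMPLE = """\
[Exclude Some Problematic Users]
Identity=unix-user:homer;unix-user:grimes
Action=com.example.awesomeproduct.*
ResultAny=no
ResultInactive=no
ResultActive=auth_admin

[Constructed broad grant]
Identity=unix-user:*
Action=com.example.awesomeproduct.*
ResultInactivee=no
ResultActive=yes
"""

if __name__ == "__main__":
    for section, msg in lint_pkla(SAMPLE):
        print(f"{section}: {msg}")
```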