On Fri, Jun 13, 2008 at 07:37:09AM -0700, Danek Duvall wrote:
> On Fri, Jun 13, 2008 at 09:18:49AM -0500, Shawn Walker wrote:
> > Darren Moffat wrote:
> > > Shawn Walker wrote:
> > > > I was looking for a confident way to ensure "up-front" that a user has
> > > > the necessary privileges without relying on the (incorrect)
> > > > sledgehammer approach of requiring root.
> > >
> > > There isn't one and not even checking for uid=0 is correct.
> 
> So while I understand all that, I'd like a bit of clarification on two
> points.
> 
> First, as I understand it, it's good form for a GUI to disable (grey out or
> whatever) operations which are inappropriate or impossible at any given
> time, such as installing a package onto an image where you don't have
> sufficient permissions to complete the operation successfully.
> 
>   - Is this not actually the good form I think it is?

It is, I think.

>   - Is this just impossible to do, regardless of form?

Maybe.

One possibility is to have a daemon that does authorization and all the
work.  So the pkg utilities talk to the daemon and the daemon checks
that the euid of its callers has the right authorizations, and goes from
there.

SMF works this way.

Such a daemon would have to run with privilege, but then you run into
secure NFS (if an image is remote).  Oops.

So, yes, I tend to think that this is just impossible.

>   - If so, do we just have to suck it up and deal, or is there some other
>     way of thinking about the problem which sidesteps the issue entirely?

Well, maybe you can play with the above suggestion.

> Second, what's the expected behavior on partial failure?  That is, say I
> have permissions to write files all over the image I'm installing on, but
> not to chmod them.  Or I have write permissions on part of the directory
> tree but not others.  Is my only recourse filesystem rollback?  What does
> one do when that's not an option?

I think partial failure is something that can always happen unless you
have a system with atomic transactions.  Applications that manipulate
lots of files as part of their transactions don't usually implement
atomic transactions.  (But with ZFS around...)
_______________________________________________
pkg-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/pkg-discuss
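The partial-failure point in the reply above, as an added example that is not pkg(5) code and not from anyone in this thread: an up-front permission check (os.access on the parent directories, the kind of thing a GUI might use to grey out a button) is kept as advisory only, and every applied step is journaled so the tree can be put back when a later step is refused. The "deny" action that raises PermissionError is a constructed stand-in for a chmod or write the kernel or an NFS server refuses after earlier steps succeeded; the file names and contents are constructed for the demo.

```python
"""
Journaled multi-file install with rollback on partial failure.

Added example, not pkg(5) code. The precheck is advisory (os.access only
looks at DAC bits of the parent directory and says nothing about the
privilege needed for chmod/chown, about NFS server-side checks, or about
what changes between the check and the operation), so the install itself
must cope with a failure after some steps have already been applied.
"""
import os
import stat
import tempfile


class Denied(PermissionError):
    """Constructed failure: stands in for EACCES/EPERM on a later step."""


def precheck(root, actions):
    """Advisory up-front check; True means 'probably', never 'certainly'."""
    for kind, rel, *_ in actions:
        parent = os.path.dirname(os.path.join(root, rel)) or root
        if not os.access(parent, os.W_OK | os.X_OK):
            return False
    return True


class InstallTransaction:
    """Applies actions in order, recording an undo closure for each one."""

    def __init__(self, root):
        self.root = root
        self.undo = []  # replayed in reverse order on rollback

    def _path(self, rel):
        return os.path.join(self.root, rel)

    def _write(self, rel, data):
        path = self._path(rel)
        if os.path.exists(path):
            with open(path, "rb") as f:
                old = f.read()
            old_mode = stat.S_IMODE(os.stat(path).st_mode)

            def undo():
                with open(path, "wb") as f:
                    f.write(old)
                os.chmod(path, old_mode)
        else:
            def undo():
                os.unlink(path)
        tmp = path + ".pkgtmp"
        try:
            with open(tmp, "wb") as f:
                f.write(data)
            os.rename(tmp, path)  # atomic per file; the whole set is not
        except OSError:
            if os.path.exists(tmp):
                os.unlink(tmp)
            raise
        self.undo.append(undo)

    def _chmod(self, rel, mode):
        path = self._path(rel)
        old_mode = stat.S_IMODE(os.stat(path).st_mode)
        os.chmod(path, mode)
        self.undo.append(lambda: os.chmod(path, old_mode))

    def apply(self, actions):
        """Run all actions; on the first OSError roll back and re-raise."""
        try:
            for kind, rel, *args in actions:
                if kind == "write":
                    self._write(rel, args[0])
                elif kind == "chmod":
                    self._chmod(rel, args[0])
                elif kind == "deny":  # constructed: refusal after prior steps
                    raise Denied("simulated EACCES on %s" % rel)
                else:
                    raise ValueError(kind)
        except OSError:
            self.rollback()
            raise
        return len(self.undo)

    def rollback(self):
        while self.undo:
            self.undo.pop()()


def run_demo():
    """Constructed image: precheck passes, step 4 is refused, tree restored."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(root, "etc", "app.conf"), "wb") as f:
        f.write(b"old config\n")
    actions = [
        ("write", "etc/app.conf", b"new config\n"),
        ("write", "bin_tool", b"#!/bin/sh\necho hi\n"),
        ("chmod", "bin_tool", 0o755),
        ("deny", "etc/app.conf"),
    ]
    ok = precheck(root, actions)
    failed = False
    try:
        InstallTransaction(root).apply(actions)
    except PermissionError:
        failed = True
    with open(os.path.join(root, "etc", "app.conf"), "rb") as f:
        conf = f.read()
    return {"precheck": ok, "failed": failed,
            "files": sorted(os.listdir(root)), "conf": conf}


if __name__ == "__main__":
    print(run_demo())
```

The journal only covers files the transaction itself touched; it is not a filesystem-level rollback, so a crash between a step and its undo record, or an undo step that is itself refused, still leaves the image inconsistent. That is the gap the reply points at, and it is what a ZFS snapshot taken before the install would close.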
