Shawn Walker wrote:
> 2008/6/13 Michal Pryc <[EMAIL PROTECTED]>:
>> Shawn Walker wrote:
>>> http://cr.opensolaris.org/~migi/packagemanager-integration/src/cmd/gui/modules/userrights.py.html
>>> ==============================
> ...
>>> The check done here for Solaris doesn't seem right to me. The last
>>> time I asked a Sun engineer about how "permission checks" should be
>>> handled, I was told that an application should simply perform
>>> operations and fail gracefully. You shouldn't "check for permission"
>>> first before attempting.
>> That seems wrong to me; how should the app know if the user has rights to
>> install/remove packages? This was the easiest way of doing this without
>> checking user profiles/roles. If the user doesn't have rights all the
>> buttons should be disabled. In the above example it is possible to determine
>> if the user has rights after performing an operation such as
>> install/remove/update and then disabling buttons... ?
> 
> Here are a few quotes from Darren J Moffat from when this question came
> up for a pkg gui that John Hawk was writing:
> 
> Darren Moffat wrote:
>> You REALLY REALLY REALLY REALLY don't want to test that the user has a
>> specifically named profile - not even pfexec (pfsh,etc) do that.  It is
>> very likely that the user may have a differently named profile with the
>> required privileges/uid assigned to the command.
> 
> Darren Moffat wrote:
>> Shawn Walker wrote:
>>> explicitly checked for the "Software Installation Profile" -- since
>>> I'm the ignorant person that suggested this to John, can you clarify
>>> how you can check for sufficient privileges?
>> You shouldn't; you should do the operation and if it fails with
>> permission denied you know you don't have permission.  It isn't your job
>> as a userland application or library to check privileges; that is the job
>> of the kernel.  Don't try and second guess the kernel.
> 
> Darren Moffat wrote:
>> Shawn Walker wrote:
>>> I was looking for a confident way to ensure "up-front" that a user has
>>> the necessary privileges without relying on the (incorrect)
>>> sledgehammer approach of requiring root.
>> There isn't one and not even checking for uid=0 is correct.
> 
> In short, Darren paints this as, "Look before you Leap" and believes
> it to be "quite anti Python style".
> 
> So, I would urge you to remove this check.

Shawn,
So basically I agree with what you and Darren are saying. On the 
other hand we were discussing the behavior with the xDesign team and we 
agreed to disable buttons if the user is unable to perform some operation 
before the operation is executed.
To follow that functional specification I don't know of another way of 
implementing this than what we've done in the GUI. Maybe someone could 
propose some other way?

On our desktop other applications do it exactly the same way, for 
example solaris-printmgr-wrapper.

What is happening is that we are running packagemanager with gksu:

gksu /usr/bin/packagemanager

In this case the uid of the user is 0 even if this is a normal user with 
special privileges. gksu, and not packagemanager, is taking care of 
user privileges and access. Then in packagemanager we are checking 
only the UID, so we are not checking named profiles; those are handled by the 
underlying gksu.

In the first phase we wanted to do something which would solve many 
problems for us, and this simply works, but at some point we will be 
changing those bits, for example to support user-based images. As for now 
I would simply stick with what is there and move forward, since there 
are other more important issues such as performance and BE support to 
work on :)

-- 
best
Michal
_______________________________________________
pkg-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/pkg-discuss
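
Added example, not part of the original thread and not packagemanager's code: a sketch of the "attempt the operation and fail gracefully" pattern quoted above, applied to the button-disabling requirement. The names `attempt`, `touch_marker`, `refused` and `Buttons` are hypothetical, and the denied case is a constructed stand-in so it runs the same way for any user.

```python
import errno
import os

# errno values the kernel uses to report a refused operation.
DENIED = {errno.EACCES, errno.EPERM}


def attempt(operation, *args):
    """Run operation and return (ok, result).

    A permission failure is reported as (False, None); every other
    error propagates unchanged so real bugs are not hidden.
    """
    try:
        return True, operation(*args)
    except OSError as exc:
        if exc.errno in DENIED:
            return False, None
        raise


def touch_marker(image_dir):
    """Hypothetical privileged step: create a file inside the image."""
    path = os.path.join(image_dir, "install.marker")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    os.close(fd)
    return path


def refused(_image_dir):
    """Constructed stand-in for a kernel refusal (EACCES)."""
    raise PermissionError(errno.EACCES, "Permission denied")


class Buttons:
    """Hypothetical GUI state: controls stay enabled until the kernel
    actually refuses an operation, with no uid or profile test."""

    def __init__(self):
        self.enabled = True

    def run(self, operation, *args):
        ok, result = attempt(operation, *args)
        if not ok:
            self.enabled = False  # grey out install/remove/update
        return result
```
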