tangent: PolicyKit and PAM
Matthew Miller
mattdm at mattdm.org
Tue Nov 24 18:18:21 UTC 2009
On Tue, Nov 24, 2009 at 12:44:00PM -0500, Matthias Clasen wrote:
> > 1. In fact, a PAM-backed authority for PolicyKit might be interesting and
> > useful -- but there's a tangent.
> What do you think PolicyKit is using for authentication ?
> See
> http://cgit.freedesktop.org/PolicyKit/tree/src/polkitagent/polkitagenthelper.c
It uses it for authentication *and* for authorization, but it uses one
service name (polkit-1) for everything (which is in turn configured by
default to just defer to the standard system-auth service definition). This
arrangement isn't particularly useful for a flexible authorization policy.
You can use it for the big-hammer "user-is-locked out" stuff, but not for
things like "local users can install packages without a password, only
during business hours", which PAM is perfectly expressive enough to do (with
existing modules, even).
I don't think, offhand, that it could be quite as flexible as the Local
Authority currently in PolicyKit or via some fancy LDAP Authority, but I
don't think it necessarily would need to be. The main advantage would be
that instead of having yet another way (and again, I want to emphasize that
I think PolicyKit is good work) to implement authorization policy, one could
use PolicyKit with a well-understood mechanism that's been in production use
since the 90s.
Like I said, this is a tangent, and I'm certainly not expecting anyone to
work on this. But it'd be cool if they did.
--
Matthew Miller <mattdm at mattdm.org>
Senior Systems Architect
Cyberinfrastructure Labs / Instructional & Research Computing
Computing & Information Technology
Harvard School of Engineering & Applied Sciences
More information about the fedora-devel-list
mailing list