clock riddle

Michal Jaegermann michal at harddata.com
Tue Feb 24 18:09:13 UTC 2009


On Tue, Feb 24, 2009 at 08:10:07AM -0600, Chris Adams wrote:
> 
> The question is: what path is this taking to get the required access
> level (I guess PolicyKit)?  What other things may be available this way
> (is there any limit)?  How was this audited before being added to
> Fedora?
> 
> There is a bug about this in RH BZ (450304) that has been open since
> 2008-06-06 with basically no action.

Here is a script which allows to check and override defaults in
question:

#!/bin/sh

# Change insane defaults for messing with system clock.
# To grant/revoke some particular action to a given user use polkit-auth

if [ "$1" ] ; then
    show=yes
fi

actions="
org.gnome.clockapplet.mechanism.settimezone
org.gnome.clockapplet.mechanism.settime
org.gnome.clockapplet.mechanism.configurehwclock
"

if [ "$show" = yes ] ; then
    for act in $actions ; do
        polkit-action --action $act
    done
else
    for act in $actions ; do
        polkit-action --set-defaults-active $act  auth_admin_keep_session
    done
fi

If you want there 'auth_admin_keep_session' or something else
(see 'man polkit-action' for possibilities) that is up to you.

> What mechanism is there to keep track of these policies?

No idea; but apparently it does not work too well.
I did not try so far to audit what are defaults for anything which
shows up when you type 'polkit-action'.  Quite likely I should.

   Michal




More information about the fedora-test-list mailing list