
#1 2011-09-07 08:16:38

olive
Member
From: Belgium
Registered: 2008-06-22
Posts: 1,490

Consolekit authorization

If we launch an X session with ck-launch-session (or with an appropriate window manager), consolekit gives special authorizations to users physically logged on to the machine (vs. users remotely logged in), for example the permission to mount removable devices. ck-list-session says whether consolekit considers that a user is physically logged in or not (I do not quite understand how consolekit knows this, but it is through integration with the display manager or agetty). My question is: how can this be configured? How can I know what powers a physically connected user has? How can I be sure that (s)he cannot rm -rf / ? It seems very obscure and not very well documented. Can anyone point me in the right direction?

P.S. I have already started a thread more or less on this topic ( https://bbs.archlinux.org/viewtopic.php?id=125946 ), but my question is a bit different and I prefer to make a new thread instead.


#2 2011-09-07 09:51:30

.:B:.
Forum Fellow
Registered: 2006-11-26
Posts: 5,819

Re: Consolekit authorization

Consolekit is all about more fine-grained control. There's hardly gonna be any users that will be able to rm -rf /, unless you explicitly allowed them to.

Consolekit's policy is to refuse privileges by default. You have to grant permissions explicitly.

I think consolekit is altogether pretty well documented: http://www.freedesktop.org/wiki/Software/ConsoleKit.

Last edited by .:B:. (2011-09-07 09:52:11)


#3 2011-09-07 10:06:17

olive
Member
From: Belgium
Registered: 2008-06-22
Posts: 1,490

Re: Consolekit authorization

.:B:. wrote:

Consolekit is all about more fine-grained control. There's hardly gonna be any users that will be able to rm -rf /, unless you explicitly allowed them to.

Consolekit's policy is to refuse privileges by default. You have to grant permissions explicitly.

I think consolekit is altogether pretty well documented: http://www.freedesktop.org/wiki/Software/ConsoleKit.

The example of rm -rf / was extreme. But consolekit allows some privileges by default to local users (at least in the default configuration of Arch). Mounting something is not something normally allowed to users; it is a privilege. The same goes for powering off the machine, etc. So in a system where security is important it is necessary to understand where it is configured. The documentation you pointed me to is more an API for developers. I am looking for the configuration files to see exactly what privileges users have and where they are configured.

Last edited by olive (2011-09-07 10:10:36)
