cannot disable something for everyone except a group

Bug #621416 reported by Thomas NOEL
Affects: policykit-1 (Ubuntu)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned

Bug Description

Binary package hint: policykit-1

I want to disable the org.freedesktop.upower.hibernate action for all my users, except for a "hibersus" group.

I try this pkla :

[Disable hibernate/suspend for all users]
Identity=unix-user:*
Action=org.freedesktop.upower.suspend;org.freedesktop.upower.hibernate
ResultActive=no
ResultInactive=no
ResultAny=no

[Enable hibernate/suspend for the group hibersus]
Identity=unix-group:hibersus
Action=org.freedesktop.upower.suspend;org.freedesktop.upower.hibernate
ResultActive=yes
ResultInactive=no
ResultAny=no

I found this file simple and logical... but it doesn't work : users in the hibersus group cannot hibernate (like any other users). Reading "man pklocalauthority" I think the cause is the algorithm: unix-user:* takes precedence.

So, I know that this is not really a bugreport (wishlist, at least), but : how can I disable an action for everyone (user:*) except a group ? If I can't, I think there is a bug in polkit...

Thanks
--
Thomas

James Westby (james-w) wrote : Re: [Bug 621416] [NEW] cannot disable something for everyone except a group

On Fri, 20 Aug 2010 21:25:13 -0000, Thomas NOEL <email address hidden> wrote:
> Public bug reported:
>
> Binary package hint: policykit-1
>
> I want to disable the org.freedesktop.upower.hibernate action for all my
> users, except for a "hibersus" group.
>
> I try this pkla :
>
> [Disable hibernate/suspend for all users]
> Identity=unix-user:*
> Action=org.freedesktop.upower.suspend;org.freedesktop.upower.hibernate
> ResultActive=no
> ResultInactive=no
> ResultAny=no
>
> [Enable hibernate/suspend for the group hibersus]
> Identity=unix-group:hibersus
> Action=org.freedesktop.upower.suspend;org.freedesktop.upower.hibernate
> ResultActive=yes
> ResultInactive=no
> ResultAny=no
>
> I found this file simple and logical... but it doesn't work : users in
> the hibersus group cannot hibernate (like any other users). Reading "man
> pklocalauthority" I think the cause is the algorithm: unix-user:* takes
> precedence.
>
> So, I know that this is not really a bugreport (wishlist, at least), but
> : how can I disable an action for everyone (user:*) except a group ? If
> I can't, I think there is a bug in polkit...

Did you try putting the policies at different precedences?

01-disable-...
02-enable-...

Thanks,

James

Thomas NOEL (thomas-noel) wrote :

Thanks @James,

Yes, I tried. The problem, I think, is the algorithm (man pklocalauthority) : « First, the user of the Subject is determined and the groups that the user belongs are looked up. For each group identity, the authorization entries are consulted in order. (...) Finally, the authorization entries are consulted using the user identity in the same manner. (...) Note that processing continues even after a match. »

I thought I could ban all users (unix-user:*) and authorize a group (unix-group:hibersus). But I can not : it is the prohibition of all users that will be taken into account at the end of the process... The order (user/group) does not matter.

If someone has another idea ... I can test ;)

Thanks
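
Following the manpage passage quoted above (user entries are consulted after group entries, and processing continues after a match), this added example, which is not polkit's code and not part of the original comments, parses .pkla text and lists the group entries whose result a unix-user entry on the same action would replace. The function names are hypothetical, the sample is constructed from the reported entries, and `fnmatchcase` stands in for polkit's glob matching.

```python
import configparser
from fnmatch import fnmatchcase

# Constructed sample: the two entries from the original report, in one file.
REPORTED = """\
[Disable hibernate/suspend for all users]
Identity=unix-user:*
Action=org.freedesktop.upower.suspend;org.freedesktop.upower.hibernate
ResultActive=no
ResultInactive=no
ResultAny=no

[Enable hibernate/suspend for the group hibersus]
Identity=unix-group:hibersus
Action=org.freedesktop.upower.suspend;org.freedesktop.upower.hibernate
ResultActive=yes
ResultInactive=no
ResultAny=no
"""

RESULT_KEYS = ("ResultAny", "ResultInactive", "ResultActive")

def parse_pkla(text):
    """Return one dict per [section]: identities, actions, results."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))  # ':' occurs in values
    cp.optionxform = str  # keep key case (default lowercases keys)
    cp.read_string(text)
    split = lambda v: [x.strip() for x in v.split(";") if x.strip()]
    return [{"name": s,
             "identities": split(cp[s].get("Identity", "")),
             "actions": split(cp[s].get("Action", "")),
             "results": {k: cp[s].get(k) for k in RESULT_KEYS}}
            for s in cp.sections()]

def shadowed_group_entries(entries):
    """List (group identity, action, user identity) where a unix-user entry
    on the same action carries different results than a unix-group entry."""
    hits = []
    for g in entries:
        for u in entries:
            if g["results"] == u["results"]:
                continue  # same outcome either way, nothing is replaced
            for gid in (i for i in g["identities"] if i.startswith("unix-group:")):
                for uid in (i for i in u["identities"] if i.startswith("unix-user:")):
                    for act in g["actions"]:
                        if any(fnmatchcase(act, pat) for pat in u["actions"]):
                            hits.append((gid, act, uid))
    return hits
```

Calling `shadowed_group_entries(parse_pkla(REPORTED))` reports both actions of the hibersus entry against `unix-user:*`; a file set that contains only unix-group identities yields an empty list.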

James Westby (james-w) wrote : Re: [Bug 621416] Re: cannot disable something for everyone except a group

On Sat, 21 Aug 2010 11:07:25 -0000, Thomas NOEL <email address hidden> wrote:
> Thanks @James,
>
> Yes, I tried. The problem, I think, is the algorithm (man
> pklocalauthority) : « First, the user of the Subject is determined and
> the groups that the user belongs are looked up. For each group identity,
> the authorization entries are consulted in order. (...) Finally, the
> authorization entries are consulted using the user identity in the same
> manner. (...) Note that processing continues even after a match. »
>
> I thought I could ban all users (unix-user:*) and authorize a group
> (unix-group:hibersus). But I can not : it is the prohibition of all
> users that will be taken into account at the end of the process... The
> order (user/group) does not matter.
>
> If someone has another idea ... I can test ;)

Try disabling for all groups, then enabling for a single group?

Thanks,

James

Thomas NOEL (thomas-noel) wrote :

On 21 August 2010 at 13:39, James Westby wrote:
> Try disabling for all groups, then enabling for a single group?

In fact, whatever I do with groups, it does not work. As the pklocalauthority
manpage said : « Finally, the authorization entries are consulted using the
user ».

A solution is to modify the file
/usr/share/polkit-1/actions/org.freedesktop.upower.policy and disable the
feature by default (and enable it for the group). But I'm looking for a
solution that does not change the system files.

Thanks,
--
Thomas

Thomas NOEL (thomas-noel) wrote :

OOOoooooooooopppsss... Forgive me.

Your solution works : I just have to create 2 pkla files in /etc/polkit/ :

  thomas@zepo:~$ cat /etc/polkit-1/localauthority/50-local.d/01-enable.pkla
  [Enable hibernate/suspend for the group hibersus]
  Identity=unix-group:hibersus
  Action=org.freedesktop.upower.suspend;org.freedesktop.upower.hibernate
  ResultActive=yes
  ResultInactive=no
  ResultAny=no

  thomas@zepo:~$ cat /etc/polkit-1/localauthority/50-local.d/02-disable.pkla
  [Disable hibernate/suspend for all groups]
  Identity=unix-group:*
  Action=org.freedesktop.upower.suspend;org.freedesktop.upower.hibernate
  ResultActive=no
  ResultInactive=no
  ResultAny=no

and it works like a charm.

Sorry...
--
Thomas (and now I have to find how to erase a bugreport ... ;) )

Changed in policykit-1 (Ubuntu):
status: New → Invalid