[Adding Holger, the original submitter, to the CC - please see the last two
messages for some more context]
Hi Simon,
Wow, thank you so much for the detailed explanation!
> In general: writing some document on how to replace use of at_console
> policies (and in general all <allow send_*> rules) with polkit has been
> on my to-do list for a while, but it deserves a better writeup than I
> am able to do right now.
That's absolutely fine and thank you so much for your detailed
explanation you provided in your previous mail!
Alas, however, I'm finding it difficult summarising it in the Lintian
description for this tag to solve Holger's original question/query.
Can you help?
The description for the tag is:
Tag: dbus-policy-at-console
Severity: normal
Certainty: certain
Info: The package contains D-Bus policy configuration that uses the
deprecated <tt>at_console</tt> condition to impose a different policy
for users who are "logged in at the console" according to
systemd-logind, ConsoleKit or similar APIs, such as:
.
<policy context="default">
<deny send_destination="com.example.PowerManagementDaemon"/>
</policy>
<policy at_console="true">
<allow send_destination="com.example.PowerManagementDaemon"/>
</policy>
.
The maintainers of D-Bus recommend that services should allow or deny
method calls according to broad categories that are not typically altered
by the system administrator (usually either "all users", or only root
and/or a specified system user). If finer-grained authorization
is required, the service should accept the method call message, then call
out to PolicyKit to decide whether to honor the request. PolicyKit can
use system-administrator-configurable policies to make that decision,
including distinguishing between users who are "at the console" and
those who are not.
Ref: https://bugs.freedesktop.org/show_bug.cgi?id=39611
… or perhaps we should wait until the aforementioned docs are written such
that we can link to them?
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` la...@debian.org / chris-lamb.co.uk
`-
