Roland Mas wrote:
> Michael Biebl, 2009-11-26 12:02:18 +0100 :
> 
> [...]
> 
>> Is there an upstream bug tracker, i.e. have you forwarded this
>> upstream?  Should I do this?
> 
> There's no upstream bug tracker, only a mailing-list [1].  I'd be
> grateful if you did the forwarding, yes, since you're probably going to
> be much more informative than I could :-)

Hi Roland,

I investigated a bit more thoroughly what argyll is doing wrt policykit.

So, what does it do [1]:
It installs a hal fdi file
/usr/share/hal/fdi/policy/10osvendor/19-color.fdi
which tells hal to set the access_control key for a certain class of usb 
devices.
Whenever such a usb device is connected, hal will apply an ACL to that device,
granting the currently active user full access to that device.
The PolicyKit file that is installed by argyll defines who to grant access:
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
That means inactive users won't be granted access, only locally logged-in users
that are active.

For all this to work, hal needs to be compiled with acl-management and
policykit support, which it no longer is from 0.5.13-4 onwards.

So the hal fdi file and PolicyKit file are basically useless.

It also has to be noted that the argyll package installs udev rules which
apply mode 666 to those usb devices (which I btw consider a security risk!).
Applying an ACL on top of that won't give you a lot.

My recommendation:
Drop the hal fdi files and PolicyKit files. Drop the dependency on policykit.
(this should be done in any case as it is superfluous as shown above).
But also: Drop chmodding the devices 666.

Instead:
Use the udev-acl support in newer udev revisions and apply an ACL for the
currently active user on the fly. This requires a recent udev version (>= 146)
and consolekit installed.
For this to work, set the ACL_MANAGE=1 variable for the devices in your udev
rules instead of statically chmodding the device 666.

If you want to see how this works, take a look at 
/lib/udev/rules.d/70-acl.rules.

Hope this helps,
Michael



[1] http://www.argyllcms.com/doc/Installing_Linux.html#PolicyKit
-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
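
Added example, not part of the original message or of Argyll's packaging: a small Python check that flags udev rules assigning a world-writable MODE and reports whether the same rule also sets ACL_MANAGE, the combination the message calls pointless. The sample rules and the vendor/product ids are constructed, and the `ENV{ACL_MANAGE}="1"` spelling is an assumption based on ordinary udev ENV assignment syntax.

```python
import re

# Constructed sample rules; ids are placeholders, not real devices.
SAMPLE_RULES = '''\
# constructed example
SUBSYSTEM=="usb", ATTR{idVendor}=="aaaa", ATTR{idProduct}=="0001", MODE="666"
SUBSYSTEM=="usb", ATTR{idVendor}=="aaaa", ATTR{idProduct}=="0002", MODE="0660", GROUP="plugdev"
SUBSYSTEM=="usb", ATTR{idVendor}=="aaaa", ATTR{idProduct}=="0003", ENV{ACL_MANAGE}="1"
SUBSYSTEM=="usb", ATTR{idVendor}=="aaaa", ATTR{idProduct}=="0004", \\
  MODE="0666", ENV{ACL_MANAGE}="1"
'''

# Assignment ("=" or ":="), not a "==" match, of an octal mode.
MODE_RE = re.compile(r'(?<![\w{])MODE\s*(?::=|=)(?!=)\s*"([0-7]{3,4})"')
# Assignment of any non-empty value to ENV{ACL_MANAGE}.
ACL_RE = re.compile(r'ENV\{ACL_MANAGE\}\s*(?::=|\+=|=)(?!=)\s*"[^"]+"')

def logical_lines(text):
    """Yield (first_line_number, rule) with backslash continuations joined."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = n
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        yield start, (buf + raw).strip()
        buf, start = "", None
    if buf:  # file ended in the middle of a continued rule
        yield start, buf.strip()

def audit(text):
    """Return (line, mode, also_sets_acl) for each rule whose MODE lets 'other' write."""
    findings = []
    for lineno, rule in logical_lines(text):
        if not rule or rule.startswith("#"):
            continue
        m = MODE_RE.search(rule)
        if m and int(m.group(1), 8) & 0o002:
            findings.append((lineno, m.group(1), bool(ACL_RE.search(rule))))
    return findings

if __name__ == "__main__":
    for lineno, mode, has_acl in audit(SAMPLE_RULES):
        note = "ACL_MANAGE set too, but the mode already opens the device to everyone" \
            if has_acl else "no per-user ACL; every local account can write to the device"
        print(f"line {lineno}: MODE={mode}: {note}")
```
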
