On 01.02.2012 23:50, Brian Potkin wrote:
> On Wed 01 Feb 2012 at 22:36:22 +0100, Michael Biebl wrote:
>
>>> On mer., 2012-02-01 at 19:54 +0000, Brian Potkin wrote:
>>>>
>>>> In brief: /etc/polkit-1/localauthority/50-local.d/ seems to the place to
>>>> inform Policykit about local policy, so one solution would be for the
>>>> user to put .pkla files there. An example might be:
>>>>
>>>> [udisks]
>>>> Identity=unix-group:plugdev
>>>> Action=org.freedesktop.udisks*
>>>> ResultAny=yes
>>
>> I wouldn't recommend doing that.
>
> I'd be interested in knowing why. Is it using 50-local.d for this
> purpose or something in the structure of the example which is not
> acceptable.

The purpose of the plugdev group was previously defined as allowing users to mount removable media. By granting access to org.freedesktop.udisks* merely by being a member of that group, those users can now format your system drive. I don't think you want that.

And there's a lot of other stuff which won't work if your session is not marked as active, like network-manager, packagekit, upower, etc... Basically everything which has <allow_active>yes</allow_active> in /usr/share/polkit-1/actions/. It just isn't feasible anymore to work around that by creating groups for all those different purposes and adding users manually.

So all in all I don't think it's a good idea to document such a workaround as a somehow "blessed" method to deal with this.

For now, I'd just recommend to use a supported display manager.

The problem with startx resp. the 90consolekit script is, that it is run as unprivileged user and CK no longer trusts this context.

That said, I don't think this problem is unfixable. I guess what it requires is that the PAM stack is setting up the right context so CK can trust it.

Cheers,
Michael

-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
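Added example, not part of the original message or of polkit: a small audit that parses .pkla text and lists every action id a "yes" entry covers, run here on the entry quoted in the thread. The action list is a constructed, assumed subset; on a real system the ids would be read from the .policy files in /usr/share/polkit-1/actions/.

```python
import configparser
from fnmatch import fnmatchcase

# Constructed sample: the .pkla entry quoted in the thread.
SAMPLE_PKLA = """\
[udisks]
Identity=unix-group:plugdev
Action=org.freedesktop.udisks*
ResultAny=yes
"""

# Constructed sample of action ids (assumed subset, not read from a system).
KNOWN_ACTIONS = [
    "org.freedesktop.udisks.filesystem-mount",
    "org.freedesktop.udisks.filesystem-mount-system-internal",
    "org.freedesktop.udisks.drive-eject",
    "org.freedesktop.udisks.change",
    "org.freedesktop.udisks.change-system-internal",
    "org.freedesktop.NetworkManager.network-control",
]

RESULT_KEYS = ("ResultAny", "ResultInactive", "ResultActive")


def audit_pkla(text, known_actions):
    """Return one finding per section that answers 'yes' without authentication."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case; configparser lowercases by default
    cp.read_string(text)
    findings = []
    for name in cp.sections():
        sec = cp[name]
        grants = [k for k in RESULT_KEYS if sec.get(k, "").strip() == "yes"]
        if not grants:
            continue
        # Action= is a semicolon-separated list of globs.
        globs = [g.strip() for g in sec.get("Action", "").split(";") if g.strip()]
        matched = sorted(a for a in known_actions
                         if any(fnmatchcase(a, g) for g in globs))
        findings.append({
            "section": name,
            "identities": [i for i in sec.get("Identity", "").split(";") if i],
            "grants": grants,
            "wildcard": any("*" in g or "?" in g for g in globs),
            "any_session": "ResultAny" in grants,  # applies to inactive sessions too
            "matched": matched,
        })
    return findings
```

On the quoted entry the finding lists all five sample udisks ids, including the system-internal ones, rather than only the removable-media mount action.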