Review Request 129983: [RFC] PoC patch for polkit support in kio.

Chinmoy Ranjan Pradhan chinmoyrp65 at gmail.com
Wed Mar 22 17:09:41 UTC 2017



> On March 22, 2017, 10:08 a.m., Elvis Angelaccio wrote:
> > src/ioslaves/file/kauth/file.actions, lines 1-5
> > <https://git.reviewboard.kde.org/r/129983/diff/5/?file=492986#file492986line1>
> >
> >     I don't see the advantage of using a single kauth action. This way you are generating only one "generic" polkit action that you can either enable or disable. Instead if we used one polkit action per operation (del, rmdir, etc.) we could allow a more fine-grained control. For example, a sysadmin could decide that the users can create files in write protected locations, but they cannot delete existing files.

Some operations may use more than one polkit action, like Delete. If we use one polkit action per operation then we will have to provide credentials for every polkit action that operation might use. Though we can add the necessary code for this, it will only complicate the matter.

> we could allow a more fine-grained control

Does this involve editing the policy file directly or just writing a config file? In the latter case we can provide control over execution of actions within the ioslave. 'execWithRoot' can perform a check prior to execution of the polkit action.


- Chinmoy Ranjan


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://git.reviewboard.kde.org/r/129983/#review102932
-----------------------------------------------------------


On March 14, 2017, 2:48 p.m., Chinmoy Ranjan Pradhan wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://git.reviewboard.kde.org/r/129983/
> -----------------------------------------------------------
> 
> (Updated March 14, 2017, 2:48 p.m.)
> 
> 
> Review request for KDE Frameworks, David Faure and Elvis Angelaccio.
> 
> 
> Repository: kio
> 
> 
> Description
> -------
> 
> This is regarding the GSOC idea https://community.kde.org/GSoC/2017/Ideas#Project:_Polkit_support_in_KIO.
> 
> This patch intends to demonstrate one possible approach to provide polkit support in kio. Here it's only for the delete operation. This is based on the patch in task https://phabricator.kde.org/T5070.
> 
> The approach is as follows:
> 1. Whenever the file ioslave gets an access denied error it calls the method *execWithRoot* with the action that requires privilege, the path of items
>    upon which the action needs to be performed and a warning ID as arguments.
> 2. *execWithRoot* then executes the KAuth::Action *org.kde.kio.file.execute*.
> 3. This KAuth::Action has its Persistence set to 'session'. This means that after authentication the restrictions are dropped for a while, for
>    about 5 minutes. This is similar to the behaviour of the sudo command.
> 4. During this time we can perform any action as a privileged user without any authentication. So, to prevent any mishap, I added a warning box which
>    would pop up before performing any action (only during this period).
> 5. After the said time interval the root privileges are dropped and calling *execWithRoot* should show the usual authentication dialog.
> 
> 
> Diffs
> -----
> 
>   src/ioslaves/file/CMakeLists.txt b9132ce 
>   src/ioslaves/file/file.h 109ea80 
>   src/ioslaves/file/file.cpp eaf6c88 
>   src/ioslaves/file/file_unix.cpp 82eb11a 
>   src/ioslaves/file/kauth/CMakeLists.txt PRE-CREATION 
>   src/ioslaves/file/kauth/file.actions PRE-CREATION 
>   src/ioslaves/file/kauth/helper.h PRE-CREATION 
>   src/ioslaves/file/kauth/helper.cpp PRE-CREATION 
> 
> Diff: https://git.reviewboard.kde.org/r/129983/diff/
> 
> 
> Testing
> -------
> 
> 
> File Attachments
> ----------------
> 
> warning dialog
>   https://git.reviewboard.kde.org/media/uploaded/files/2017/03/09/d42570e8-aedf-4c02-801e-362a68755c2c__polkit_integration.png
> 
> 
> Thanks,
> 
> Chinmoy Ranjan Pradhan
> 
>
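
The trade-off debated in this thread, as an added example that is not part of either message or of the KIO patch: a toy C++ model of an authority that keeps a grant per action id for about five minutes. The `Authority` type, the `example.*` action ids and the assumption that a delete needs both a `del` and an `rmdir` action are hypothetical.

```cpp
// Toy model (added illustration, not KIO, KAuth or polkit code).
#include <map>
#include <string>
#include <vector>
enum class Policy { No, AuthAdminKeep };          // constructed subset of outcomes

struct Authority {
    std::map<std::string, Policy> policy;         // set by the sysadmin, per action id
    std::map<std::string, long> grantedUntil;     // action id -> grant expiry (seconds)
    long keepSeconds = 300;                       // "about 5 minutes" in the description
    int prompts = 0;                              // authentication dialogs shown
    bool check(const std::string &id, long now) {
        auto p = policy.find(id);
        if (p == policy.end() || p->second == Policy::No) return false;
        auto g = grantedUntil.find(id);
        if (g != grantedUntil.end() && now < g->second) return true;  // grant still valid
        ++prompts;                                // assume the user authenticates
        grantedUntil[id] = now + keepSeconds;     // grant is kept for this id only
        return true;
    }
};

// An operation runs only if every action id it needs is authorized.
bool run(Authority &a, const std::vector<std::string> &ids, long now) {
    for (const auto &id : ids)
        if (!a.check(id, now)) return false;
    return true;
}

struct Result { bool createOk, deleteOk; int prompts; };
// One generic action, as in the patch: the first grant covers every operation.
Result singleAction(long deleteAt) {
    Authority a;
    a.policy["org.kde.kio.file.execute"] = Policy::AuthAdminKeep;
    bool c = run(a, {"org.kde.kio.file.execute"}, 0);
    bool d = run(a, {"org.kde.kio.file.execute"}, deleteAt);
    return {c, d, a.prompts};
}

// Hypothetical per-operation ids; delete is assumed to need del and rmdir.
Result perOperation(Policy deletePolicy) {
    Authority a;
    a.policy["example.create"] = Policy::AuthAdminKeep;
    a.policy["example.del"] = a.policy["example.rmdir"] = deletePolicy;
    bool c = run(a, {"example.create"}, 0);
    bool d = run(a, {"example.del", "example.rmdir"}, 60);
    return {c, d, a.prompts};
}
int main() { return singleAction(60).prompts == 1 ? 0 : 1; }
```

In this model the single action needs one prompt for create plus delete inside the window, while per-operation ids let delete be denied on its own but cost three prompts when everything is allowed.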
