[gvfs/wip/oholy/admin-hang: 1/2] admin: Make the privileged group configurable
- From: Ondrej Holy <oholy src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [gvfs/wip/oholy/admin-hang: 1/2] admin: Make the privileged group configurable
- Date: Wed, 12 May 2021 08:50:17 +0000 (UTC)
commit f259d0361d9c3235daf997babe2be8335c65c1c7
Author: Ondrej Holy <oholy redhat com>
Date: Wed May 12 10:19:56 2021 +0200
admin: Make the privileged group configurable
Currently, the `wheel` group is hardcoded in the `.rules` file, which is there
to prevent a redundant password prompt when starting gvfsd-admin. Debian-based
systems use the `sudo` group instead of `wheel`. Let's make
the privileged group configurable.
https://gitlab.gnome.org/GNOME/gvfs/-/issues/565
daemon/meson.build | 11 +++++++++--
...-operations.rules => org.gtk.vfs.file-operations.rules.in} | 4 ++--
meson.build | 4 +++-
meson_options.txt | 1 +
4 files changed, 15 insertions(+), 5 deletions(-)
---
diff --git a/daemon/meson.build b/daemon/meson.build
index dffeef3e..c89ef407 100644
--- a/daemon/meson.build
+++ b/daemon/meson.build
@@ -374,8 +374,15 @@ if enable_admin
install_dir: gvfs_datadir / 'polkit-1/actions',
)
- install_data(
- gvfs_namespace + '.file-operations.rules',
+ rules = gvfs_namespace + '.file-operations.rules'
+
+ rules_conf = configuration_data()
+ rules_conf.set('PRIVILEGED_GROUP', privileged_group)
+
+ configure_file(
+ input: rules + '.in',
+ output: rules,
+ configuration: rules_conf,
install_dir: gvfs_datadir / 'polkit-1/rules.d',
)
endif
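Review bot: `privileged_group` is passed to `rules_conf.set('PRIVILEGED_GROUP', privileged_group)` without any check, and in the `.rules.in` hunk it lands inside a JavaScript string literal (`subject.isInGroup ("@PRIVILEGED_GROUP@")`) of a rule that returns `polkit.Result.YES`. An empty value, or one containing a quote or backslash, would produce a rules file that is broken or that does not express what the packager intended, and nothing reports it at configure time. A guard before the `set()` call would catch this, for example `if privileged_group.strip() == '' or privileged_group.contains('"')` followed by `error('privileged_group must be a plain group name')`. The enclosing `if enable_admin` block starts outside the hunk.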
diff --git a/daemon/org.gtk.vfs.file-operations.rules b/daemon/org.gtk.vfs.file-operations.rules.in
similarity index 78%
rename from daemon/org.gtk.vfs.file-operations.rules
rename to daemon/org.gtk.vfs.file-operations.rules.in
index fb137327..a3a2f643 100644
--- a/daemon/org.gtk.vfs.file-operations.rules
+++ b/daemon/org.gtk.vfs.file-operations.rules.in
@@ -1,4 +1,4 @@
-// Allows users belonging to wheel group to start gvfsd-admin without
+// Allows users belonging to privileged group to start gvfsd-admin without
// authorization. This prevents redundant password prompt when starting
// gvfsd-admin. The gvfsd-admin causes another password prompt to be shown
// for each client process using the different action id and for the subject
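Review bot: The header comment now says only "privileged group", so the installed rules file no longer tells an administrator auditing `polkit-1/rules.d` which group gets the password-less start. Since the file goes through `configure_file()`, the comment can carry the placeholder as well: `// Allows users belonging to the @PRIVILEGED_GROUP@ group to start gvfsd-admin without`. The comment block continues beyond the hunk.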
@@ -7,7 +7,7 @@ polkit.addRule(function(action, subject) {
if ((action.id == "org.gtk.vfs.file-operations-helper") &&
subject.local &&
subject.active &&
- subject.isInGroup ("wheel")) {
+ subject.isInGroup ("@PRIVILEGED_GROUP@")) {
return polkit.Result.YES;
}
});
diff --git a/meson.build b/meson.build
index b881ebe3..4e5e021b 100644
--- a/meson.build
+++ b/meson.build
@@ -299,6 +299,7 @@ endif
config_h.set('HAVE_GCR', enable_gcr)
# *** Check if we should build with admin backend ***
+privileged_group = get_option('privileged_group')
enable_admin = get_option('admin')
if enable_admin
libcap_dep = dependency('libcap')
@@ -493,7 +494,8 @@ meson.add_install_script(
summary({
'systemduserunitdir': systemd_systemduserunitdir,
'tmpfilesdir': systemd_tmpfilesdir,
-}, section: 'Directories')
+ 'privileged_group': privileged_group,
+}, section: 'Configuration')
summary({
'admin': enable_admin,
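Review bot: Renaming the section to `'Configuration'` moves `systemduserunitdir` and `tmpfilesdir` out of `'Directories'` only to host one new key, and `privileged_group` is printed even when the admin backend is disabled and the rules file is not installed. Keeping `section: 'Directories'` as it was and listing `'privileged_group': privileged_group,` next to `'admin': enable_admin,` in the following `summary()` call would keep the output grouped by meaning. That second `summary()` call continues outside the hunk, so its section name is not visible here.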
diff --git a/meson_options.txt b/meson_options.txt
index 32f10d42..5059161b 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -1,5 +1,6 @@
option('systemduserunitdir', type: 'string', value: '', description: 'custom directory for systemd user
units, or \'no\' to disable')
option('tmpfilesdir', type: 'string', value: '', description: 'custom directory for tmpfiles.d config files,
or \'no\' to disable')
+option('privileged_group', type: 'string', value: 'wheel', description: 'custom name for group that has
elevated permissions')
option('admin', type: 'boolean', value: true, description: 'build with admin backend')
option('afc', type: 'boolean', value: true, description: 'build with afc backend and volume monitor')
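Review bot: The description `'custom name for group that has elevated permissions'` does not say what the group is actually granted, which matters to whoever sets the option. Going by the rules file in this commit, local and active members of the group get `polkit.Result.YES` for `org.gtk.vfs.file-operations-helper`, so a more precise text would be `description: 'group whose local, active members may start gvfsd-admin without a polkit password prompt (e.g. wheel or sudo)'`. It would also help to note that the option only has an effect when `admin` is enabled.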