Re: PolicyKit integration (#490200)



On Fri, 2009-02-20 at 21:54 +0100, stephane demurget free fr wrote:
> Do you think all those are possible and correct, or do you see an  
> alternative implementation? You have the best experience with  
> GIO/GVS/Nautilus, so I guess you could come up with the best  
> implementation plan, seeing the whole picture ;)

In general it's almost always a bad idea to try to guess what will happen
when you start doing I/O. There are innumerable ways in which things can
go in ways you didn't expect (like I/O errors, weird filesystems, race
conditions with other apps, etc). The only stable and correct approach
is to just "do it" and handle the errors as they come.

Of course, in some cases it's also nice to check for *obvious* problems
before starting the operation, like we do when checking the destination's
approximate space requirements before starting a copy. This is useful
because it lets you terminate early instead of waiting a long time
before getting an error. However you *still* need to check for and
handle out-of-space issues in every I/O operation.

For the case of raising the privilege of the app, this is a risky thing,
and we don't want to risk doing that unnecessarily, so it's imho not a good
idea to guess when to do this.

> Could you sketch down a couple of points of your ideal implementation,
> if it's not just a privileged helper at the GFile level? Maybe you
> thought something different since the blog post about the user
> interaction already?

I haven't really had time to think about it, but the general approach is
to have a gvfs backend that accesses local files via a privileged
helper. Then the nautilus file operations code would switch to using
this after authentication when it detects that local file operations
fail due to permission errors.

> What tears me is that it might be distribution-specific issues and
> then I'd think of the PolKit integration as some sort of hack around
> that, which is IMHO not the way forward then.

I think it's a combination. The distro should be able to mount e.g.
removable media such that you get write permissions on your USB sticks
or whatever. However, there are always cases where you really want a
privilege increase, e.g. when you want to move around files in /etc,
give another user access to your files, or whatever.

For example, it's considered a bad idea to log in to a graphical desktop
as root, since that gives increased privileges to *everything* and thus
you risk both malicious attacks and unintended mistakes in any app
affecting everything on the system. Instead it would make sense for a
sysadmin to log in as himself and only request privs for the specific
operations he wants to do.


