field | value | date
---|---|---
author | Miloslav Trmač <mitr@redhat.com> | 2013-04-18 21:14:08 +0200
committer | Miloslav Trmač <mitr@redhat.com> | 2013-05-06 19:50:18 +0200
commit | 6859857757d7f4b8908970f12a12eee891d87dda (patch) |
tree | 2e10029ab6e5fc41aacfff8f5f1a7e3b7cc3f423 /docs/polkit/overview.xml |
parent | 31b138d17f259f2d06a86dbbd31202ef43dbfa41 (diff) |
More warnings about using auth_self*
Suggested by Colin Walters.
https://bugs.freedesktop.org/show_bug.cgi?id=57284
Diffstat (limited to 'docs/polkit/overview.xml')
-rw-r--r-- | docs/polkit/overview.xml | 24 |
1 files changed, 22 insertions, 2 deletions
diff --git a/docs/polkit/overview.xml b/docs/polkit/overview.xml index fb14e50..150a7bc 100644 --- a/docs/polkit/overview.xml +++ b/docs/polkit/overview.xml @@ -74,6 +74,24 @@ <listitem> <para> + <emphasis role='bold'>DO</emphasis> consider the impact of the + chosen implicit authorizations on multi-user systems. Generally, + ordinary users should be able to neither modify important system's + behavior for other users, nor view other users' private data. If + your application needs an authorization framework at all, it is + fairly likely that the default configuration should deny + authorization in at least some cases. Default to using + <literal>auth_admin</literal>* instead of + <literal>auth_self</literal>*. (On single-user desktops, the + single user is typically configured as a polkit administrator, so + the two variants behave equally. On multi-user systems, + non-administrator users will be restricted by the default + configuration.) + </para> + </listitem> + + <listitem> + <para> <emphasis role='bold'>DO</emphasis> pass polkit variables along with <link linkend="eggdbus-method-org.freedesktop.PolicyKit1.Authority.CheckAuthorization">CheckAuthorization()</link> @@ -261,8 +279,10 @@ that can be used together with <ulink url="http://developer.gnome.org/gtk3/unstable/GtkLockButton.html"><type>GtkLockButton</type></ulink>. Note that for <type>GtkLockButton</type> to work well, the - polkit action backing it should use <literal>auth_admin_keep</literal> or - <literal>auth_self_keep</literal> for its implicit authorizations. + polkit action backing it should use <literal>auth_admin_keep</literal> + for its implicit authorizations (or more rarely + <literal>auth_self_keep</literal> for services which don't affect other + users). This is often used to implement an <ulink url="http://developer.gnome.org/hig-book/3.2/hig-book.html#windows-instant-apply">instant apply</ulink> paradigm whereby the user |
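Review bot: In the first hunk (the new DO item at @@ -74,6 +74,24 @@), "modify important system's behavior for other users" is ungrammatical; suggest "modify important system behavior for other users" or "modify the system's behavior for other users". Same hunk: the asterisk in `<literal>auth_admin</literal>*` and `<literal>auth_self</literal>*` sits outside the literal element, so it renders in body font rather than monospace next to the identifier; consider `<literal>auth_admin*</literal>` and `<literal>auth_self*</literal>`, which also matches how `<literal>auth_admin_keep</literal>` is marked up in the second hunk.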
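Review bot: In the second hunk (@@ -261,8 +279,10 @@), the parenthetical "or more rarely auth_self_keep for services which don't affect other users" states the multi-user criterion more loosely than the new DO item above, which names two distinct concerns (changing system behavior for other users and viewing other users' private data); suggest either aligning the wording, e.g. "for actions that neither change system behavior for other users nor expose their data", or pointing back to that item, so the two passages do not drift apart. Minor: "which don't" reads better as "that do not" in reference documentation.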