diff options
| author | Thomas Haller <thaller@redhat.com> | 2019-12-10 08:51:03 +0100 |
|---|---|---|
| committer | Thomas Haller <thaller@redhat.com> | 2019-12-11 11:52:05 +0100 |
| commit | 6d7446e52f5bfe379c2b1f54f9244b33fd236e32 (patch) | |
| tree | 769e891b307fa5d68c924d57379c8fadae8ce3d7 /configure.ac | |
| parent | c21c6bc0be2a4467402bc2d8718859dedb10b676 (diff) | |
core: add main.auth-polkit option "root-only"
We always build with PolicyKit support enabled, because it has no
additional dependencies, beside some D-Bus calls.
However, in NetworkManager.conf the user could configure
"main.auth-polkit" to disable PolicyKit. However, previously it would
only allow to disable PolicyKit while granting access to all users.
I think it's useful to have an option that disables PolicyKit and grants
access only to root. I think we should not go too far in implementing
our own authorization mechanisms beside PolicyKit (e.g. you cannot
disable PolicyKit and grant access based on group membership of the
user). However, disabling PolicyKit can be useful sometimes, and it's
simple to implement a "root-only" setup.
Note one change is that when NetworkManager now runs without a D-Bus
connection (in initrd), it would deny all non-root requests. Previously
it would grant access. I think there should be little difference in
practice, because if we have no D-Bus we also don't have any requests to
authenticate.
Diffstat (limited to 'configure.ac')
| -rw-r--r-- | configure.ac | 12 |
1 files changed, 6 insertions, 6 deletions
diff --git a/configure.ac b/configure.ac index 70d8ff29cb..44bf51a11f 100644 --- a/configure.ac +++ b/configure.ac @@ -614,18 +614,18 @@ AM_CONDITIONAL(WITH_JSON_VALIDATION, test "${enable_json_validation}" != "no") # default configuration for main.auth-polkit. User can always enable/disable polkit # authorization via config. AC_ARG_ENABLE(polkit, - AS_HELP_STRING([--enable-polkit=yes|no], + AS_HELP_STRING([--enable-polkit=yes|no|root-only], [set default value for auth-polkit configuration option. This value can be overwritten by NM configuration. 'disabled' is an alias for 'no']), [enable_polkit=${enableval}], [enable_polkit=yes]) -if (test "${enable_polkit}" != "no" -a "${enable_polkit}" != "disabled"); then +if test "${enable_polkit}" == "root-only" ; then + enable_polkit='root-only' +elif test "${enable_polkit}" != "no" -a "${enable_polkit}" != "disabled" ; then enable_polkit=true - AC_DEFINE(NM_CONFIG_DEFAULT_MAIN_AUTH_POLKIT, "true", [The default value of the auth-polkit configuration option]) - AC_SUBST(NM_CONFIG_DEFAULT_MAIN_AUTH_POLKIT_TEXT, true) else enable_polkit=false - AC_DEFINE(NM_CONFIG_DEFAULT_MAIN_AUTH_POLKIT, "false", [The default value of the auth-polkit configuration option]) - AC_SUBST(NM_CONFIG_DEFAULT_MAIN_AUTH_POLKIT_TEXT, false) fi +AC_DEFINE_UNQUOTED(NM_CONFIG_DEFAULT_MAIN_AUTH_POLKIT, "$enable_polkit", [The default value of the auth-polkit configuration option]) +AC_SUBST(NM_CONFIG_DEFAULT_MAIN_AUTH_POLKIT_TEXT, "$enable_polkit") PKG_CHECK_MODULES(POLKIT, [polkit-agent-1 >= 0.97], [have_pk_agent=yes],[have_pk_agent=no]) AC_ARG_ENABLE(polkit-agent, |