Bug 11476

Summary: draksec does not modify permissions
Product: Mageia
Reporter: Daniele B <daniele_bb>
Component: RPM Packages
Assignee: Colin Guthrie <mageia>
Status: RESOLVED FIXED
QA Contact:
Severity: normal
Priority: Normal
CC: olav, thierry.vignaud, vince.7145
Version: Cauldron
Keywords: Junior_job
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard:
Source RPM: drakxtools-15.68-1.mga4
CVE:
Status comment:

Description Daniele B 2013-10-15 17:36:14 CEST
When opening draksec the window does not show the current setting - all the dropdown menus are blank.

Moreover, changing the settings in any field does not affect anything; the files under /usr/share/polkit-1/actions are never modified (and they should be).


Theme name: oxygen-gtk
RPM: drakxtools-15.68-1.mga4
Kernel version = 3.12.0-desktop-0.rc5.1.mga4
Distribution=Mageia release 4 (Cauldron) for x86_64
CPU=Intel(R) Core(TM) i3 CPU       M 350  @ 2.27GHz

David Walser 2013-10-15 18:13:07 CEST

Hardware: x86_64 => All
Assignee: bugsquad => mageia

Comment 1 Colin Guthrie 2013-10-15 19:14:49 CEST
Implementation notes:

draksec will ship a new file:

/usr/share/polkit-1/rules.d/org.mageia.draksec.rules containing:

polkit.addRule(function(action, subject) {
  if (typeof draksecAuth != "function" || action.id.indexOf("org.mageia.") != 0)
    return polkit.Result.NOT_HANDLED;

  var tool = action.id.split(".")[2];
  var rv = draksecAuth(tool);
  if (rv != polkit.Result.NOT_HANDLED)
    polkit.log("draksec security policy for '" + tool + "' is overriden to '" + rv + "'");
  return rv;
});



The GUI will then change to read/write a file called /etc/polkit-1/rules.d/51-mageia-draksec.rules.

This file will contain e.g.:

var draksecAuth = function(tool) {
  switch (tool) {
    case 'drakconf': return polkit.Result.YES;
    case 'drakrpm': return polkit.Result.AUTH_SELF_KEEP;
  }
  return polkit.Result.NOT_HANDLED;
};


Essentially, for each tool that is overridden from the default, it will contain a case+return pair.

This should be fairly easy to parse using regex in perl. If the file does not exist, then default policy is applied.

The only tricky bit in the UI would be knowing what "default" means (as it would require parsing all the action policy files), but this could be left out.


Ultimately the tool will likely become a lot simpler.

If someone wants to play at learning perl etc. then this is quite a simple task to implement.
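
The override-file round trip described in Comment 1, as an added example (not code from drakxtools or from the commenter): it writes and re-reads the case+return pairs with a strict allow-list, then runs the dispatcher rule against a stand-in `polkit` object. The function names, the stand-in object and the sample action id are assumptions; JavaScript is used rather than Perl so the two rule snippets execute as written.

```javascript
// Added example. `polkit` here is a stand-in for polkitd's rule environment.
const Result = { NO: "no", YES: "yes", AUTH_SELF: "auth_self",
  AUTH_SELF_KEEP: "auth_self_keep", AUTH_ADMIN: "auth_admin",
  AUTH_ADMIN_KEEP: "auth_admin_keep", NOT_HANDLED: "not_handled" };

// Dispatcher rule, copied from the comment above.
const DISPATCHER = `polkit.addRule(function(action, subject) {
  if (typeof draksecAuth != "function" || action.id.indexOf("org.mageia.") != 0)
    return polkit.Result.NOT_HANDLED;
  var tool = action.id.split(".")[2];
  var rv = draksecAuth(tool);
  if (rv != polkit.Result.NOT_HANDLED)
    polkit.log("draksec security policy for '" + tool + "' is overriden to '" + rv + "'");
  return rv;
});`;

// Render the override file from a {tool: RESULT_NAME} map. polkitd executes
// this file, so anything outside a strict allow-list is rejected.
function renderOverrides(map) {
  const cases = Object.entries(map).map(([tool, res]) => {
    if (!/^[A-Za-z0-9_-]+$/.test(tool)) throw new Error("bad tool: " + tool);
    if (!Object.keys(Result).includes(res)) throw new Error("bad result: " + res);
    return `    case '${tool}': return polkit.Result.${res};\n`;
  });
  return "var draksecAuth = function(tool) {\n  switch (tool) {\n" +
    cases.join("") + "  }\n  return polkit.Result.NOT_HANDLED;\n};\n";
}

// Read the case+return pairs back, as the GUI would when it starts.
function parseOverrides(text) {
  const re = /case\s+'([A-Za-z0-9_-]+)'\s*:\s*return\s+polkit\.Result\.([A-Z_]+)\s*;/g;
  const map = {};
  for (const m of text.matchAll(re)) map[m[1]] = m[2];
  return map;
}

// Run the dispatcher against an action id; overrideText may be "" (no file).
function evaluate(actionId, overrideText) {
  const rules = [], logs = [];
  const polkit = { Result, addRule: f => rules.push(f), log: s => logs.push(s) };
  new Function("polkit", overrideText + "\n" + DISPATCHER)(polkit);
  return { result: rules[0]({ id: actionId }, {}), logs };
}

const sampleFile = renderOverrides({ drakconf: "YES", drakrpm: "AUTH_SELF_KEEP" });
console.log(evaluate("org.mageia.drakrpm.run", sampleFile).result); // constructed action id
```
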

Manuel Hiebel 2013-10-15 20:59:33 CEST

Keywords: (none) => Junior_job
CC: (none) => thierry.vignaud

Olav Vitters 2013-10-15 23:36:49 CEST

CC: (none) => olav

Vince45 2013-10-16 16:31:12 CEST

CC: (none) => vince.7145

Comment 2 Colin Guthrie 2013-11-21 22:33:59 CET
This should now be implemented in git, namely this commit:
http://gitweb.mageia.org/software/drakx/commit/?id=3b641cb27c28bdf42865ee15f7ccd2b6c9e9d3d1

(although there were a few other small tidyups).

Comment 3 Colin Guthrie 2013-11-27 13:24:20 CET
Completed as per above comment.

Status: NEW => RESOLVED
Resolution: (none) => FIXED