https://bugzilla.mindrot.org/show_bug.cgi?id=1450
Colin Watson <cjwatson@debian.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |cjwatson@debian.org
--- Comment #5 from Colin Watson <cjwatson@debian.org> 2008-05-26 06:29:41 ---
Sorry I didn't reply to this until now. Sending this patch upstream had
been on my to-do list and I only happened to notice by chance today
that Tomas had helpfully done so for me; apparently I didn't notice I'd
been CCed ...
The policy mechanism in question is for e.g. GUI administrative tools
that want to escalate to root; this allows them to start with much of
the GUI greyed out and activated only once an Unlock button is pressed,
rather than the whole GUI being run as root or - if it's split such
that only a backend process is run as root - failing only when you
actually try to apply changes. It's not a policy mechanism for OpenSSH
itself, and does not overlap with OpenSSH's Match support in any way as
far as I can see.
I can't comment on whether utmp/wtmp would have been suitable; I didn't
write ConsoleKit or PolicyKit, only this patch (accompanied by a not
inconsiderable amount of swearing).
On systems that use ConsoleKit and PolicyKit, you can't use GUI
administrative tools over SSH's X forwarding without sshd registering
with ConsoleKit. This caused us problems with LTSP thin clients. In
that sense, this registration is required on our platform; it's not
critical in that you can still log in without it, but you definitely
lose important functionality without it (not that that's OpenSSH's
fault, it's just a matter of keeping up).
The D-BUS API is insanely verbose and I'm not exactly its biggest fan.
However, I did send a report to the ConsoleKit developers that the
separate set_active business really should be replaced by an extra
parameter to ck_connector_open_session_with_parameters. I haven't
upgraded to a newer upstream version of ConsoleKit yet, so I can't yet
say whether that problem has been fixed. If it has, that would cut down
the size of the registration code considerably.
Separating this out into a separate helper process is tricky because
the registering process needs to stay running (D-BUS notices when it
goes away and tells ConsoleKit to tear down the session, saving on the
need for unregistration code which might fail to get run in the event
of a crash), and we need to set an environment variable based on the
cookie returned by the registration procedure. This shouldn't be an
insurmountable problem, though; I'll have a think about this.
I recognise the licensing problem (though I confess I'd overlooked it
when I first wrote this patch) and don't have a good answer right now.
gnu.org says that the Academic Free Public License is a non-copyleft
GPL-incompatible licence, and I guess they'd be likely to say so if it
were a copyleft; but I haven't read it enough to determine if it adds
any interesting restrictions over and above OpenSSH's licence.
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
Colin Watson <cjwatson@debian.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |cjwatson@debian.org
--- Comment #5 from Colin Watson <cjwatson@debian.org> 2008-05-26 06:29:41 ---
Sorry I didn't reply to this until now. Sending this patch upstream had
been on my to-do list and I only happened to notice by chance today
that Tomas had helpfully done so for me; apparently I didn't notice I'd
been CCed ...
The policy mechanism in question is for e.g. GUI administrative tools
that want to escalate to root; this allows them to start with much of
the GUI greyed out and activated only once an Unlock button is pressed,
rather than the whole GUI being run as root or - if it's split such
that only a backend process is run as root - failing only when you
actually try to apply changes. It's not a policy mechanism for OpenSSH
itself, and does not overlap with OpenSSH's Match support in any way as
far as I can see.
I can't comment on whether utmp/wtmp would have been suitable; I didn't
write ConsoleKit or PolicyKit, only this patch (accompanied by a not
inconsiderable amount of swearing).
On systems that use ConsoleKit and PolicyKit, you can't use GUI
administrative tools over SSH's X forwarding without sshd registering
with ConsoleKit. This caused us problems with LTSP thin clients. In
that sense, this registration is required on our platform; it's not
critical in that you can still log in without it, but you definitely
lose important functionality without it (not that that's OpenSSH's
fault, it's just a matter of keeping up).
The D-BUS API is insanely verbose and I'm not exactly its biggest fan.
However, I did send a report to the ConsoleKit developers that the
separate set_active business really should be replaced by an extra
parameter to ck_connector_open_session_with_parameters. I haven't
upgraded to a newer upstream version of ConsoleKit yet, so I can't yet
say whether that problem has been fixed. If it has, that would cut down
the size of the registration code considerably.
Separating this out into a separate helper process is tricky because
the registering process needs to stay running (D-BUS notices when it
goes away and tells ConsoleKit to tear down the session, saving on the
need for unregistration code which might fail to get run in the event
of a crash), and we need to set an environment variable based on the
cookie returned by the registration procedure. This shouldn't be an
insurmountable problem, though; I'll have a think about this.
I recognise the licensing problem (though I confess I'd overlooked it
when I first wrote this patch) and don't have a good answer right now.
gnu.org says that the Academic Free Public License is a non-copyleft
GPL-incompatible licence, and I guess they'd be likely to say so if it
were a copyleft; but I haven't read it enough to determine if it adds
any interesting restrictions over and above OpenSSH's licence.
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs