[gvfs/wip/oholy/admin-hang: 3/4] admin: Make the privileged group configurable
- From: Ondrej Holy <oholy src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [gvfs/wip/oholy/admin-hang: 3/4] admin: Make the privileged group configurable
- Date: Mon, 7 Jun 2021 07:28:21 +0000 (UTC)
commit 141eee12c5c6c37e098cef2f1a80d1df58168d5b
Author: Ondrej Holy <oholy redhat com>
Date: Wed May 12 10:19:56 2021 +0200
admin: Make the privileged group configurable
Currently, `wheel` group is hardcoded in the `.rules` file which is there
to prevent redundant password prompt when starting gvfsd-admin. The Debian
based systems obviously uses `sudo` group instead of `wheel`. Let's make
the privileged group configurable.
https://gitlab.gnome.org/GNOME/gvfs/-/issues/565
daemon/meson.build | 11 +++++++++--
...-operations.rules => org.gtk.vfs.file-operations.rules.in} | 4 ++--
meson.build | 4 +++-
meson_options.txt | 1 +
4 files changed, 15 insertions(+), 5 deletions(-)
---
diff --git a/daemon/meson.build b/daemon/meson.build
index dffeef3e..c89ef407 100644
--- a/daemon/meson.build
+++ b/daemon/meson.build
@@ -374,8 +374,15 @@ if enable_admin
install_dir: gvfs_datadir / 'polkit-1/actions',
)
- install_data(
- gvfs_namespace + '.file-operations.rules',
+ rules = gvfs_namespace + '.file-operations.rules'
+
+ rules_conf = configuration_data()
+ rules_conf.set('PRIVILEGED_GROUP', privileged_group)
+
+ configure_file(
+ input: rules + '.in',
+ output: rules,
+ configuration: rules_conf,
install_dir: gvfs_datadir / 'polkit-1/rules.d',
)
endif
diff --git a/daemon/org.gtk.vfs.file-operations.rules b/daemon/org.gtk.vfs.file-operations.rules.in
similarity index 78%
rename from daemon/org.gtk.vfs.file-operations.rules
rename to daemon/org.gtk.vfs.file-operations.rules.in
index fb137327..a3a2f643 100644
--- a/daemon/org.gtk.vfs.file-operations.rules
+++ b/daemon/org.gtk.vfs.file-operations.rules.in
@@ -1,4 +1,4 @@
-// Allows users belonging to wheel group to start gvfsd-admin without
+// Allows users belonging to privileged group to start gvfsd-admin without
// authorization. This prevents redundant password prompt when starting
// gvfsd-admin. The gvfsd-admin causes another password prompt to be shown
// for each client process using the different action id and for the subject
@@ -7,7 +7,7 @@ polkit.addRule(function(action, subject) {
if ((action.id == "org.gtk.vfs.file-operations-helper") &&
subject.local &&
subject.active &&
- subject.isInGroup ("wheel")) {
+ subject.isInGroup ("@PRIVILEGED_GROUP@")) {
return polkit.Result.YES;
}
});
diff --git a/meson.build b/meson.build
index b881ebe3..4e5e021b 100644
--- a/meson.build
+++ b/meson.build
@@ -299,6 +299,7 @@ endif
config_h.set('HAVE_GCR', enable_gcr)
# *** Check if we should build with admin backend ***
+privileged_group = get_option('privileged_group')
enable_admin = get_option('admin')
if enable_admin
libcap_dep = dependency('libcap')
@@ -493,7 +494,8 @@ meson.add_install_script(
summary({
'systemduserunitdir': systemd_systemduserunitdir,
'tmpfilesdir': systemd_tmpfilesdir,
-}, section: 'Directories')
+ 'privileged_group': privileged_group,
+}, section: 'Configuration')
summary({
'admin': enable_admin,
diff --git a/meson_options.txt b/meson_options.txt
index 32f10d42..5059161b 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -1,5 +1,6 @@
option('systemduserunitdir', type: 'string', value: '', description: 'custom directory for systemd user
units, or \'no\' to disable')
option('tmpfilesdir', type: 'string', value: '', description: 'custom directory for tmpfiles.d config files,
or \'no\' to disable')
+option('privileged_group', type: 'string', value: 'wheel', description: 'custom name for group that has
elevated permissions')
option('admin', type: 'boolean', value: true, description: 'build with admin backend')
option('afc', type: 'boolean', value: true, description: 'build with afc backend and volume monitor')
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]
