This service will be undergoing maintenance at 00:00 UTC, 2016-08-01. It is expected to last about 1 hours

Bug 538615

Summary: put Local Authority config data files in, and read from, /etc/security/polkit-1/...
Product: [Fedora] Fedora Reporter: seth vidal <svidal>
Component: polkitAssignee: David Zeuthen <davidz>
Status: CLOSED NEXTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 12CC: a.badger, agk, amcnabb, bloch, davidz, k.georgiou, laurent.rineau__fedora, mattdm, mclasen, mharris, nsoranzo, rjones, stijn, tcallawa, tmraz
Target Milestone: ---Keywords: Patch, Reopened
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-02-15 16:40:03 EST Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Attachments:
Description Flags
Patch to use /etc/security/polkit-1 instead of /var/lib/polkit-1
none
specfile patch
none
patch against current (as of Nov 13th) git none

Description seth vidal 2009-11-18 17:48:19 EST
Description of problem:
polkit seems to be putting files in /var/lib which are labeled as .pkla or policy files but they act like config files - in much the same way the /etc/pam.d/ files are config files.

In addition the files in /etc/polkit-1 are labeled with:

# DO NOT EDIT THIS FILE, it will be overwritten on update.


the files in /etc should be config files and the files in /var/lib should be the ones regenerated on update.
Comment 1 Matthew Miller 2009-11-19 06:51:23 EST
*** Bug 538779 has been marked as a duplicate of this bug. ***
Comment 2 Matthew Miller 2009-11-19 06:53:52 EST
I suggest /etc/security/polkit as the best location for these files (modeled after the existing console.apps configuration infrastructure).
Comment 3 Matthias Clasen 2009-11-23 11:30:38 EST
1. polkit installs no files below /var/lib/polkit-1/
2. polkit-desktop-policy does install files there, but they are not config files
Comment 4 Matthew Miller 2009-11-23 11:46:51 EST
Re comment #3: okay, fair enough. But:

1. It installs "do-not-edit" files in /etc, which in turn point to the man page, which points to /var/lib as the location for config files.

This is the issue; the intended-for-a-package-system config files should be read from /usr/share/polkit/[...], and the intended-to-be-edited-or-created-manually files should be in /etc/security/polkit/[...].

2. And that's what should go in /usr/share, yeah?
Comment 5 Matthias Clasen 2009-11-23 12:03:37 EST
Some of the directories below /var/lib/polkit-1/localauthority.d are machine-specific and thus not appropriate below /usr/share
Comment 6 Matthew Miller 2009-11-23 12:18:05 EST
One model in that case is for the files to be installed in /usr/share and for config files in /etc to point to the ones intended to be active for that machine.

Alternately, I think there's enough real-world precedent for putting rpm-managed config files in /etc, and the localauthority subdirectory scheme well-defined enough, that moving that whole tree to /etc/security/polkit-1/localauthority.d would be an improvement over the current state. (Example: fontconfig, and also how gdm used to be.)

In my mind, that's a much less serious problem than vital system policy configuration (as opposed to system state info) unexpectedly living in /var.
Comment 7 seth vidal 2009-11-23 12:18:26 EST
the .pkla files are edited by humans - much like yum .repo files. or pam config files.

If you want to have a hierarchy of them then have the hierarchy be:

/usr/share/polkit/ <-- system-installed defaults
/etc/security/polkit/localauthority.d/{10-vendor.d  20-org.d  30-site.d  50-local.d  90-mandatory.d}

and do away with the /var/lib/polkit entries altogether.
Comment 8 Matthew Miller 2009-11-23 12:23:42 EST
Oh, I should add: the file installed by polkit-desktop-policy clearly *is* a
config file. It's just not a config file that's intended to be user-modified.

Rather than just "# DO NOT EDIT THIS FILE, it will be overwritten on update.",
the comment at the top of that file might be more helpful as:

# DO NOT EDIT THIS FILE; it will be overwritten on update.
#
# Please refer to the pklocalauthority man page for appropriate
# locations for system- and site-specific .pkla files.
#
Comment 9 Toshio Ernie Kuratomi 2009-11-23 13:18:31 EST
Looking at what's in the /var/lib/polkit-1 hierarchy, it definitely does not belong in /var/.  Here's the FHS entry for /var/lib:

"""
This hierarchy holds state information pertaining to an application or the system. State information is data that programs modify while they run, and that pertains to one specific host. Users must never need to modify files in /var/lib to configure a package's operation.
"""
  http://www.pathname.com/fhs/pub/fhs-2.3.html#VARLIBVARIABLESTATEINFORMATION

Having users place new files under directories in the /var/ hierarchy in order to configure the service is definitely included in the spirit of "never need to modify files in /var/lib/ to configure a package".  Where to put the files is not so clear but I see two methods.  Either follow gconf's somewhat contentious example and put everything under /etc/ or follow Matthew Miller's suggestion and put the defaults under /usr/share and the user editable files that override the defaults in /etc/.  The latter is what I recommend as Debian has moved the gconf default schema files to /usr/share and Havoc has stated that putting gconf defaults in /etc/ was probably a mistake so it would be better that we don't repeat the same mistake here.

Note, for this comment:
> Some of the directories below /var/lib/polkit-1/localauthority.d are
> machine-specific and thus not appropriate below /usr/share  

There's several options.

1) Only 10-vendor.d goes below /usr/share.  Those are rpm managed files provided by the vendor and intended to be overridden by the local admins in /etc/.  Any policy files that applications or fedora packages should end up in 10-vendor.d
2) Parallel directories in /usr/share and /etc.  Vendor and local admins use a package manager to provision the vendor/org/site defaults in /usr/share/.  Admins of the specific machine make changes in /etc/.

I think the confusion factor is very high in option 2.  Option 1 is the better choice here.

Note 2: It was suggested that we want to have different policies for Fedora Desktop, Fedora Server, Fedora, etc spins.  Do we need two vendor directories?  So that the application package can drop a default policy into one vendor dir and the polkit-desktop-policy package canoverride those if necessary in the second vendor dir?
Comment 10 Matthias Clasen 2009-11-23 13:31:41 EST
I have no interest in fighting FHS compliance wars here, thats really a waste of time. 

What is or is not a config file is really pretty much in the eye of the beholder. Something thats data to app A can very well be configuration for app B, and something can be configuration on a distro-level without being meant to be edited locally.
 
David will certainly justify his choices when he comes back from vacation.
Comment 11 Matthias Clasen 2009-11-23 13:40:17 EST
> Note 2: It was suggested that we want to have different policies for Fedora
> Desktop, Fedora Server, Fedora, etc spins.  Do we need two vendor directories? 
> So that the application package can drop a default policy into one vendor dir
> and the polkit-desktop-policy package can override those if necessary in the
> second vendor dir?  

To answer this part: No. Application defaults are contained in the action definitions in /usr/share/polkit-1/actions. And the idea is that these will be changed to be very restrictive. And then there will probably be a single policy package installed, depending on the purpose of the installation (a desktop policy or a server policy,...), and local- or site-wide tweaks to that installed policy can be done without conflicts by dropping additional .pkla files in the other directories in /var/lib/polkit-1/localauthority.d.

To prevent multiple policy packages being installed in parallel, we might make them conflict with each other,
Comment 12 Matthew Miller 2009-11-23 13:48:11 EST
> I have no interest in fighting FHS compliance wars here, thats really a waste
of time. 

I don't think there's any need to fight; let's just fix it. The situation is pretty clear cut, with a few details here and there.
Comment 13 seth vidal 2009-11-23 16:14:37 EST
it seems to me that pkgs which are also critical path should comply with all the pkging guidelines. FHS compliance is a requirement. This should probably be an F13Blocker.
Comment 14 Matthias Clasen 2009-11-23 16:28:37 EST
critical path is a useful concept. Please don't devalue it by using it for silly arguments.
Comment 15 Stijn Hoop 2009-11-24 04:47:38 EST
Whether or not it's a configuration file might be in the eye of the beholder. However the fact that I had to edit stuff in a file somewhere in /var/lib after Fedora 12 release to me was a clue that it should not belong there. No other packages have "configuration" or "policy" stuff there that is expected to be tweaked by the site- or machine-administrator (that I know of); at least this is the first package that I found out that needed it.

I do not really care whether the "do not edit" files are also below /etc but as an administrator, things that I'm expected to edit should be below /etc in my opinion, whether or not the FHS agrees.

Seth's suggestion in comment #7 would be perfect.
Comment 16 Matthew Miller 2009-11-24 09:57:39 EST
Made a patch; will post after testing. A couple of quick comments, though:

1) The config file in /etc which says "do not modify" is a different _type_ of file from the .pkla files. Only one key, AdminIdentities, is read from the single Configuration group. (This is where, for example, a group named "desktop_admin_r" can be configured to act like the traditional "wheel" group.) 

But although it shouldn't be modified, it can be overridden with a separate file. That seems okay, but the file comments should explain that for the sake of transparency.

2) Arguably, 10-vendor.d should go into /usr/share, but it seems like having entirely different places to look could lead to more confusion. Perhaps the best approach is to move everything to /etc/security/polkit-1 but make that particular directory a symlink into /usr/share/polkit-1. My patch / updated specfile doesn't actually mess with that, though.

3) Current patch leaves reading from /var/lib/polkit-1; that's part of what I need to test.

So, off to test. Update soon.
Comment 17 Matthew Miller 2009-11-24 10:45:35 EST
Created attachment 373472 [details]
Patch to use /etc/security/polkit-1 instead of /var/lib/polkit-1

Note that *something* has to get restarted for this to take effect, and I'm not sure exactly what. I ended up rebooting and that worked.
Comment 18 seth vidal 2009-11-24 10:52:50 EST
matthew, is it the inotify task watching for file changes in the /var/lib/polkit dir that maybe needs to move to watching /etc?
Comment 19 Matthew Miller 2009-11-24 10:54:57 EST
Created attachment 373474 [details]
specfile patch
Comment 20 Matthew Miller 2009-11-24 11:00:42 EST
re comment #18: yeah, possibly. not clear where that task is coming from, since there's no references to inotify in the source. And *having* rebooted, changes to files in the new location take effect instantly.
Comment 21 Matthew Miller 2009-11-24 11:29:55 EST
Annnnd I should also note that I have selinux turned off on my development box, and there's probably selinux policy that needs to be updated here.
Comment 22 Matthew Miller 2009-11-24 11:49:35 EST
Created attachment 373483 [details]
patch against current (as of Nov 13th) git

This is actually even simpler because of the removal of pklalockdown.

diffstat polkit-0.95-git-use_etc_for_pkla.patch
 configure.ac                                    |    2 +-
 docs/man/pklocalauthority.xml                   |    2 +-
 src/polkitbackend/Makefile.am                   |    6 +++---
 src/polkitbackend/polkitbackendlocalauthority.c |    9 +++++++--
 4 files changed, 12 insertions(+), 7 deletions(-)
Comment 23 Matthew Miller 2009-11-24 11:51:10 EST
Note that patch against git isn't actually tested, but I Can't See What Possibly Could Go Wrong™.
Comment 24 Matthew Miller 2009-11-24 11:56:04 EST
Another note: this would be more work, but it seems like putting the locations of the Local Authority directories in the localauthority.conf file would be architecturally the right thing to do, rather than hard-coding the directories (with their apparently "magical" priority numbers).

One step at a time, though -- my suggestion is to use the current change at this point, and then add that as a next phase.
Comment 25 Matthias Clasen 2009-11-24 12:52:10 EST
> rather than hard-coding the directories
> (with their apparently "magical" priority numbers).

The one place where we are using a time-honored Unix tradition of relying on lex ordering, and now you are complaining... :-)
Comment 26 Matthew Miller 2009-11-24 13:35:50 EST
Ha. :)

But actually, that's not the complaint. In fact, the opposite -- it's designed to _look_ like a "typical" directory where arbitrary subdirectories are read in lex order, but they're actually not. Specifically-named directories are hard-coded in a list (const gchar *store_locations[]) , and then those are stuffed into the authorization_stores list in order (and then the order is reversed). I don't think they're actually ever sorted, although it may be somewhere in the code I haven't looked.

But you can't actually create polkit-1/localauthority/42-whatever.d/ and have it work.

This is arguably bad, because it looks like a traditional pattern (for better or for worse!), but isn't actually. A reasonable user/sysadmin could easily be fooled. But it's also small potatoes -- and can easily be addressed by the suggestion of putting the list in localauthority.conf. (Or I guess by actually using readdir and doing the lex sort!)
Comment 27 Matthias Clasen 2009-11-24 16:10:12 EST
Ever tried to create /etc/rc42.d/ ? Did that do what you want ?
Comment 28 seth vidal 2009-11-24 16:16:16 EST
Matthias,
 Init dirs aren't sorted/run like that at all. Those directories don't get compiled into a single use.

However, if you look inside those directories you'll note that the numbers on the files there are sorted like that.

so that if you have:
S23Foo, S26Bar

You can boot S24Quux in there and it will run between Foo and Bar.

The suggestion from the polkit docs is that those dirs are sorted in order. So the expectation is that it's just using readdir.
Comment 29 Matthew Miller 2009-11-24 16:24:05 EST
What Seth said. It's a different pattern. But having said that, can we take that aspect of this offline or put it into another bug? I don't want the basic thing obscured: 1) let's follow the FHS for config files, and 2) hey, here's a patch that does just that!
Comment 30 David Zeuthen 2009-11-30 12:05:35 EST
This was dealt with (and rejected) upstream.
Comment 31 Tom "spot" Callaway 2009-11-30 12:12:07 EST
Wait, the upstream (which is you, right?) decided that violating the FHS was acceptable?

Reopening, because if so, it is not acceptable for Fedora, and we need to look into taking this patch for our own use.
Comment 32 David Zeuthen 2009-11-30 12:37:40 EST
(In reply to comment #31)
> Wait, the upstream (which is you, right?)

Yes.

> decided that violating the FHS was
> acceptable?

I've already explained upstream that this is not the case.
 
> Reopening, because if so, it is not acceptable for
> Fedora, and we need to look into taking this patch
> for our own use.  

No. Tom, I'd appreciate if you kept these two things in mind

 - you should know that this Bugzilla is not the right place
   to discuss upstream features. Take your complaints to upstream.

 - I'm closing. And please don't be childish and reopen it again.
   Thanks.
Comment 33 Matthew Miller 2009-11-30 12:46:51 EST
> I've already explained upstream that this is not the case.

I hope I'm not being unfair, but I think a reasonable paraphrase of the arguments you gave me are:

1) these configuration files aren't really configuration files, because they're too security-sensitive for users to mess with.

2) the intended scheme for manipulation of these files is by RPM, and therefore they should be hidden away somewhere so that no other scheme is used (puppet, cfengine, local changes)

and

3) If someone implements and configures a different polkit authority rather than the Local Authority, the local authority config files will be meaningless, and therefore they should be hidden so they don't confuse people.

Is that a fair representation?
Comment 34 Andrew McNabb 2009-11-30 13:10:32 EST
Since it's "childish" to reopen this bug report, could we make a more concerted effort to work with "upstream" on this?  I think that putting config files in /var is clearly wrong.  If Matt's characterization is correct ("they're
too security-sensitive for users to mess with", etc.), then I'm really confused.  How are the same people saying that sysadmins should just edit their config files (in last week's highly-publicized discussion on the PackageKit issue last week), but they should never edit those same config files (in this discussion).
Comment 35 David Zeuthen 2009-11-30 13:16:48 EST
(In reply to comment #34)
> Since it's "childish" to reopen this bug report, could we make a more concerted
> effort to work with "upstream" on this?  

Sounds great.. but if you want to work with upstream, why are you posting your thoughts here? The thread is here

http://lists.freedesktop.org/archives/polkit-devel/2009-November/000258.html

FWIW, I already posted a suggestion on how to deal with it upstream. It's kind of a cop-out from my side but hopefully it will let us all move on to more productive things than debating FHS "compliance" and "configuration data" vs. "application data"

 http://lists.freedesktop.org/archives/polkit-devel/2009-November/000270.html

Thanks,
David
Comment 36 Tom "spot" Callaway 2009-11-30 13:23:13 EST
I can't see how there is parity between telling people to edit the .pkli files to change the Policy for an application and saying that they are not configuration files.

Since this issue affects Fedora, and is not yet resolved in Fedora (which adheres to the FHS, regardless of your personal feelings about it), I'm reopening this bug. Feel free to work on the issue upstream, but we need to track its progress here.
Comment 37 David Zeuthen 2009-11-30 13:38:52 EST
(In reply to comment #36)
> I can't see how there is parity between telling people to edit the .pkli files
> to change the Policy for an application and saying that they are not
> configuration files.

I never told people to do that. And it wasn't the way the PackageKit mess was fixed. I guess that people are so used to thinking everything is a config file that they forgot there's a thing called "application data".

> Since this issue affects Fedora, and is not yet resolved in Fedora (which
> adheres to the FHS, regardless of your personal feelings about it), I'm
> reopening this bug. Feel free to work on the issue upstream, but we need to
> track its progress here.

No, the FHS is still not being violated. As I already said, Tom, we will add functionality upstream so _your_ view on the FHS and polkit won't be violated. And, Tom, if you want to track this enhancement you need to open a new bug or rename this one. Instead of closing this bug and making you open a new one I'm going to go ahead and just rename it for you.

(And, Tom, in the future please don't be a dick and drag phrases like "personal feelings" into this. It's slightly offensive and not very professional. Thanks.)
Comment 40 Matthew Miller 2009-11-30 14:07:56 EST
Upstream bug filed at https://bugs.freedesktop.org/show_bug.cgi?id=25367, and
David has tentatively agreed to support reading from /etc.

So I think we're all good with no further discussion really needed here.

I think this particular bug is still useful though, for the specfile patch. I'm
going to go ahead and rename the issue again to reflect that.

The current state is: patch is upstream waiting review. Once that's in, we'll
want to update the Fedora package to match, using the proposed changes in
attachment #373474 [details].
Comment 41 Laurent Rineau 2010-01-10 10:13:10 EST
According to https://bugs.freedesktop.org/show_bug.cgi?id=25367 the bug has been fixed upstream with the following git commit:
  http://cgit.freedesktop.org/PolicyKit/commit/?id=8e0b9b47d1fc1a4ab6020770e4b3084ddd45b71d
Comment 42 Matthew Miller 2010-01-10 13:36:52 EST
Yes. Now just needs the matching specfile changes.
Comment 43 Matthias Clasen 2010-02-15 16:40:03 EST
The changes to also read from /etc are in polkit 0.96 which will be in F13.
Comment 44 Matthew Miller 2010-02-15 18:19:19 EST
Thank you and David both very much.