author | Ondrej Holy <oholy@redhat.com> | 2021-05-12 10:19:56 +0200 |
---|---|---|
committer | Ondrej Holy <oholy@redhat.com> | 2021-06-07 07:28:17 +0000 |
commit | 141eee12c5c6c37e098cef2f1a80d1df58168d5b (patch) | |
tree | 1dc3fdeedb85fad3fc12b85255c5bf7db6c06526 | |
parent | dede4bbda08a02c47b917c03eaf59e994b15edbb (diff) | |
download | gvfs-141eee12c5c6c37e098cef2f1a80d1df58168d5b.tar.gz |
admin: Make the privileged group configurable
Currently, the `wheel` group is hardcoded in the `.rules` file, which is there
to prevent a redundant password prompt when starting gvfsd-admin. Debian-based
systems obviously use the `sudo` group instead of `wheel`. Let's make
the privileged group configurable.
https://gitlab.gnome.org/GNOME/gvfs/-/issues/565
-rw-r--r-- | daemon/meson.build | 11 | ||||
-rw-r--r-- | daemon/org.gtk.vfs.file-operations.rules.in (renamed from daemon/org.gtk.vfs.file-operations.rules) | 4 | ||||
-rw-r--r-- | meson.build | 4 | ||||
-rw-r--r-- | meson_options.txt | 1 |
4 files changed, 15 insertions, 5 deletions
diff --git a/daemon/meson.build b/daemon/meson.build index dffeef3e..c89ef407 100644 --- a/daemon/meson.build +++ b/daemon/meson.build @@ -374,8 +374,15 @@ if enable_admin install_dir: gvfs_datadir / 'polkit-1/actions', ) - install_data( - gvfs_namespace + '.file-operations.rules', + rules = gvfs_namespace + '.file-operations.rules' + + rules_conf = configuration_data() + rules_conf.set('PRIVILEGED_GROUP', privileged_group) + + configure_file( + input: rules + '.in', + output: rules, + configuration: rules_conf, install_dir: gvfs_datadir / 'polkit-1/rules.d', ) endif diff --git a/daemon/org.gtk.vfs.file-operations.rules b/daemon/org.gtk.vfs.file-operations.rules.in index fb137327..a3a2f643 100644 --- a/daemon/org.gtk.vfs.file-operations.rules +++ b/daemon/org.gtk.vfs.file-operations.rules.in @@ -1,4 +1,4 @@ -// Allows users belonging to wheel group to start gvfsd-admin without +// Allows users belonging to privileged group to start gvfsd-admin without // authorization. This prevents redundant password prompt when starting // gvfsd-admin. The gvfsd-admin causes another password prompt to be shown // for each client process using the different action id and for the subject @@ -7,7 +7,7 @@ polkit.addRule(function(action, subject) { if ((action.id == "org.gtk.vfs.file-operations-helper") && subject.local && subject.active && - subject.isInGroup ("wheel")) { + subject.isInGroup ("@PRIVILEGED_GROUP@")) { return polkit.Result.YES; } }); diff --git a/meson.build b/meson.build index b881ebe3..4e5e021b 100644 --- a/meson.build +++ b/meson.build @@ -299,6 +299,7 @@ endif config_h.set('HAVE_GCR', enable_gcr) # *** Check if we should build with admin backend *** +privileged_group = get_option('privileged_group') enable_admin = get_option('admin') if enable_admin libcap_dep = dependency('libcap') 
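Review bot: `privileged_group` reaches `rules_conf.set('PRIVILEGED_GROUP', privileged_group)` unchecked, and `configure_file` copies it verbatim into the quoted argument of `subject.isInGroup ("@PRIVILEGED_GROUP@")` in the `.rules.in` hunk; the top-level `meson.build` hunk that reads the option does not check it either. A value containing `"` or `\` would change the JavaScript of a rule that returns `polkit.Result.YES`, and an empty value presumably yields a rule that never matches. I would reject such values at configure time, right after the option is read: `if privileged_group == '' or privileged_group.contains('"') or privileged_group.contains('\\')`, then `error('privileged_group must be a plain group name')`, then `endif`. The `if enable_admin` block this hunk sits in starts outside the hunk.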
@@ -493,7 +494,8 @@ meson.add_install_script( summary({ 'systemduserunitdir': systemd_systemduserunitdir, 'tmpfilesdir': systemd_tmpfilesdir, -}, section: 'Directories') + 'privileged_group': privileged_group, +}, section: 'Configuration') summary({ 'admin': enable_admin, diff --git a/meson_options.txt b/meson_options.txt index 32f10d42..5059161b 100644 --- a/meson_options.txt +++ b/meson_options.txt @@ -1,5 +1,6 @@ option('systemduserunitdir', type: 'string', value: '', description: 'custom directory for systemd user units, or \'no\' to disable') option('tmpfilesdir', type: 'string', value: '', description: 'custom directory for tmpfiles.d config files, or \'no\' to disable') +option('privileged_group', type: 'string', value: 'wheel', description: 'custom name for group that has elevated permissions') option('admin', type: 'boolean', value: true, description: 'build with admin backend') option('afc', type: 'boolean', value: true, description: 'build with afc backend and volume monitor') |
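Review bot: Renaming the section to `'Configuration'` leaves `systemduserunitdir` and `tmpfilesdir`, which are directories, under a heading that no longer describes them, and `privileged_group` is printed even when `admin` is disabled and the rules file is not installed. Keeping `section: 'Directories'` for the two paths and reporting the group in its own call, e.g. `summary({'privileged_group': privileged_group}, section: 'Configuration')`, would keep the build summary accurate. The `summary()` call that follows the changed one continues past the end of the hunk.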
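Review bot: The description `'custom name for group that has elevated permissions'` does not tell a packager what the option controls. Per the `.rules.in` hunk, local and active members of this group are authorized for `org.gtk.vfs.file-operations-helper` without a password prompt. Stating that effect makes it less likely that an overly broad group is configured by mistake, for example `description: 'group whose local, active members may start gvfsd-admin without a polkit password prompt'`.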