Colors of Noise

agx@sigxcpu.org

Entries tagged "admin".

Handling privileges with PolicyKit
21st August 2010

I got tired of having to authenticate as root to change printer settings like paper size or printout mode via a GUI. Since system-config-printer uses PolicyKit things like allow myself to change printer settings when logged into the system should be possible without having to mess with cupsd.conf or sudo, are they?

Which printer related actions are governed by PolicyKit:

pkaction | grep printer

shows about the following if you have cups-pk-helper installed. The later is used by system-config-printer to interface with PolicyKit:

org.opensuse.cupspkhelper.mechanism.printer-enable
org.opensuse.cupspkhelper.mechanism.printer-local-edit
org.opensuse.cupspkhelper.mechanism.printer-remote-edit
org.opensuse.cupspkhelper.mechanism.printer-set-default
org.opensuse.cupspkhelper.mechanism.printeraddremove

So org.opensuse.cupspkhelper.mechanism.printer-local-edit seems to be what I'm looking for. Let's change the policy for this action:

cat <<EOF >/etc/polkit-1/localauthority/50-local.d/99-local.pkla 
[EditPrinters]
Identity=unix-user:foo
Action=org.opensuse.cupspkhelper.mechanism.printer-local-edit
ResultAny=no
ResultInactive=no
ResultActive=yes
EOF

This allows user foo to perform the action org.opensuse.cupspkhelper.mechanism.printer-local-edit if the user is logged into a local interactive session. The pklocalauthority(8) manpage has all the details. PolicyKit will pick up the configuration file changes on the fly. Lets see if this worked by getting the process id of the running system-config-printer and checking via pkcheck if the process is authorized to use that action:

PID=$(ps a | awk '/[p]ython .*system-config-printer/ { print $1 }')
pkcheck --action-id org.opensuse.cupspkhelper.mechanism.printer-local-edit --process $PID
echo $?

If pkcheck returns with a zero return value everything is fine and user foo won't need any password to modify local printer settings from now on.

Check the output of pkaction(1) to list more actions that can be setup this way.

Flattr this

Tags: admin, debian.

RSS Feed