Open anudeepthika opened 2 years ago
Hi @anudeepthika, there is no way to use usbguard-dbus safely without talking to Polkit so enabling D-Bus support "rightfully" pulls in that dependency now. Regarding --with-polkit
, it is documented as…
# ./configure --help | fgrep -- --with-polkit
--with-polkit Install the PolicyKit configuration if D-Bus support
…which seems correct, while name --with-polkit
may indeed be a bit misleading now.
What do you think?
PS @anudeepthika maybe I should be more explicit that I'd be happy to understand your concern and situation better, and then discuss options for improval. In particular: Is a dependency on Polkit a problem in your environment?
Hi @hartwork,
Thank you for your response. Sorry for my delay in replying back. I was analyzing the polkit impact on our environment.
In an Embedded System, different constraints with regards to policy enforcement would be implemented, and having polkit in our environment is throwing conflicts.
Could you please provide "--without-polkit" option so that polkit can be disabled depending on the use case and still remain enabled by default?
@anudeepthika that helps, but I still have questions, to be sure I understand the full picture and our options:
--with-dbus
and USBGuard DBus functionality enabled in that environment?Hi @hartwork,
There is no polkit daemon running in our environment and enabling it, is making a huge impact. I request --with-dbus
, USBGuard DBus functionality enabled without polkit
Hi @anudeepthika ,
I guess then maybe the best way forward would be to introduce a new configure option --with(out)-dbus-security
that defaults to enabled and have that control a C++ preprocessor macro that makes DBusBridge::isAuthorizedByPolkit
always return true
and print a warning when disabled, and do it's regular current job when enabled.
Best, Sebastian
PS: The idea with --without-dbus-security
naming is that making that^^ part of --without-polkit
would do nothing to warn the user that operation with D-Bus but without talking to Polkit is not something secure for e.g. a regular desktop environment. I consider that essential.
There is no polkit daemon running in our environment and enabling it, is making a huge impact.
@anudeepthika could you elaborate what kind of impact enabling the daemon would have?
Why do you need the dbus so bad? If you don't want polkit on your system you can just stay with usbguard CLI and IPC perms.
Configuring usbguard without polkit is failing with the below error.
configure: error: Required D-Bus modules (dbus-1, gio-2.0) not found!
The above error is encountered due to the commit 2c8c1ae10a6330736bf2a2d7d8682674b1db47dc. Can someone help me with a solution to skip this error while configuring without polkit?