On Wednesday 10 October 2001 05:31 am, George Staikos wrote:
>    Well this has gone on long enough I think.....   We have many features
> in klaptopdaemon which just can't be used because they require root access.
> However, on a laptop, I think the user is generally supposed to be able to
> do these things (suspend, manage pcmcia cards, etc).  Does anyone have a
> good suggestion as to how we can get this working right without
> compromising security and using ugly hacks?
>
>    My best solution is to use sudo, but this is not a clean solution for
> most users, and currently klaptopdaemon doesn't have code to load itself
> with sudo.


Well as it's author I went around and around on this issue - basicly what you 
need depends on the environment you're running (and on how the authors of the 
various kernel power management systems considered how security should work):

	- BSD utilities don't require root privilege to work
	- Linux ACPI doesn't either (support is in KDE 3.0 - but
		Linux ACPI is rudimentary at the moment so we don't
		support much yet)
	- Linux IBM hibernate doesn't need to be root
	- Linux APM requires you to be root to do suspend/standby only
	
Unlike controll panel apps that can ask you for a passwd in order to do root 
sort of stuff the laptop stuff often needs to do 'root things' like suspend 
due to low batteries while the user is not present, and not able to type in a 
password. My solution to this has been to have the Linux-APM layer prompt the 
user with how to setuid-root on the APM suspend utility - this way the user 
gets to give non-root users just the ability to do suspends without 
compromising system security in other ways - and without KDE components 
storing passwords or running setuid themselves - personally I think this is 
the right way to do it.

Managing of PCMCIA cards etc is a different issue - and actually probably 
doesn't belong in the laptop daemon (it's really a battery/power management 
utility) - I originally put in a simple control panel showing the pcmcia 
state - really they ought to be in their own app and in order to do 
privileged stuff (like ejecting cards etc) they ought to do the same sort of 
thing that panels like Date&Time use to get to root

	Paul Campbell
	paul@taniwha.com
 
>> Visit http://mail.kde.org/mailman/listinfo/kde-devel#unsub to unsubscribe <<