Sudo and its alternatives

Sudo and its alternatives

Posted Feb 22, 2024 14:44 UTC (Thu) by farnz (subscriber, #17727)
In reply to: Sudo and its alternatives by sionescu
Parent article: Sudo and its alternatives

If it disallows the loading of external code, then you have a serious problem - how exactly am I supposed to configure a system that uses code to configure it, if the system won't load my code?

If it allows loading of external code, I can bundle the external library with my code, and the system can't tell that the external library was downloaded from the Internet rather than written by me.

And the whole reason you have a configuration language for Polkit is that there's lots of different configurations that might make sense; if I have to learn PolKitScript to configure it, then I'm stuck being "the Polkit person"; if it's JavaScript, I can tell someone outside my team to write me the JavaScript for the policy that we want to implement, and simply review it, rather than having to write it as well.

---

to post comments

Sudo and its alternatives

Posted Feb 22, 2024 15:00 UTC (Thu) by sionescu (subscriber, #59410) [Link] (1 responses)

> If it disallows the loading of external code, then you have a serious problem - how exactly am I supposed to configure a system that uses code to configure it, if the system won't load my code?
> If it allows loading of external code, I can bundle the external library with my code, and the system can't tell that the external library was downloaded from the Internet rather than written by me.

I invite you to take a look at the docs: https://www.freedesktop.org/software/polkit/docs/latest/p...

The execution environment exposes a few objects which allow defining some very limited hooks. There doesn't seem to be any support for require(), nor I/O, perhaps not even named functions. That makes it practically impossible to use third party libraries except by doing copy-and-paste of non-I/O functionality (perhaps string manipulation, etc...).

Sudo and its alternatives

Posted Feb 22, 2024 15:25 UTC (Thu) by farnz (subscriber, #17727) [Link]

The ability to copy-and-paste non-I/O functionality is, however, extremely useful; I can (to choose an example) include a "JSON database" in my rules, automatically generated from a source in an interesting fashion, and with fast programmatic queries relying on indexes that come as JavaScript code. Indeed, I may even have the code to generate this already for use in (e.g.) a web front end, and I just have to tell it that I want a bigger database than it normally sends.

On top of that, I have syntax highlighters, lint tools, transpilers targeting JS (e.g. I could write the rules in TypeScript and transpile) and much more available to me, none of which would exist if I used PolKitScript instead.