Comments (6)
Also a side note, in the future this can double as a utility program for some extra hackery, which I'd love to see. Being able to run this as normal user instead of `sudo aa-logprof` is another plus.
Like, imagine how cool you must feel when you type `aa-caller logs` instead of clicking around the Logs tab like a scrub.
from appanvil.
It certainly should not be asking you for authentication every time it refreshes. That sounds super annoying! This is something we originally fixed early on in the project when we implemented our custom pkexec policy.
Looking at the code for that, I can see a potential issue:
https://github.com/jack-ullery/AppAnvil/blob/24881f3f2b03b93aac02446a739e137bf005cc76/resources/pkexec.policy.in#L13C1-L13C104
The pkexec policy only activates for the installed version of AppAnvil (at `/usr/bin/appanvil`), not the local development build. Furthermore, this policy itself needs to be installed (with `sudo make install`).
A future change could change the value in the policy to point to both the develop build (only during development) and the installed appanvil (at `/usr/bin`).
Or, maybe pkexec policy does not work the same on your version of Arch (here's the wiki).
from appanvil.
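The path matching described in the comment above, as an added example (not AppAnvil's code): it reads a pkexec policy and reports which authorization an executable path would get. The sample policy, its placeholder action id and the development build path are constructed; the annotation key and the `defaults` elements are polkit's own.

```python
import xml.etree.ElementTree as ET

EXEC_PATH_KEY = "org.freedesktop.policykit.exec.path"

# Constructed sample policy. The action id is a placeholder, not AppAnvil's.
SAMPLE_POLICY = """<policyconfig>
  <action id="org.example.placeholder.read-logs">
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/appanvil</annotate>
  </action>
</policyconfig>
"""

def actions_by_path(policy_xml):
    """Map each annotated executable path to (action id, defaults dict)."""
    result = {}
    for action in ET.fromstring(policy_xml).iter("action"):
        path = None
        for ann in action.findall("annotate"):
            if ann.get("key") == EXEC_PATH_KEY:
                path = (ann.text or "").strip()
        if not path:
            continue  # action is not bound to a program run through pkexec
        node = action.find("defaults")
        defaults = {} if node is None else {d.tag: (d.text or "").strip() for d in node}
        result[path] = (action.get("id"), defaults)
    return result

def explain(policy_xml, program):
    """Authorization for `pkexec <program>` from an active local session.
    `program` must be the already resolved absolute path."""
    match = actions_by_path(policy_xml).get(program)
    if match is None:
        # No action names this path, so pkexec falls back to its generic
        # action (org.freedesktop.policykit.exec) and asks on every call.
        return "no-matching-action"
    return match[1].get("allow_active", "unset")

if __name__ == "__main__":
    # The second path is a hypothetical development build location.
    for prog in ("/usr/bin/appanvil", "/home/dev/AppAnvil/build/appanvil"):
        print(prog, "->", explain(SAMPLE_POLICY, prog))
```

Installed policies live under `/usr/share/polkit-1/actions/`, so the same functions can be pointed at those files to see which binaries a system grants `auth_admin_keep`.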
> Also a side note, in the future this can double as a utility program for some extra hackery, which I'd love to see. Being able to run this as normal user instead of `sudo aa-logprof` is another plus.
> Like, imagine how cool you must feel when you type `aa-caller logs` instead of clicking around the Logs tab like a scrub.

After running `sudo make install`, you should be able to run `pkexec aa-caller -l` (which honestly should probably be renamed to `aa-caller logs`).
from appanvil.
> It certainly should not be asking you for authentication every time it refreshes. That sounds super annoying! This is something we originally fixed early on in the project when we implemented our custom pkexec policy.
> Looking at the code for that, I can see a potential issue: https://github.com/jack-ullery/AppAnvil/blob/24881f3f2b03b93aac02446a739e137bf005cc76/resources/pkexec.policy.in#L13C1-L13C104
> The pkexec policy only activates for the installed version of AppAnvil (at `/usr/bin/appanvil`), not the local development build. Furthermore, this policy itself needs to be installed (with `sudo make install`).
> A future change could change the value in the policy to point to both the develop build (only during development) and the installed appanvil (at `/usr/bin`).
> Or, maybe pkexec policy does not work the same on your version of Arch (here's the wiki).

I think you're spot on about pkexec being the root issue. However I see two problems with the current approach:
1. `auth_admin_keep` only grants you 5 min of elevated privileges, combine that with the regular refreshing is why it keeps popping up (not an Arch issue btw), and I've yet to find a configuration that can grant privilege once and keep it forever (which would be very unsafe?)
2. I see code for reading from `auditd` logs but no logs were read unless I run appanvil as superuser with `sudo -E appanvil`, so something must be wrong here.
from appanvil.
Reacting to your previous comment:

> However, in Arch Linux those logs go to `systemd`, and they are not stored in plaintext format unless you enable the auditing framework, in which case the logs are stored in `/var/log/audit/audit.log`, only accessible to the root user. So for maximum compatibility the log reading code should ideally be run by root user and separate from the graphical interface.

This is a separate issue (which is also important). We actually used to read the logs from systemd using `journalctl`, but I stopped for whatever reason (can't remember why - maybe some conflict with auditd).
We have some implementation to read and parse auditd logs, which is currently being done as the root user separate from the GUI (that's the point of aa-caller). One potential issue could come from the fact that we currently are reading a few logs from the GUI as a non-root user: `/var/log/kern.log`, `/var/log/dmesg`, `/var/log/syslog`.
Now for your new comment:

> I think you're spot on about pkexec being the root issue. However I see two problems with the current approach: 1. `auth_admin_keep` only grants you 5 min of elevated privileges, combine that with the regular refreshing is why it keeps popping up (not an Arch issue btw), and I've yet to find a configuration that can grant privilege once and keep it forever (which would be very unsafe?)

I think our original idea was to try and approximate the behavior of sudo (which I see now stores credentials for 15 minutes). We can make this longer or even indefinite, which I don't see much of a problem with because this utility is only used for reading logs and other similar data (but greater minds may differ on the impact).

> 2. I see code for reading from `auditd` logs but no logs were read unless I run appanvil as superuser with `sudo -E appanvil`, so something must be wrong here.

I think you're right and something got messed up with this somewhere, because it's not working for me either. This is definitely worth exploring, even if we go back to the journalctl implementation.
from appanvil.
I see now that the `auth_admin_keep` is hardcoded to 5 minutes (unless on OpenSUSE). There might be another approach with polkit authorization rules, but I think the log issue is higher priority for me right now.
from appanvil.