There is a thorny topic we have been discussing in nonpublic channels (say, the debian-private mailing list... It is impossible to call it a private list if it has close to a thousand subscribers, but it sometimes deals with sensitive material) for the last week. We finally have confirmation that we can bring this topic out to the open, and I expect several Debian people to talk about this. Besides, this information is now repeated all over the public Internet, so I'm not revealing anything sensitive. Oh, and there is a statement regarding Dmitry Bogatov published by the Tor project. But I'll get to Tor soon.

One week ago, the 25-year-old mathematician and Debian Maintainer Dmitry Bogatov was arrested, accused of organizing riots and calling for terrorist activities. All evidence so far points to the fact that Dmitry is not guilty of what he is charged with. He was filmed at different places at the times when the calls for terrorism happened. It seems that Dmitry was arrested because he runs a Tor exit node. I don't know the current situation in Russia, nor his political leanings. But I do know what a Tor exit node looks like. I even had one at home for a short while.

What is Tor? It is a network overlay, meant for people to hide where they come from or who they are. Why? There are many reasons. Uninformed people will talk about the evil wrongdoers (starting the list of course with the drug sellers or child porn distributors). People who have taken their time to understand what this is about will rather talk about people for whom free speech is not a given: journalists, political activists, whistleblowers. And also, about regular people. Many among us have taken the habit of doing some of our Web surfing using Tor (probably via the very fine and interesting TAILS distribution, The Amnesiac Incognito Live System), just to increase the entropy, and just because we can, because we want to preserve the freedom to be anonymous before it's taken away from us.
There are many types of nodes in Tor; most of them are just regular users or bridges that forward traffic, helping Tor's anonymization. Exit nodes, where packets leave the Tor network and enter the regular Internet, are much scarcer, partly because they can be quite problematic to people hosting them. But, yes, Tor needs more exit nodes, not just for bandwidth's sake, but because the more exit nodes there are, the harder it is for a hostile third party to monitor a sizable number of them for activity (and break the anonymization).

I am coincidentally starting a project with a group of students of my Faculty (we want to breathe life again into LIDSOL - Laboratorio de Investigación y Desarrollo de Software Libre). As we are just starting, they are documenting some technical and social aspects of the need for privacy and how Tor works; I expect them to publish their findings in El Nigromante soon (which means... what?), but definitely, part of what we want to do is to set up a Tor exit node at the university, well documented and with enough academic justification to avoid our network operation area ordering us to shut it down. Let's see what happens :)

Anyway, all in all, Dmitry is in for a heavy time. He has been detained pre-trial at least until June, and he faces quite serious charges. He has done a lot of good, specialized work for the whole world to benefit. So, given I cannot do more, I'm just speaking my mind here in this space.

[Update] Dmitry's case has been covered in LWN. There is also a statement concerning the arrest of Dmitry Bogatov by the Debian project. This case is also covered at The Register.
pkaction | grep printer

shows about the following if you have cups-pk-helper installed. The latter is used by system-config-printer to interface with PolicyKit:

org.opensuse.cupspkhelper.mechanism.printer-enable
org.opensuse.cupspkhelper.mechanism.printer-local-edit
org.opensuse.cupspkhelper.mechanism.printer-remote-edit
org.opensuse.cupspkhelper.mechanism.printer-set-default
org.opensuse.cupspkhelper.mechanism.printeraddremove

So org.opensuse.cupspkhelper.mechanism.printer-local-edit seems to be what I'm looking for. Let's change the policy for this action:

cat <<EOF >/etc/polkit-1/localauthority/50-local.d/99-local.pkla
[EditPrinters]
Identity=unix-user:foo
Action=org.opensuse.cupspkhelper.mechanism.printer-local-edit
ResultAny=no
ResultInactive=no
ResultActive=yes
EOF

This allows user foo to perform the action org.opensuse.cupspkhelper.mechanism.printer-local-edit if the user is logged into a local interactive session. The pklocalauthority(8) manpage has all the details. PolicyKit will pick up the configuration file changes on the fly. Let's see if this worked by getting the process id of the running system-config-printer and checking via pkcheck if the process is authorized to use that action:

# PID of the running system-config-printer ([p] keeps awk from matching its own command line)
PID=$(ps a | awk '/[p]ython .*system-config-printer/ { print $1 }')
pkcheck --action-id org.opensuse.cupspkhelper.mechanism.printer-local-edit --process "$PID"
echo $?

If pkcheck returns with a zero return value, everything is fine and user foo won't need any password to modify local printer settings from now on. Check the output of pkaction(1) to list more actions that can be set up this way.
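
To review what a file such as 99-local.pkla actually grants, the following added example (not part of the original post) parses the .pkla entry format used above and marks entries whose grant reaches beyond an active local session. The function names, the WARN rule for globs and the second sample entry are assumptions constructed for illustration.

```shell
# Added example (not from the original post): list what each polkit .pkla
# entry grants and warn when it reaches beyond an active local session.
audit_pkla() {
    awk '
    function get(k) { return (k in v) ? v[k] : "unset" }
    function flush(   lvl) {
        if (section == "") return
        lvl = "OK"
        # "yes" for Any/Inactive also covers remote or inactive sessions.
        if (get("ResultAny") == "yes" || get("ResultInactive") == "yes") lvl = "WARN"
        # Globs widen the grant; flagging them is a choice made by this example.
        if (get("Identity") ~ /[*]/ || get("Action") ~ /[*]/) lvl = "WARN"
        printf "%s [%s] %s %s any=%s inactive=%s active=%s\n", lvl, section,
               get("Identity"), get("Action"), get("ResultAny"),
               get("ResultInactive"), get("ResultActive")
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }       # skip comments and blank lines
    /^\[.*\]$/ {                             # [Section] starts a new entry
        flush(); split("", v)
        section = substr($0, 2, length($0) - 2); next
    }
    (eq = index($0, "=")) > 0 { v[substr($0, 1, eq - 1)] = substr($0, eq + 1) }
    END { flush() }
    ' "$1"
}

# Constructed sample: the entry from the text plus a deliberately broad one.
write_sample_pkla() {
    cat > "$1" <<'EOF'
[EditPrinters]
Identity=unix-user:foo
Action=org.opensuse.cupspkhelper.mechanism.printer-local-edit
ResultAny=no
ResultInactive=no
ResultActive=yes

[BroadPrinterGrant]
Identity=unix-group:*
Action=org.opensuse.cupspkhelper.mechanism.*
ResultAny=yes
EOF
}

sample=$(mktemp) && write_sample_pkla "$sample" && audit_pkla "$sample"
rm -f "$sample"
```

On a real system, point audit_pkla at each file under /etc/polkit-1/localauthority/ to see every local override in one listing.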