From: Lennart Poettering Date: Tue, 3 Mar 2026 17:22:29 +0000 (+0100) Subject: machined: add comment explaining access to machine objects a bit X-Git-Tag: v260-rc2~17 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ec718b44a11f19aaec28349ac7490042d76379ab;p=thirdparty%2Fsystemd.git machined: add comment explaining access to machine objects a bit --- diff --git a/src/machine/machine.h b/src/machine/machine.h index d02bb9a965e..7941eb365c1 100644 --- a/src/machine/machine.h +++ b/src/machine/machine.h @@ -34,6 +34,17 @@ typedef enum KillWhom { } KillWhom; typedef struct Machine { + /* Note: machine objects registered with the --system instance can be allocated by privileged *and* + * unprivileged clients. We generally do this to make DNS-style name resolution work, and since + * that's a system-wide concept, the machine registrations need to be system-wide too. + * + * polkit manages access to machines registered by unprivileged clients. The general rule should be + * that local users (i.e. those with a seat) may register machines, and do basic interaction with + * their own machines without having to authenticate as administrator – however any more complex + * (such as: copying files in + out of a container; or logging in interactively) should only be + * available after administrator authentication, following the logic that users better use their own + * per-user instance of systemd-machined for that. */ + Manager *manager; char *name;
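Review bot: The second paragraph of the new comment in `struct Machine` has a sentence missing its noun: "however any more complex (such as: copying files in + out of a container; or logging in interactively) should only be available" should read "any more complex operations". In the same sentence, "users better use their own per-user instance" would be clearer as "users should rather use". The rule is also phrased as what "should be" the case, so the comment would be more useful if it pointed to where the polkit checks for these operations live. A reader auditing access could then confirm that file copy and interactive login on machines registered by unprivileged clients really do require administrator authentication. Lastly, the comment is the first thing inside the struct, directly ahead of `Manager *manager;`. Placing it above `typedef struct Machine {` would make it unambiguous that it documents the object as a whole rather than that field.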