Roles and Policy

David Zeuthen davidz at redhat.com
Thu Aug 13 18:28:51 UTC 2009


Hey,

I've just added a new subpackage in the polkit SRPM called
polkit-desktop-policy. This package will add two new system groups (the
trailing _r signifies these are really roles, not ordinary groups)

 - desktop_admin_r
 - desktop_user_r

The patch is here

http://cvs.fedoraproject.org/viewvc/devel/polkit/polkit.spec?r1=1.8&r2=1.9

It works like this

 1. If the desktop_admin_r group is non-empty, then users in the group
    are used for administrator authentication - see the polkit(8) man
    page for details:

     http://hal.freedesktop.org/docs/polkit/polkit.8.html

    If the desktop_admin_r group is empty, we just ask for the root
    password instead.

    For example, the following is a screenshot where the users davidz
    and bateman are in the desktop_admin_r group:

    http://people.freedesktop.org/~david/pkexec-with-desktop-admin-r.png

 2. Second, if you are a member of the desktop_admin_r group, then you
    should be allowed to do a lot of things without being interrupted
    by authentication dialogs. This part isn't complete; for now, it
    includes

      org.gnome.clockapplet.mechanism.* - set timezone and system time
      org.freedesktop.devicekit.disks.* - all storage related things
      org.freedesktop.RealtimeKit1.*    - run real-time processes

    but we probably want to allow installing trusted packages,
    installing trusted updates and removing packages, without asking
    for a password. Probably more - Richard?

 3. Third, if you are a member of the desktop_user_r group then you
    should be allowed to do a number of things - not as much as the
    desktop_admin_r role, but things like setting the time zone. For
    now, we only include

     org.gnome.clockapplet.mechanism.settimezone

A couple of notes

 - As we add/remove mechanisms (e.g. privileged apps using polkit), we
   need to update this package. That's fine.

 - For this to be really useful, we need the User Account Editor that
   Matthias wrote about here

https://www.redhat.com/archives/fedora-desktop-list/2008-May/msg00006.html

   Sadly no work has been done on this yet. Anyway, the main point is
   that we can add something like this

     Account Type

          (*) Standard User
          ( ) Administrative User

   to this tool. We can also add more roles, e.g. "Restricted User" and
   also tailor policy for the mythical guest account.

 - This is opt-in. If you don't want to use this, just don't add any
   users to the desktop_admin_r or desktop_user_r groups. Heck, just
   uninstall the package. Second, other third-party packages can
   easily override this thanks to how the polkit local authority works
   (see the pklocalauthority(8) man page for details).

 - This should put an end to the (IMO misguided) request "please add
   first user to the 'wheel' group". The new 'wheel' is
   'desktop_admin_r' and the new sudo(1) is pkexec(1).
   (Of course sudo(1) will still continue to work, but it is not what we
   officially want to support. PolicyKit is, however.)

 - With support in the OS installer for automatically adding the first
   user to desktop_admin_r, we should be close to actually doing
   installs without the concept of a root password...

Of course this is not 100% useful until a) the OS installer knows about
this; and b) we have a User Account Editor. But it is 90% there.

Finally, Matthias, can someone please add polkit-desktop-policy to the
default desktop install? Thanks.

     David
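
The role-based policy described in the mail, as an added example that is
not part of the original post and not code from polkit or from the
polkit-desktop-policy package: a small Python model of how the polkit
Local Authority evaluates .pkla entries (INI-style sections with Identity,
Action and ResultAny/ResultInactive/ResultActive keys, '*' globs in
Action, and directories consulted from 10-vendor.d up to 90-mandatory.d so
that a local file can override a vendor one, as pklocalauthority(8)
documents). The file paths, the sample .pkla contents, the group
memberships, and the rule that the last matching entry wins are
assumptions of this model; it also shows the admin-identity fallback to
root that the mail describes for an empty desktop_admin_r group.

```python
"""Toy evaluator for polkit Local Authority (.pkla) files.

Added example; not code from the original mail, from polkit or from
polkit-desktop-policy. Paths, sample files, group memberships and the
last-match-wins rule are assumptions of this model.
"""
import configparser
import fnmatch

# Search order from pklocalauthority(8); a later directory has higher priority.
DIR_ORDER = ["10-vendor.d", "20-org.d", "30-site.d", "50-local.d", "90-mandatory.d"]

# Constructed .pkla content keyed by a hypothetical path. The vendor file
# encodes the two roles from the mail; the local file narrows one grant.
SAMPLE_PKLA = {
    "/etc/polkit-1/localauthority/10-vendor.d/10-desktop-policy.pkla": """
[Desktop admins: time, storage and realtime without a password]
Identity=unix-group:desktop_admin_r
Action=org.gnome.clockapplet.mechanism.*;org.freedesktop.devicekit.disks.*;org.freedesktop.RealtimeKit1.*
ResultAny=no
ResultInactive=no
ResultActive=yes

[Desktop users: time zone only]
Identity=unix-group:desktop_user_r
Action=org.gnome.clockapplet.mechanism.settimezone
ResultAny=no
ResultInactive=no
ResultActive=yes
""",
    "/etc/polkit-1/localauthority/50-local.d/50-site-override.pkla": """
[Site override: storage still needs an admin password]
Identity=unix-group:desktop_admin_r
Action=org.freedesktop.devicekit.disks.*
ResultAny=no
ResultInactive=no
ResultActive=auth_admin_keep
""",
}

# Constructed group memberships standing in for /etc/group.
SAMPLE_GROUPS = {"desktop_admin_r": ["davidz", "bateman"], "desktop_user_r": ["guest"]}


def load_entries(files):
    """Parse .pkla files in priority order (directory rank, then file name)."""
    def rank(path):
        parts = path.split("/")
        return (DIR_ORDER.index(parts[-2]), parts[-1])

    entries = []
    for path in sorted(files, key=rank):
        cp = configparser.ConfigParser(interpolation=None)  # keys are lowercased
        cp.read_string(files[path])
        for name in cp.sections():
            sec = cp[name]
            entries.append({
                "identities": [i for i in sec["identity"].split(";") if i],
                "actions": [a for a in sec["action"].split(";") if a],
                "any": sec["resultany"],
                "inactive": sec["resultinactive"],
                "active": sec["resultactive"],
            })
    return entries


def identity_matches(identity, user, groups):
    """unix-user:NAME (or unix-user:*) and unix-group:NAME identities."""
    kind, _, name = identity.partition(":")
    if kind == "unix-user":
        return name == "*" or name == user
    if kind == "unix-group":
        return user in groups.get(name, [])
    return False


def check_authorization(entries, user, action, session="active", groups=SAMPLE_GROUPS):
    """Result for user/action in an 'active', 'inactive' or 'any' session.

    None means no entry matched and the action's own defaults apply. A
    later (higher priority) matching entry overrides an earlier one, which
    is how a 50-local.d file narrows a 10-vendor.d grant (assumed rule).
    """
    result = None
    for entry in entries:
        if not any(identity_matches(i, user, groups) for i in entry["identities"]):
            continue
        if not any(fnmatch.fnmatchcase(action, pat) for pat in entry["actions"]):
            continue
        result = entry[session]
    return result


def admin_identities(groups, role="desktop_admin_r"):
    """Who is asked for a password on auth_admin results: the role group's
    members, or root when that group is empty (the fallback in the mail)."""
    return ["unix-user:" + m for m in groups.get(role, [])] or ["unix-user:root"]


if __name__ == "__main__":
    entries = load_entries(SAMPLE_PKLA)
    for user, action in [("davidz", "org.gnome.clockapplet.mechanism.settime"),
                         ("davidz", "org.freedesktop.devicekit.disks.filesystem-mount"),
                         ("guest", "org.gnome.clockapplet.mechanism.settime")]:
        print(user, action, "->", check_authorization(entries, user, action))
    print("admin identities:", admin_identities(SAMPLE_GROUPS))
```

Running the block prints "yes" for davidz setting the time, "auth_admin_keep"
for davidz mounting a disk (the local file wins over the vendor grant), and
None for guest setting the time (desktop_user_r only covers the time zone).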