Roles and Policy
davidz at redhat.com
Thu Aug 13 18:28:51 UTC 2009
I've just added a new subpackage in the polkit SRPM called
polkit-desktop-policy. This package will add two new system groups (the
trailing _r signifies these are really roles, not ordinary groups)
The patch is here
It works like this
1. If the desktop_admin_r group is non-empty, then users in the group
are used for administrator authentication - see the polkit(8) man
page for details:
If the desktop_admin_r group is empty, we just ask for the root
For example, the following is a screenshot where the users davidz
and bateman are in the desktop_admin_r group:
2. Second, if you are a member of the desktop_admin_r group, then you
should be allowed to do a lot of things without being interrupted
by authentication dialogs. This part isn't complete, for now, it
org.gnome.clockapplet.mechanism.* - set timezone and system time
org.freedesktop.devicekit.disks.* - all storage related things
org.freedesktop.RealtimeKit1.* - run real-time processes
but we probably want to allow installing trusted packages, installing
trusted updates and removing packages, without asking for a password.
Probably more - Richard?
3. Third, if you are a member of the desktop_user_r group then you
should be allowed to do a number of things - not as much as the
desktop_admin_r role, but things like setting the time zone. For
now, we only include
A couple of notes
- As we add/remove mechanisms (e.g. privileged apps using polkit), we
need to update this package. That's fine.
- For this to be really useful, we need the User Account Editor that
Matthias wrote about here
Sadly no work has been done on this yet. Anyway, the main point is
that we can add something like this
(*) Standard User
( ) Administrative User
to this tool. We can also add more roles, e.g. "Restricted User" and
also tailor policy for the mythical guest account.
- This is opt-in. If you don't want to use this, just don't add any
users to the desktop_admin_r or desktop_user_r groups. Heck, just
uninstall the package. Second, other third-party packages can
easily override this thanks to how the polkit local authority works
(see the pklocalauthority(8) man page for details).
- This should put an end to the (IMO misguided) request "please add
first user to the 'wheel' group". The new 'wheel' is
'desktop_admin_r' and the new sudo(1) is pkexec(1).
(Of course sudo(1) will still continue to work but it is not what we
officially want to support. PolicyKit is, however.)
- With support in the OS installer for automatically adding the first
user to desktop_admin_r, we should be close to actually doing
installs without the concept of a root password...
Of course this is not 100% useful until a) the OS installer knows about
this; and b) we have a User Account Editor. But it is 90% there.
Finally, Matthias, can someone please add polkit-desktop-policy to the
default desktop install? Thanks.
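
An added example, not part of the original post or of the polkit-desktop-policy package: a small Python audit of local-authority .pkla entries (format per pklocalauthority(8)) that lists which entries let an identity perform an action without any authentication prompt. The sample file contents, the section names and the ".example" action ids are constructed for illustration.

```python
import configparser
from fnmatch import fnmatchcase

# Constructed sample in the .pkla key-file format from pklocalauthority(8).
# Assumption: this is NOT the real content of polkit-desktop-policy.
SAMPLE_PKLA = """
[Desktop admin role]
Identity=unix-group:desktop_admin_r
Action=org.freedesktop.devicekit.disks.*;org.freedesktop.RealtimeKit1.*
ResultInactive=no
ResultActive=yes

[Desktop user role]
Identity=unix-group:desktop_user_r
Action=org.gnome.clockapplet.mechanism.*
ResultActive=auth_self
"""

RESULT_KEYS = ("ResultAny", "ResultInactive", "ResultActive")

def parse_pkla(text):
    """Parse .pkla text into a list of authorization entries."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case: 'Identity', not 'identity'
    cp.read_string(text)
    entries = []
    for name in cp.sections():
        sec = cp[name]
        entries.append({
            "name": name,
            "identities": [g for g in sec.get("Identity", "").split(";") if g],
            "actions": [g for g in sec.get("Action", "").split(";") if g],
            "results": {k: sec[k] for k in RESULT_KEYS if k in sec},
        })
    return entries

def passwordless_grants(entries, identity, action_id):
    """List (entry, result key) pairs answering 'yes' for identity/action.
    fnmatch approximates polkit's globs; file precedence is not modelled."""
    hits = []
    for e in entries:
        if (any(fnmatchcase(identity, g) for g in e["identities"])
                and any(fnmatchcase(action_id, g) for g in e["actions"])):
            hits += [(e["name"], k) for k, v in e["results"].items() if v == "yes"]
    return hits

if __name__ == "__main__":
    print(passwordless_grants(parse_pkla(SAMPLE_PKLA), "unix-group:desktop_admin_r",
                              "org.freedesktop.devicekit.disks.example"))
```

Pointing parse_pkla at the real .pkla files on a system gives a quick inventory of every role or group that can run an action with no prompt, which is the part of this policy worth reviewing each time a mechanism is added.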