Roles and Policy

David Zeuthen davidz at
Thu Aug 13 18:28:51 UTC 2009


I've just added a new subpackage in the polkit SRPM called
polkit-desktop-policy. This package will add two new system groups (the
trailing _r signifies these are really roles, not ordinary groups)

 - desktop_admin_r
 - desktop_user_r

The patch is here

It works like this

 1. If the desktop_admin_r group is non-empty, then users in the group
    are used for administrator authentication - see the polkit(8) man
    page for details:

    If the desktop_admin_r group is empty, we just ask for the root
    password instead.

    For example, the following is a screenshot where the users davidz
    and bateman are in the desktop_admin_r group:

 2. Second, if you are member of the desktop_admin_r group, then you
    should be allowed to do a lot of things without being interrupted
    by authentication dialogs. This part isn't complete, for now, it

      org.gnome.clockapplet.mechanism.* - set timezone and system time
      org.freedesktop.devicekit.disks.* - all storage related things
      org.freedesktop.RealtimeKit1.*    - run real-time processes 

    but we probably want to allow installing trusted packages, install
    trusted updates and remove packages. Without asking for a password.
    Probably more - Richard?

 3. Third, if you are a member of the desktop_user_r group then you
    should be allowed to do a number of things - not as much as the
    desktop_admin_r role, but things like setting the time zone. For
    now, we only include


A couple of notes

 - As we add/remove mechanisms (e.g. privileged apps using polkit), we
   need to update this package. That's fine.

 - For this to be really useful, we need the User Account Editor that
   Matthias wrote about here

   Sadly no work has been done on this yet. Anyway, the main point is
   that we can add something like this

     Account Type

          (*) Standard User
          ( ) Administrative User

   to this tool. We can also add more roles, e.g. "Restricted User" and
   also tailor policy for the mythical guest account.

 - This is opt-in. If you don't want to use this, just don't add any
   users to the desktop_admin_r or desktop_user_r groups. Heck, just
   uninstall the package. Second, other third-party packages can
   easily override this thanks to how the polkit local authority works
   (see the pklocalauthority(8) man page for details).

 - This should put an end to the (IMO misguided) request "please add
   first user to the 'wheel' group". The new 'wheel' is
   'desktop_admin_r' and the new sudo(1) is pkexec(1).
   (Of course sudo(1) will still continue to work but it is not what we
   officially want to support. PolicyKit is, however)

 - With support in the OS installer for automatically adding the first
   user to desktop_admin_r, we should be close to actually doing
   installs without the concept of a root password...

Of course this is not 100% useful until a) the OS installer knows about
this; and b) we have an User Account Editor. But it is 90% there.

Finally, Matthias, can someone please add polkit-desktop-policy to the
default desktop install? Thanks.




More information about the Fedora-desktop-list mailing list