Roles and Policy

David Zeuthen davidz at redhat.com
Thu Aug 13 20:20:35 UTC 2009 

On Thu, 2009-08-13 at 15:41 -0400, Colin Walters wrote:
> Are these defined by upstream PolicyKit?  In other words, are these
> group names expected to be the same across OS vendors?  Or just the
> concept of the two groups, and their names can vary?

Not yet. We might want a polkit-policy tarballs that define these roles
(and possibly others) and the associated policy. I fwd'ed the original
mail to polkit-devel-list for other distros to consider this.

> >    but we probably want to allow installing trusted packages, install
> >    trusted updates and remove packages. Without asking for a password.
> >    Probably more - Richard?
> 
> Hmmm.  I very, VERY strongly think that installing OS updates should
> require no password by default in the unmanged case, and *especially*
> not a different "root" password.  System time is probably in that area
> as well.  If "make sound work without pops" requires the real-time
> process permission, then we definitely need that too.

Right, so granting the authorization to install OS updates w/o a
password for desktop_user_r and desktop_admin_r is what we want. 

> So it sounds like your desktop_admin_r is equivalent to the unmanaged
> case?  And desktop_user_r is roughly...what?  Computer lab?  But
> admins there aren't going to want people to be able to change the
> time.

The idea is that desktop_admin_r is for the owner(s) of the system - for
example, the owner of a single-user laptop. The idea is that
desktop_user_r is a non-owner or otherwise less privileged/trusted - for
example, your kids on the shared computer system at home.

That's the _idea_ anyway. We might want to change this if we want to.

> >  - This should put an end to the (IMO misguided) request "please add
> >   first user to the 'wheel' group". The new 'wheel' is
> >   'desktop_admin_r' and the new sudo(1) is pkexec(1).
> 
> See, this is what I don't like, is that "admin" here really means
> "execute arbitrary code as root" which I suggest we don't want to
> conflate with "install OS updates" and "make sound work without
> popping".

Right, so we just give this authorization only to desktop_admin_r. E.g.
allow standard users to install trusted OS updates. Ditto for the rtkit
stuff.

(And, btw, you _do need_ to enter the password for an admin user for
'pkexec bash' to work. Even if you are in desktop_admin_r. Ditto for
installing untrusted/unsigned packages. And this is fine I think.)

> >  - With support in the OS installer for automatically adding the first
> >   user to desktop_admin_r, we should be close to actually doing
> >   installs without the concept of a root password...
> 
> The most important thing is to remove the root password from the
> default UI flows,  But for example, the first time you typed "pkexec
> vi /etc/resolv.conf" (i.e. do something arbitrary as uid 0) when
> you're debugging some network problem, it'd be cool if that prompted
> you for a root password.  In fact, if one wasn't set yet, offered to
> let you set it.  Then we could axe the root password from the livecd
> installer prompt, and it becomes on-demand.

I think we want to completely disable the root account just like in OS X
and Ubuntu. In my view, it just doesn't make sense to have a root
password at all - shared secrets are really bad. One less password to
worry about is really what you want.

     David

More information about the Fedora-desktop-list mailing list