Roles and Policy

[David Zeuthen]

On Mon, 2009-08-17 at 17:21 +0100, Richard Hughes wrote:
> 2009/8/13 David Zeuthen <davidz at redhat.com>:
> >  1. If the desktop_admin_r group is non-empty, then users in the group
> >    are used for administrator authentication - see the polkit(8) man
> >    page for details:
> >    http://people.freedesktop.org/~david/pkexec-with-desktop-admin-r.png
> 
> Looks groovy.
> 
> >    but we probably want to allow installing trusted packages, install
> >    trusted updates and remove packages. Without asking for a password.
> >    Probably more - Richard?
> 
> The policy definitions are listed here,
> http://cgit.freedesktop.org/packagekit/plain/policy/org.freedesktop.packagekit.policy.in
> along with rationale for each choice. Obvious ones to add to your list
> are:
> 
> org.freedesktop.packagekit.package-install
> org.freedesktop.packagekit.system-update
> org.freedesktop.packagekit.system-sources-refresh
> org.freedesktop.packagekit.system-network-proxy-configure

Oh, you already seem to allow a lot of stuff out of the box. While
neither of it looks like a root exploit maybe it would be wise to lock
down further.

So I think we should at least require admin auth for installing packages
and messing around with configuring proxies. It is probably fine to
still allow signed system updates. Or maybe that involves configuring
proxies as well? I don't know.

> >  - For this to be really useful, we need the User Account Editor that
> >   Matthias wrote about here
> 
> Yes, without a GUI, I don't think many people will know anything about
> desktop_admin_r, and just complain that PackageKit now asks for
> passwords a lot more than it used to.

That's my concern too. Maybe just add it as a FAQ for PackageKit as also
to the Fedora release notes.

> So, actions on my part:
> 
> 1. Make the upstream packagekit policy actions more locked down
> 2. Add the 4 actions listed above to the PolicyKit rpm list
> 3. Profit?

Sounds like a plan.

     David