Authorizing some users with root password and some with their own passwords

Gökçen Eraslan gokcen at pardus.org.tr
Tue Jun 24 06:58:09 PDT 2008


On Monday 23 June 2008 at 18:59:06, the following was written:
> On Wed, 2008-06-18 at 22:37 +0300, Gökçen Eraslan wrote:
> > In Pardus 2008, we heavily use policykit.
>
> Didn't you guys also work on a Qt/KDE authentication agent similar to
> PolicyKit-gnome? Any pointers to that code and its state? (at least the
> Fedora KDE people are interested in it)

Policykit-kde[1] is nearly complete; we use it in Pardus 2008. Since the dbus-qt3
binding has some issues with activation, we use it as a daemon,
unfortunately.

>
> > While adding a
> > user in installer (YALI) or in user management GUI (user-manager) we ask
> > if the user that will be added has admin privileges or not.
>
> Cool. Note that there's work going on to create a mechanism accessible
> via D-Bus to do this as well. And also GTK+ UI to use that mechanism.
>
> https://www.redhat.com/archives/fedora-desktop-list/2008-May/msg00006.html
>
> It would be good to get everyone to use the same non-UI bits at least. I
> don't think a lot of this code is written yet though. Anyway, just
> thought it would be useful to mention.

We use COMAR[2] (which already uses DBus and PolicyKit) for management of 
users (and also network, screen, time/date etc). Now, it doesn't have enough 
documentation, and code needs some cleaning, but with a little effort it can 
be used as a distribution-neutral solution for system management.

>
> On top of my head, why not add the root user to the wheel group? (Or if
> not suitable for the 'wheel' group due to sudo's usage of it, create a
> new group 'desktop_admin' etc.)

Actually, root is in the wheel group :) But it is not included in the admin_users
parameter of the PolKitGrantSelectAdminUser callback, although we define the wheel
group as admin in PolicyKit.conf. Can this be a bug, or our misuse of
something?

>
> Frankly said, I think the whole concept is a bit flawed; either you
> define administrator authentication as a set of users (e.g. the wheel
> group), otherwise you stick to having a superuser (e.g. root). I just
> don't think it makes sense to have two levels of administrators...
>

Actually, we keep the wheel group for su/sudo use only; our main goal here is to
ask admin users for their own passwords and to ask users who do not
have admin privileges for the root password.

> Anyway, note that doc/TODO says that the config file is going away (this
> was added on 2007-11-22 so hardly a new thing). Instead, I think the way
> it's going to work is that admin authentication will be defined as the
> set of users having an authorization, say.
>
>  org.freedesktop.policykit.is-considered-admin
>  (better name wanted)
>
> I also want to add
>
>  org.freedesktop.policykit.can-obtain-authorization-through-authentication
>  (again, better name wanted)
>
> and by default grant this authorization to everyone.

Cool, we are looking forward to this :)

>
>       David
>
>
> _______________________________________________
> hal mailing list
> hal at lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/hal

[1] https://svn.pardus.org.tr/uludag/trunk/PolicyKit-kde/
[2] https://svn.pardus.org.tr/uludag/trunk/comar/

-- 
Gökçen Eraslan

