Question - PolicyKit

David Zeuthen david at fubar.dk
Wed Jul 16 10:37:40 PDT 2008


On Tue, 2008-07-15 at 16:20 -0400, dawg wrote:
> > Uh, that's why you can change the defaults as I explained in the earlier
> > mail. See, the defaults are chosen by the application developer. Of
> > course some administrators will want to change them. So we provide a
> > mechanism (e.g. polkit-action(1)) to do exactly that.
> >   
> I may have misunderstood you. Changing the default for the checkbox is 
> exactly what I want to do. It sounded like you were stating that it was 
> only possible to make it so that the "remember" option is *never* shown 
> (not what I want).

No, I'm talking about changing the defaults for an action; e.g. if the
default is

 auth_[self|admin] -> no checkboxes
 http://hal.freedesktop.org/docs/PolicyKit-gnome/auth-self.png

 auth_[self|admin]_keep_session -> a single checkbox
 http://hal.freedesktop.org/docs/PolicyKit-gnome/auth-retain-session.png

 auth_[self|admin]_keep_always -> two checkboxes
 http://hal.freedesktop.org/docs/PolicyKit-gnome/auth-retain-always.png

> I was not saying that it doesn't make sense to allow them to retain 
> authorization (I *want* it to in some cases), I am only saying it 
> doesn't make sense for the checkbox to be ticked by default if it 
> doesn't remember that it was unchecked in previous instances.

This doesn't make sense; either you want people to retain an
authorization or you don't. If you don't, simply change the defaults with
the polkit-action(1) command line tool or the GNOME tool

http://people.freedesktop.org/~david/polkit-gnome-authorizations.png

Again, not checking the box when the dialog comes up is a _terrible_
default. The whole *idea* behind retaining authorizations is that it's a
boot-strap mechanism to let users accumulate authorizations. Which is
exactly what you want on a system without administrators (e.g. consumer
systems).

(as a side note: how to do this on a set of managed systems using a
directory server using roles is something I'm planning to add pretty
soon; basically FreeIPA integration in PolicyKit. But more about that
later.)

> I happily let PolicyKit retain that authorization. 
> However, for example, I do *not* want a user to be able to uninstall 
> whatever they want. My family is not as familiar with Linux as I am 
> (indeed, I've completely broken my system by mistake while uninstalling 
> things in the past), but more to the point, someone could uninstall 
> security software such as firewalls, etc., which certainly is a security 
> concern. It might not even be the end user -- they might simply walk 
> away from their station at work or whatever else.

So it would probably make sense to ask the PackageKit developers for a
separate PolicyKit action for uninstalling packages. Suggest that you
ask for that. Then when such an action is available you can simply
change the defaults such that the authorization can't be retained.

Oh, what do you know, it looks like it's there already

 $ polkit-action --action org.freedesktop.packagekit.remove
 action_id:        org.freedesktop.packagekit.remove
 description:      Remove package
 message:          Authentication is required to remove packages
 default_any:      no
 default_inactive: no
 default_active:   auth_admin_keep_always

So simply do this as root

 polkit-action --set-defaults-active org.freedesktop.packagekit.remove auth_admin

and you're good to go. Or use the UI. You can use
polkit-gnome-authorizations to easily scrub these authorizations from
other users (check the "[x] Show authorizations from all users" check
box, then use the "Revoke" button to revoke the authorizations.)

Do these steps solve the basic problem for you?

> On the other hand, if the user does not read the dialog and the default 
> is checked, they will have unwittingly changed a security setting on 
> their computer! And you are saying the former is worse?

No, this is perfectly fine. If the so-called "security setting" had to
do with an exploitable vector (e.g. retaining an authorization to
install unsigned software) it would be a _bug_ if the default allowed
the user to retain the authorization.

> > Maybe if you could come up with concrete examples of what problems you
> > have it would be useful, e.g. in what polkit authentication dialogs
> > (need the action name, see Details> in the dialog) do you run into where
> > you wish the "retain authorization" checkbox wasn't clicked by default?
> >   
> I don't want users (for example) to be able to uninstall programs which 
> are needed for system stability, security, or so on.

See above.

     David
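As an added example that is not part of this thread or of PolicyKit itself: a small shell audit that reads the polkit-action(1) listing format quoted above (from a constructed sample; org.example.hypothetical.reboot is a made-up action id), flags every action whose default_active is an auth_*_keep_* value, and prints the --set-defaults-active command that turns retention off for it.

```shell
#!/bin/sh
# Added example, not from the thread: audit polkit-action(1) output for
# actions whose default_active lets the user retain the authorization, and
# print the polkit-action command (run as root) that turns retention off.
# The listing below is constructed to match the format quoted in the mail;
# org.example.hypothetical.reboot is a made-up action id.
SAMPLE='action_id:        org.freedesktop.packagekit.remove
description:      Remove package
message:          Authentication is required to remove packages
default_any:      no
default_inactive: no
default_active:   auth_admin_keep_always
action_id:        org.example.hypothetical.reboot
description:      Reboot the system
default_any:      no
default_inactive: no
default_active:   auth_admin'

# default_active_of <action_id> <listing>: print the default_active value
# recorded for that action in the listing.
default_active_of() {
    printf '%s\n' "$2" | awk -v id="$1" '
        $1 == "action_id:" { cur = $2 }
        $1 == "default_active:" && cur == id { print $2 }'
}
# retention_allowed <default>: succeed when the default is one of the
# auth_*_keep_session / auth_*_keep_always variants that show a checkbox.
retention_allowed() {
    case "$1" in
        auth_self_keep_*|auth_admin_keep_*) return 0 ;;
        *) return 1 ;;
    esac
}
# fix_command <action_id> <default>: drop the _keep_* suffix so the user is
# asked to authenticate every time (what the mail recommends for remove).
fix_command() {
    stripped=$(printf '%s' "$2" | sed 's/_keep_.*$//')
    printf 'polkit-action --set-defaults-active %s %s\n' "$1" "$stripped"
}
# audit <listing>: report every action whose default allows retention.
audit() {
    printf '%s\n' "$1" | awk '$1 == "action_id:" { print $2 }' | while read -r id; do
        d=$(default_active_of "$id" "$1")
        if retention_allowed "$d"; then
            echo "$id: default_active=$d -> $(fix_command "$id" "$d")"
        fi
    done
}
audit "$SAMPLE"
```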
