Authorizing some users with root password and some with their own passwords
David Zeuthen
david at fubar.dk
Mon Jun 23 08:59:06 PDT 2008
On Wed, 2008-06-18 at 22:37 +0300, Gökçen Eraslan wrote:
> In Pardus 2008, we heavily use policykit.
Didn't you guys also work on a Qt/KDE authentication agent similar to
PolicyKit-gnome? Any pointers to that code and it's state? (at least the
Fedora KDE people are interested in it)
> While adding a
> user in installer (YALI) or in user management GUI (user-manager) we ask if
> the user that will be added has admin privileges or not.
Cool. Note that there's work going on to create a mechanism accessible
via D-Bus to do this as well. And also GTK+ UI to use that mechanism.
https://www.redhat.com/archives/fedora-desktop-list/2008-May/msg00006.html
It would be good to get everyone to use the same non-UI bits at least. I
don't think a lot of this code is written yet though. Anyway, just
thought it would be useful to mention.
> We want users that have admin privileges can do any action (like installing a
> package, deleting a user etc.) using only his/her own password, and the users
> do not have admin privileges use the root password to do these actions.
>
> We have tried 2 ways of doing this:
>
> 1- Adding a line to PolicyKit.conf like <define_admin_auth group="wheel"/>
> and, adding the users we want to give admin privileges to the wheel group.
>
> This has worked fine for users in wheel group, they can do all actions using
> their own passwords but, the users that are not in wheel group also, required
> to enter password of a user in wheel group although we want them to do
> actions by entering the root password, not password of a user in wheel group.
>
> 2- Adding lines below:
>
> <match user="hede">
> <return result="auth_self_keep_always"/>
> </match>
>
> for each user we want to give admin privileges. This time, all actions that
> require "auth_admin*", are started to require "auth_self_keep_always". This
> is fine, but this rule also overrides the actions that has policy
> type "yes". This causes actions do not ask password, to ask users their own
> passwords :)
>
> Is there any sane solution for this scenario?
On top of my head, why not add the root user to the wheel group? (Or if
not suitable for the 'wheel' group due to sudo's usage of it, create a
new group 'desktop_admin' etc.)
Frankly said, I think the whole concept is a bit flawed; either you
define administrator authentication as a set of users (e.g. the wheel
group), otherwise you stick to having a superuser (e.g. root). I just
don't think it makes sense to have two levels of administrators...
Anyway, note that doc/TODO says that the config file is going away (this
was added on 2007-11-22 so hardly a new thing). Instead, I think the way
it's going to work is that admin authentication will be defined as the
set of users having an authorization, say.
org.freedesktop.policykit.is-considered-admin
(better name wanted)
I also want to add
org.freedesktop.policykit.can-obtain-authorization-through-authentication
(again, better name wanted)
and by default grant this authorization to everyone.
David
More information about the hal
mailing list