Authorizing some users with root password and some with their own passwords
David Zeuthen
david at fubar.dk
Thu Jun 26 13:44:25 PDT 2008
(Moving the thread to polkit-devel)
On Wed, 2008-06-25 at 11:45 +0300, Gökçen Eraslan wrote:
> On Tuesday 24 June 2008 at 16:58:09, wrote:
> > > On top of my head, why not add the root user to the wheel group? (Or if
> > > not suitable for the 'wheel' group due to sudo's usage of it, create a
> > > new group 'desktop_admin' etc.)
> >
> > Actually, root is in wheel group :) But, it is not included in the
> > admin_users parameter of PolKitGrantSelectAdminUser callback, although we
> > define wheel group as admin in PolicyKit.conf. Can this be a bug, or our
> > misuse of something?
>
> I've found that, in polkit_grant_helper.c, root user is explicitly skipped
> while adding users to group that is defined as admin (such as wheel):
>
>     /* skip user 'root' since he is often member of 'wheel' etc. */
>     if (strcmp (user, "root") == 0)
>         continue;
>
> Why is this code added? If 'wheel' group is defined as admin, root should be
> included in the users list. Am I wrong?
Right, I think the point of this code was that we didn't want the root
user to be shown in the drop-down menu
http://hal.freedesktop.org/docs/PolicyKit-gnome/auth-wheel-group-2.png
Either way, thinking more about your initial premise

    Actually, we keep wheel group to use su/sudo only, our main goal
    here is to ask their own passwords to admin users and root
    password for users do not have admin privileges.

E.g. the premise being that a) the user is not in wheel/admin group; and
b) user knows the root password. So if a) and b) are true the user can
just add himself to the wheel/admin group. I think that's why I coded it
this way; e.g. the premise is flawed.
(Now you can say this is not true for networked environments (e.g. NIS,
LDAP) but my response to that is that you're going to need a new
PolicyKit backend for such environments. And btw, as mentioned earlier
such a backend is something that I'm working with the FreeIPA/IPA team
in Fedora/Red Hat on.)
That said, we might want to rework PolKitResult from being an
enumeration, e.g.
http://hal.freedesktop.org/docs/PolicyKit/polkit-polkit-result.html#PolKitResult
to a real class, e.g. with methods something like this

    polkit_result_is_authorized()
    polkit_result_can_obtain_authorization_through_authentication()
    polkit_result_get_list_of_entities_that_can_authenticate()
    ...

perhaps including a way to specify the authentication method (e.g.
require multi-factor authentication for some actions) if we can do it in
a way that's not too icky (read: PAM in its current form really sucks).
Alas, such a change of course involves breaking ABI so need to do this
before 1.0.
David
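
Added example, not part of the original message and not PolicyKit's own source: a self-contained C sketch of the admin-group member collection around the quoted polkit_grant_helper.c check, showing how skipping root changes the list of users offered for authentication. The function name collect_admin_users, its skip_root flag and the default group "wheel" are assumptions made for illustration.

```c
#include <grp.h>
#include <stdio.h>
#include <string.h>

/* Copy the members of an admin group into out[]. When skip_root is
 * non-zero, "root" is left out, as in the check quoted in the thread.
 * Duplicate names are dropped. Returns the number of entries written
 * (at most cap). Hypothetical helper, not a PolicyKit function. */
size_t collect_admin_users(char *const *members, int skip_root,
                           const char **out, size_t cap)
{
    size_t n = 0;

    if (members == NULL)
        return 0;
    for (size_t i = 0; members[i] != NULL && n < cap; i++) {
        const char *user = members[i];
        size_t j;

        /* skip user 'root' since he is often member of 'wheel' etc. */
        if (skip_root && strcmp(user, "root") == 0)
            continue;
        for (j = 0; j < n; j++)          /* already collected? */
            if (strcmp(out[j], user) == 0)
                break;
        if (j == n)
            out[n++] = user;
    }
    return n;
}

int main(int argc, char **argv)
{
    /* Assumption: the admin group is "wheel" unless one is given. */
    const char *group = argc > 1 ? argv[1] : "wheel";
    struct group *gr = getgrnam(group);
    const char *users[64];

    if (gr == NULL) {
        fprintf(stderr, "no such group: %s\n", group);
        return 1;
    }
    size_t n = collect_admin_users(gr->gr_mem, 1, users, 64);
    for (size_t i = 0; i < n; i++)
        printf("%s\n", users[i]);
    return 0;
}
```

getgrnam() reports only the users listed in the group's member field, so an account whose primary group is the admin group does not appear in gr_mem. When root is the only listed member and skip_root is set, the resulting list is empty.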