Questions about new policyKit and desktop_admin-user groups

Renato Granzoto renato.granzoto at gmail.com
Tue Nov 17 03:42:31 PST 2009


Hi Guys,

   first of all, sorry if these are too simple questions, but I have read
the documentation page and still have some questions :

 1 - While we don't have an user editor interface that handles
desktop_user and desktop_admin tags,
      I am going to add all of my users to desktop_admin_r group.
It's a regular workstation, not on
      a production/critical environment. I am doing this because I
would like to avoid the users to be
      prompted for root-password.  Does it make sense ?  Does anyone
here have any concerns about it ?

 2 - I saw that inside the file
"/var/lib/polkit-1/localauthority/10-vendor.d/10-desktop-policy.pkla"
     we have distinct rules for desktop_user_r and desktop_admin_r
groups, and the desktop_admin_r rule
     that controls this :
     Action=org.gnome.clockapplet.mechanism.*;org.freedesktop.devicekit.disks.*;org.freedesktop.RealtimeKit1.*

     Under the directory "/usr/share/polkit-1/actions/" we have some
extra policies, like "org.fedoraproject.config.firewall.policy".

     My question here is :  Let's suppose I want to allow all  users
on desktop_admin_r group to access system-config-firewall without
     the need to type the root password.  I would add
"org.fedoraproject.config.firewall.*" to the Action line listed below
?

     I did it during my tests and it worked fine, but I am not sure if
it's safe/correct.

  Thanks a lot

Renato


More information about the polkit-devel mailing list