Lock Down
David Zeuthen
david at fubar.dk
Sat Sep 12 14:20:01 PDT 2009
Hey,
So one thing that isn't really easy with polkit right now is lock-down.
E.g. give away some privilege by default (e.g. use 'yes' for
<allow_active> in the policy file) but make it easy for an authorized
user to lock things down so authentication is required.
Well, up until now. First we add a new tool to lock down an action
http://hal.freedesktop.org/docs/polkit/pklalockdown.1.html
This only works for the local authority but that's fine - other
authority implementations will most likely be for centralized directory
servers and this feature can be implemented in other ways there - e.g.
these kinds of setups typically have a dedicated web2.0++-based
administration console that scales to 100,000s of users.
The other part of this is using this new tool in PolkitLockButton. Up
until now, the PolkitLockButton widget was hidden if the process was
implicitly authorized. Now it's no longer hidden in this case, instead
it looks like this
http://hal.freedesktop.org/docs/polkit-gtk/polkit-lock-button-lock-down.png
(see http://hal.freedesktop.org/docs/polkit-gtk/polkit-gtk-1-polkitlockbutton.html
for the context)
If the user clicks this button, the PolkitLockButton code just runs
pklalockdown(1). This typically results in an authentication dialog
(since locking down stuff is a privileged operation - you are taking
away stuff from _everyone_ by doing this). Anyway, if this operation
succeeds then the action is locked down (e.g. admin auth is always asked
for). The user can remove the lockdown by right-clicking the button -
this results in another authentication dialog.
Anyway, the bottom-line of all this work is that PolkitLockButton and
polkit itself are a lot more useful for use-cases where you grant a lot
of privilege to certain roles [1]. Use-case:
- Alice (the head of a household) puts users Bob and Carlos (her
adolescent kids) into the desktop_user_r role (ideally using
something like [2]). Alice herself is in desktop_admin_r along
with her husband Dave (no relation to me, I'm just using names
from [3]).
- Users in the desktop_user_r role get a lot of privileges for
free - say, including the privilege to install trusted software
(e.g. software signed by a trusted party, e.g. Fedora or Debian
or whatever) without having to authenticate
- Alice is unhappy that Bob and Carlos install a lot of crap on
the home machine and that they're falling behind in school. Alice
goes into "System->Administration->Add/Remove Software" [4]. She
clicks the lock with the title saying "Click to lock down",
authenticates as the administrator (by authenticating as herself)
and now only users in desktop_admin_r (Alice and Dave) can install
new software.
This is of course just an example, I'm not sure Richard wants to add
this patch or if it's compatible with how PackageKit works. And maybe if
Richard wants to do the UI in a different way (say, a checkbox in a
preference dialog) he can do just that by invoking pklalockdown(1)
himself.
The point here, really, is that instead of really poor and crappy UI
like this
http://people.freedesktop.org/~david/polkit-gnome-authorizations.png
we now make it extremely easy to lock down each application in a secure
manner. And, more importantly, we make it easy to do it _from_ the
application, not some crappy UI.
Feedback welcome.
Thanks,
David
[1] : "Roles and Policy" mail:
https://www.redhat.com/archives/fedora-desktop-list/2009-August/msg00103.html
[2] : "A new user management tool" mail:
https://www.redhat.com/archives/fedora-desktop-list/2008-May/msg00006.html
[3] : Alice and Bob
http://en.wikipedia.org/wiki/Alice_and_Bob
[4] : Screenshot of PackageKit's Add/Remove Software:
http://people.freedesktop.org/~david/Screenshot-Add-Remove%20Software.png
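As an added illustration (not part of David's mail and not polkit's own code): a small POSIX shell script showing what a lock-down of this kind amounts to on disk for the local authority. A vendor .policy file grants the action implicitly with <allow_active>yes</allow_active>; the lock-down drops a .pkla file into the 90-mandatory.d directory, which has the highest precedence in the local authority, so administrator authentication is required from then on, and removing that file restores the vendor default. The action id org.example.package-install, the file names, and the exact keys and values in the generated .pkla are assumptions modelled on the "admin auth is always asked for" behaviour described above, not copied from pklalockdown(1); the root directory is a parameter so the script can be exercised in a scratch directory instead of /etc.

```shell
#!/bin/sh
# Added example, not from the original mail or from polkit itself.
# Models the on-disk effect of locking down one polkit action for the
# local authority: vendor default (allow_active=yes) vs. a mandatory
# .pkla override requiring admin authentication.
# Assumptions: the action id, file names and the .pkla keys/values are
# illustrative; $1 is a root directory (use a scratch dir, not /).

set -eu

# Constructed action id used throughout the example.
ACTION_ID="org.example.package-install"

# Write a vendor policy that lets active (console) sessions run the
# action without authenticating. Paths are relative to the root in $1.
write_vendor_policy() {
    root="$1"
    dir="$root/usr/share/polkit-1/actions"
    mkdir -p "$dir"
    cat > "$dir/org.example.policy" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<policyconfig>
  <action id="$ACTION_ID">
    <description>Install software (constructed example action)</description>
    <message>Authentication is required to install software</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
</policyconfig>
EOF
}

# Lock the action down: a .pkla in 90-mandatory.d that matches every
# user and demands (cached) administrator authentication for active
# sessions. Key names and values are an assumption about the format.
lock_down() {
    root="$1"
    dir="$root/etc/polkit-1/localauthority/90-mandatory.d"
    mkdir -p "$dir"
    cat > "$dir/$ACTION_ID.lockdown.pkla" <<EOF
[Lockdown]
Identity=unix-user:*
Action=$ACTION_ID
ResultAny=no
ResultInactive=no
ResultActive=auth_admin_keep
EOF
}

# Undo the lock-down (the right-click case in the mail), modelled here
# as deleting the mandatory override so the vendor default applies again.
remove_lock_down() {
    root="$1"
    rm -f "$root/etc/polkit-1/localauthority/90-mandatory.d/$ACTION_ID.lockdown.pkla"
}

# Simplified model of what the authority returns for an active session:
# the mandatory .pkla, if present, wins over the vendor default.
effective_active_result() {
    root="$1"
    pkla="$root/etc/polkit-1/localauthority/90-mandatory.d/$ACTION_ID.lockdown.pkla"
    if [ -f "$pkla" ]; then
        sed -n 's/^ResultActive=//p' "$pkla"
    else
        sed -n 's:.*<allow_active>\(.*\)</allow_active>.*:\1:p' \
            "$root/usr/share/polkit-1/actions/org.example.policy"
    fi
}
```

On a live system, pkcheck(1) against the real authority gives the authoritative answer; effective_active_result only models the precedence of the mandatory override over the vendor default, which is the property the lock button relies on.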