Evaluating membership of an AD group for polkit authorization

zero four zfnoctis at gmail.com
Sun Nov 20 23:34:19 UTC 2016


Hi,

I am attempting to join Linux workstations to a relatively large domain
(150k users, 50k groups) using sssd, and I am wanting to allow members of
specific AD groups to perform elevated actions using polkit.  Currently
sssd cannot handle that many nested groups and users without setting
"ignore_group_members = true". However it appears that polkit verifies a
user's authorization by enumerating all members of the authorized groups
and then determining if the user is in that list, rather than looking up
the group memberships of the user attempting elevation.  This results in
polkit showing zero users as having the ability to elevate privileges.  I
believe sudo evaluates group memberships of the user, which would explain
why I can add AD groups to the sudoers file and have it work, even though
"ignore_group_members = true" is set in sssd.conf.

I understand that this may seem like a problem solely with sssd, but it
does appear to be a less efficient way of determining elevation rights for
users, at least in this case.  Would it be possible for polkit to instead
check the group memberships of the user attempting elevation, or at least
make that a configuration option for polkit?

If my understanding of how polkit evaluates group memberships is completely
wrong I apologize, my limited grasp of C led me to believe the relevant
code was lines 2174 to 2212 of polkitbackendinteractiveauthority.c.

Thank you for your time.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/polkit-devel/attachments/20161120/4d88e603/attachment.html>


More information about the polkit-devel mailing list