On Mon, 2009-08-17 at 17:21 +0100, Richard Hughes wrote:
> 2009/8/13 David Zeuthen davidz@redhat.com:
>> - If the desktop_admin_r group is non-empty, then users in the group
>> are used for administrator authentication - see the polkit(8) man page
>> for details: http://people.freedesktop.org/~david/pkexec-with-desktop-admin-r.png
>
> Looks groovy.
>
>> but we probably want to allow installing trusted packages, install
>> trusted updates and remove packages. Without asking for a password.
>> Probably more - Richard?
>
> The policy definitions are listed here,
> http://cgit.freedesktop.org/packagekit/plain/policy/org.freedesktop.packagek...
> along with rationale for each choice. Obvious ones to add to your list are:
>
> org.freedesktop.packagekit.package-install
> org.freedesktop.packagekit.system-update
> org.freedesktop.packagekit.system-sources-refresh
> org.freedesktop.packagekit.system-network-proxy-configure
Oh, you already seem to allow a lot of stuff out of the box. While none of it looks like a root exploit, maybe it would be wise to lock down further.
So I think we should at least require admin auth for installing packages and messing around with configuring proxies. It is probably fine to still allow signed system updates. Or maybe that involves configuring proxies as well? I don't know.
>> - For this to be really useful, we need the User Account Editor that
>> Matthias wrote about here
>
> Yes, without a GUI, I don't think many people will know anything about
> desktop_admin_r, and just complain that PackageKit now asks for passwords
> a lot more than it used to.
That's my concern too. Maybe just add it as a FAQ for PackageKit and also to the Fedora release notes.
> So, actions on my part:
>
> - Make the upstream packagekit policy actions more locked down
> - Add the 4 actions listed above to the PolicyKit rpm list
> - Profit?
Sounds like a plan.
David
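The thread is about which PackageKit actions an active-session user may invoke with no password, and about tightening them to admin authentication. The script below is an added example written for this page, not code from PackageKit or polkit: it parses a polkit .policy file, lists the actions whose vendor default is `<allow_active>yes</allow_active>`, lists those weaker than a chosen minimum, and rewrites selected actions to `auth_admin`. The action ids in the sample are the four named above; the `<defaults>` values in it are constructed for illustration and do not describe any real PackageKit release.

```python
"""Audit and harden vendor defaults in polkit .policy files.

Added example; not PackageKit's or polkit's own code.  The SAMPLE_POLICY
below is constructed: real action ids from the discussion, invented
<defaults> values.
"""
import xml.etree.ElementTree as ET

# Constructed sample in the polkit .policy format (values are invented).
SAMPLE_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
 "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd">
<policyconfig>
  <action id="org.freedesktop.packagekit.package-install">
    <description>Install package</description>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="org.freedesktop.packagekit.system-update">
    <description>Update system</description>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_self_keep</allow_active>
    </defaults>
  </action>
  <action id="org.freedesktop.packagekit.system-sources-refresh">
    <description>Refresh package sources</description>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>yes</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="org.freedesktop.packagekit.system-network-proxy-configure">
    <description>Configure network proxy</description>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin</allow_active>
    </defaults>
  </action>
</policyconfig>
"""

# polkit implicit-authorization results, ordered weakest to strongest
STRENGTH = {
    "yes": 0,
    "auth_self_keep": 1,
    "auth_self": 2,
    "auth_admin_keep": 3,
    "auth_admin": 4,
    "no": 5,
}
SCOPES = ("allow_any", "allow_inactive", "allow_active")


def parse_policy(xml_text):
    """Return {action_id: {scope: result}} for every <action> in the file.

    A missing <defaults> child is treated as "no" here (the safe reading).
    """
    root = ET.fromstring(xml_text)
    policies = {}
    for action in root.iter("action"):
        defaults = action.find("defaults")
        entry = {}
        for scope in SCOPES:
            el = defaults.find(scope) if defaults is not None else None
            entry[scope] = el.text.strip() if el is not None and el.text else "no"
        policies[action.get("id")] = entry
    return policies


def passwordless_actions(policies, scope="allow_active"):
    """Action ids that succeed with no authentication at all in `scope`."""
    return sorted(aid for aid, d in policies.items() if d[scope] == "yes")


def weaker_than(policies, minimum="auth_admin", scope="allow_active"):
    """Action ids whose default in `scope` is weaker than `minimum`."""
    floor = STRENGTH[minimum]
    return sorted(aid for aid, d in policies.items()
                  if STRENGTH.get(d[scope], 0) < floor)


def harden(xml_text, action_ids, level="auth_admin", scope="allow_active"):
    """Return the policy XML with `scope` set to `level` for the given ids.

    Note: ElementTree drops the DOCTYPE on serialisation; re-add it if the
    output is to be installed as a real .policy file.
    """
    root = ET.fromstring(xml_text)
    for action in root.iter("action"):
        if action.get("id") not in action_ids:
            continue
        defaults = action.find("defaults")
        if defaults is None:
            defaults = ET.SubElement(action, "defaults")
        el = defaults.find(scope)
        if el is None:
            el = ET.SubElement(defaults, scope)
        el.text = level
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    before = parse_policy(SAMPLE_POLICY)
    print("passwordless (active session):", passwordless_actions(before))
    print("weaker than auth_admin:", weaker_than(before))
    after = parse_policy(harden(SAMPLE_POLICY, weaker_than(before)))
    print("passwordless after hardening:", passwordless_actions(after))
```

The script reads only the vendor defaults shipped in the .policy file; local authority configuration (and the admin-identity group discussed above) can change the effective result for a given user, so the output is a starting point for review, not the final answer on who can do what.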