Hey,
I've just added a new subpackage in the polkit SRPM called polkit-desktop-policy. This package will add two new system groups (the trailing _r signifies these are really roles, not ordinary groups)
- desktop_admin_r
- desktop_user_r
The patch is here
http://cvs.fedoraproject.org/viewvc/devel/polkit/polkit.spec?r1=1.8&r2=1...
It works like this
1. If the desktop_admin_r group is non-empty, then users in the group are used for administrator authentication - see the polkit(8) man page for details:
http://hal.freedesktop.org/docs/polkit/polkit.8.html
If the desktop_admin_r group is empty, we just ask for the root password instead.
For example, the following is a screenshot where the users davidz and bateman are in the desktop_admin_r group:
http://people.freedesktop.org/~david/pkexec-with-desktop-admin-r.png
2. Second, if you are a member of the desktop_admin_r group, then you should be allowed to do a lot of things without being interrupted by authentication dialogs. This part isn't complete; for now, it includes
  org.gnome.clockapplet.mechanism.* - set timezone and system time
  org.freedesktop.devicekit.disks.* - all storage related things
  org.freedesktop.RealtimeKit1.* - run real-time processes
but we probably want to allow installing trusted packages, installing trusted updates and removing packages, without asking for a password. Probably more - Richard?
3. Third, if you are a member of the desktop_user_r group then you should be allowed to do a number of things - not as much as the desktop_admin_r role, but things like setting the time zone. For now, we only include
org.gnome.clockapplet.mechanism.settimezone
A couple of notes
- As we add/remove mechanisms (e.g. privileged apps using polkit), we need to update this package. That's fine.
- For this to be really useful, we need the User Account Editor that Matthias wrote about here
https://www.redhat.com/archives/fedora-desktop-list/2008-May/msg00006.html
Sadly no work has been done on this yet. Anyway, the main point is that we can add something like this
Account Type
(*) Standard User ( ) Administrative User
to this tool. We can also add more roles, e.g. "Restricted User" and also tailor policy for the mythical guest account.
- This is opt-in. If you don't want to use this, just don't add any users to the desktop_admin_r or desktop_user_r groups. Heck, just uninstall the package. Second, other third-party packages can easily override this thanks to how the polkit local authority works (see the pklocalauthority(8) man page for details).
- This should put an end to the (IMO misguided) request "please add first user to the 'wheel' group". The new 'wheel' is 'desktop_admin_r' and the new sudo(1) is pkexec(1). (Of course sudo(1) will still continue to work but it is not what we officially want to support. PolicyKit is, however.)
- With support in the OS installer for automatically adding the first user to desktop_admin_r, we should be close to actually doing installs without the concept of a root password...
Of course this is not 100% useful until a) the OS installer knows about this; and b) we have a User Account Editor. But it is 90% there.
Finally, Matthias, can someone please add polkit-desktop-policy to the default desktop install? Thanks.
David
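
An added example, not part of the original message and not the package's own code: a Python check that reads rules in the .pkla format of the polkit local authority (pklocalauthority(8)) and reports which role group gets which actions without an authentication prompt. The sample rule file is constructed from the grants listed in the message, and the function names are illustrative assumptions.

```python
import configparser
from fnmatch import fnmatchcase

# Constructed sample in the .pkla format read by the polkit local authority;
# it mirrors the grants listed in the message, not the package's real file.
SAMPLE_PKLA = """
[Desktop admin role]
Identity=unix-group:desktop_admin_r
Action=org.gnome.clockapplet.mechanism.*;org.freedesktop.devicekit.disks.*;org.freedesktop.RealtimeKit1.*
ResultAny=no
ResultInactive=no
ResultActive=yes

[Desktop user role]
Identity=unix-group:desktop_user_r
Action=org.gnome.clockapplet.mechanism.settimezone
ResultAny=no
ResultInactive=no
ResultActive=yes
"""

def parse_grants(text):
    """Return (identity, action_glob, session_kind) for every result set to 'yes'."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case: Identity, Action, ResultActive
    cp.read_string(text)
    grants = []
    for section in cp.sections():
        entry = cp[section]
        identities = [i for i in entry.get("Identity", "").split(";") if i]
        actions = [a for a in entry.get("Action", "").split(";") if a]
        for key in ("ResultAny", "ResultInactive", "ResultActive"):
            if entry.get(key, "").strip() == "yes":
                kind = key[len("Result"):].lower()
                grants += [(i, a, kind) for i in identities for a in actions]
    return grants

def passwordless_for(grants, group, action_id, session="active"):
    """True if a member of `group` gets `action_id` with no prompt in that session kind."""
    # Assumption: fnmatchcase approximates the authority's glob matching of action ids.
    return any(i == f"unix-group:{group}" and kind == session
               and fnmatchcase(action_id, glob)
               for i, glob, kind in grants)

def wildcard_grants(grants):
    """Namespace-wide grants; their scope widens whenever a mechanism adds an action."""
    return sorted({(i, glob) for i, glob, _ in grants if "*" in glob or "?" in glob})
```

Running `wildcard_grants(parse_grants(...))` over the installed rule files after each mechanism update shows where the admin role's passwordless scope has grown, which is the maintenance point raised in the first note of the message.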