[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Roles and Policy



2009/8/13 David Zeuthen <davidz redhat com>:
>  1. If the desktop_admin_r group is non-empty, then users in the group
>    are used for administrator authentication - see the polkit(8) man
>    page for details:
>    http://people.freedesktop.org/~david/pkexec-with-desktop-admin-r.png

Looks groovy.

>    but we probably want to allow installing trusted packages, install
>    trusted updates and remove packages. Without asking for a password.
>    Probably more - Richard?

The policy definitions are listed here,
http://cgit.freedesktop.org/packagekit/plain/policy/org.freedesktop.packagekit.policy.in
along with rationale for each choice. Obvious ones to add to your list
are:

org.freedesktop.packagekit.package-install
org.freedesktop.packagekit.system-update
org.freedesktop.packagekit.system-sources-refresh
org.freedesktop.packagekit.system-network-proxy-configure

>  - For this to be really useful, we need the User Account Editor that
>   Matthias wrote about here

Yes, without a GUI, I don't think many people will know anything about
desktop_admin_r, and just complain that PackageKit now asks for
passwords a lot more than it used to.

So, actions on my part:

1. Make the upstream packagekit policy actions more locked down
2. Add the 4 actions listed above to the PolicyKit rpm list
3. Profit?

Richard.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]