Hey,

I've just added a new subpackage in the polkit SRPM called polkit-desktop-policy. This package will add two new system groups (the trailing _r signifies these are really roles, not ordinary groups)

 - desktop_admin_r
 - desktop_user_r

The patch is here

 http://cvs.fedoraproject.org/viewvc/devel/polkit/polkit.spec?r1=1.8&r2=1.9

It works like this

1. If the desktop_admin_r group is non-empty, then users in the group are used for administrator authentication - see the polkit(8) man page for details:

   http://hal.freedesktop.org/docs/polkit/polkit.8.html

   If the desktop_admin_r group is empty, we just ask for the root password instead. For example, the following is a screenshot where the users davidz and bateman are in the desktop_admin_r group:

   http://people.freedesktop.org/~david/pkexec-with-desktop-admin-r.png

2. Second, if you are a member of the desktop_admin_r group, then you should be allowed to do a lot of things without being interrupted by authentication dialogs. This part isn't complete; for now, it includes

   org.gnome.clockapplet.mechanism.*   - set timezone and system time
   org.freedesktop.devicekit.disks.*   - all storage related things
   org.freedesktop.RealtimeKit1.*      - run real-time processes

   but we probably want to allow installing trusted packages, install trusted updates and remove packages. Without asking for a password. Probably more - Richard?

3. Third, if you are a member of the desktop_user_r group then you should be allowed to do a number of things - not as much as the desktop_admin_r role, but things like setting the time zone. For now, we only include

   org.gnome.clockapplet.mechanism.settimezone

A couple of notes

 - As we add/remove mechanisms (e.g. privileged apps using polkit), we need to update this package. That's fine.

 - For this to be really useful, we need the User Account Editor that Matthias wrote about here

   https://www.redhat.com/archives/fedora-desktop-list/2008-May/msg00006.html

   Sadly no work has been done on this yet. Anyway, the main point is that we can add something like this

     Account Type
      (*) Standard User
      ( ) Administrative User

   to this tool. We can also add more roles, e.g. "Restricted User" and also tailor policy for the mythical guest account.

 - This is opt-in. If you don't want to use this, just don't add any users to the desktop_admin_r or desktop_user_r groups. Heck, just uninstall the package. Second, other third-party packages can easily override this thanks to how the polkit local authority works (see the pklocalauthority(8) man page for details).

 - This should put an end to the (IMO misguided) request "please add first user to the 'wheel' group". The new 'wheel' is 'desktop_admin_r' and the new sudo(1) is pkexec(1). (Of course sudo(1) will still continue to work but it is not what we officially want to support. PolicyKit is, however.)

 - With support in the OS installer for automatically adding the first user to desktop_admin_r, we should be close to actually doing installs without the concept of a root password...

Of course this is not 100% useful until a) the OS installer knows about this; and b) we have a User Account Editor. But it is 90% there.

Finally, Matthias, can someone please add polkit-desktop-policy to the default desktop install?

Thanks.

     David
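
The following is an added example, not part of the original message and not the package's own files: a small audit helper that shows how the two roles above map onto polkit local authority entries and which actions each role gets without a prompt. It assumes the `.pkla` keys `Identity`, `Action` and `ResultActive` from pklocalauthority(8) and that the last matching entry wins; the sample rules, section titles and function names are constructed from the action lists in the message.

```python
import configparser
from fnmatch import fnmatchcase

# Constructed sample in the .pkla layout from pklocalauthority(8);
# section titles are made up, this is not the package's real file.
SAMPLE_PKLA = """
[Desktop user role]
Identity=unix-group:desktop_user_r
Action=org.gnome.clockapplet.mechanism.settimezone
ResultActive=yes

[Desktop admin role]
Identity=unix-group:desktop_admin_r
Action=org.gnome.clockapplet.mechanism.*;org.freedesktop.devicekit.disks.*;org.freedesktop.RealtimeKit1.*
ResultActive=yes
"""

def load_entries(text):
    """Parse .pkla text into a list of entries, keeping file order."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keys such as ResultActive are case-sensitive
    cp.read_string(text)
    split = lambda v: [x.strip() for x in v.split(";") if x.strip()]
    return [{"title": t,
             "identities": split(cp[t].get("Identity", "")),
             "actions": split(cp[t].get("Action", "")),
             "active": cp[t].get("ResultActive")} for t in cp.sections()]

def result_for(entries, user, groups, action):
    """ResultActive for this subject/action, or None when nothing matches
    (the action's own defaults then apply). Assumes the last match wins."""
    subject = {"unix-user:" + user} | {"unix-group:" + g for g in groups}
    verdict = None
    for e in entries:
        who = any(fnmatchcase(s, p) for s in subject for p in e["identities"])
        what = any(fnmatchcase(action, p) for p in e["actions"])
        if who and what and e["active"] is not None:
            verdict = e["active"]
    return verdict

def passwordless(entries, group):
    """Action globs a group may use in an active session with no prompt."""
    ident = "unix-group:" + group
    return sorted({a for e in entries if e["active"] == "yes"
                   and any(fnmatchcase(ident, p) for p in e["identities"])
                   for a in e["actions"]})

ENTRIES = load_entries(SAMPLE_PKLA)
```

Running `passwordless(ENTRIES, "desktop_admin_r")` against the rules actually installed on a system gives a quick list of what membership in a role grants, which is worth reviewing each time a mechanism is added to the policy.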