On Mon, 2009-08-17 at 17:21 +0100, Richard Hughes wrote:
> 2009/8/13 David Zeuthen <davidz@xxxxxxxxxx>:
> > 1. If the desktop_admin_r group is non-empty, then users in the group
> > are used for administrator authentication - see the polkit(8) man
> > page for details:
> > http://people.freedesktop.org/~david/pkexec-with-desktop-admin-r.png
>
> Looks groovy.
>
> > but we probably want to allow installing trusted packages, install
> > trusted updates and remove packages. Without asking for a password.
> > Probably more - Richard?
>
> The policy definitions are listed here,
> http://cgit.freedesktop.org/packagekit/plain/policy/org.freedesktop.packagekit.policy.in
> along with rationale for each choice. Obvious ones to add to your list
> are:
>
> org.freedesktop.packagekit.package-install
> org.freedesktop.packagekit.system-update
> org.freedesktop.packagekit.system-sources-refresh
> org.freedesktop.packagekit.system-network-proxy-configure

Oh, you already seem to allow a lot of stuff out of the box. While none
of it looks like a root exploit, maybe it would be wise to lock down
further.

So I think we should at least require admin auth for installing packages
and messing around with configuring proxies. It is probably fine to
still allow signed system updates. Or maybe that involves configuring
proxies as well? I don't know.

> > - For this to be really useful, we need the User Account Editor that
> > Matthias wrote about here
>
> Yes, without a GUI, I don't think many people will know anything about
> desktop_admin_r, and just complain that PackageKit now asks for
> passwords a lot more than it used to.

That's my concern too. Maybe just add it as a FAQ for PackageKit and
also to the Fedora release notes.

> So, actions on my part:
>
> 1. Make the upstream packagekit policy actions more locked down
> 2. Add the 4 actions listed above to the PolicyKit rpm list
> 3. Profit?

Sounds like a plan.

David