F42 Change Proposal: Unprivileged Disk Management (system-wide)

Wiki - https://fedoraproject.org/wiki/Changes/UnprivilegedDiskManagement
Discussion thread -
https://discussion.fedoraproject.org/t/f42-change-proposal-unprivileged-disk-management-system-wide/124334

This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes
process, proposals are publicly announced in order to receive
community feedback. This proposal will only be implemented if approved
by the Fedora Engineering Steering Committee.

== Summary ==
This proposal adds a new dedicated `diskadmin` group, allowing users
to manage external drives without needing to be in the `wheel` group.

It will also enable wheel users to unlock and mount external drives
without a password prompt.

== Owner ==
* Name: [[User:boredsquirrel| Henning]]
* Email: boredsquirrel@xxxxxxxxxxxxxxxxxx




== Detailed Description ==
Currently, to mount or (LUKS) unlock external drives, users need to be
in the `wheel` group. Removing a user from the wheel group would
prevent them from using external drives.

This enables an "admin" permission that is not tied to full root
access on the host system.

The polkit rule `org.freedesktop.udisks2.rules` will be changed as
follows:

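<pre>
// Allow unlocking and mounting of system-level devices without a password
// prompt, but only for an active, local session whose user is in the
// `diskadmin` or `wheel` group. Any other request falls through to the
// next rule or to the action's default policy.
polkit.addRule(function(action, subject) {
    if ((action.id == "org.freedesktop.udisks2.encrypted-unlock-system" ||
        action.id == "org.freedesktop.udisks2.filesystem-mount-system") &&
        subject.active == true && subject.local == true && (
        subject.isInGroup("diskadmin") || subject.isInGroup("wheel"))) {
        return polkit.Result.YES;
    }
});
</pre>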

== Feedback ==
none yet

== Benefit to Fedora ==
This is a step towards the Confined Users goal. It enables a dedicated
action, the mounting and unlocking of external drives, without needing
all the other privileges that `wheel` users have.

== Scope ==
* Proposal owners: changing a single rule, testing with nonwheel users
in the `diskadmin` group on GNOME and KDE

* Other developers: N/A

* Release engineering: [https://pagure.io/releng/issues #Releng issue number]

* Policies and guidelines: Documentation needs to get an additional
chapter on disk management with the `diskadmin` group.

* Trademark approval: N/A (not needed for this Change)

* Alignment with the Fedora Strategy: Not sure, as it adds a
nonstandard user group.


== Upgrade/compatibility impact ==
The polkit rule will be added. Users in these groups will no longer
need to enter a password. Nothing changes for users outside these
groups.


== How To Test ==
On Atomic or traditional Fedora, place the above rule in
`/etc/polkit-1/rules.d/80-org.freedesktop.udisks2.rules`.

This file takes precedence over the default rule, so you can test whether it works.
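
The rule's decisions can also be checked offline before the file is installed. The following is an added example, not part of the proposal: it loads the rule from the proposal into a small stand-in for the polkit rule API and evaluates constructed requests. `makePolkit`, `makeSubject`, `decide` and the action id `org.example.constructed-action` are hypothetical names made up for this example.

```javascript
// Stand-in for the polkit rule API, enough to evaluate one rule outside
// polkitd. makePolkit, makeSubject and decide are hypothetical helpers.
function makePolkit() {
  const rules = [];
  return {
    Result: { YES: "yes" },
    addRule(fn) { rules.push(fn); },
    // Rules are asked in order; the first one that returns a value decides.
    // null means no rule decided, so the action's default policy applies.
    evaluate(action, subject) {
      for (const fn of rules) {
        const result = fn(action, subject);
        if (result !== undefined && result !== null) return result;
      }
      return null;
    },
  };
}

function makeSubject(groups, active, local) {
  return { groups, active, local, isInGroup: (g) => groups.includes(g) };
}

const polkit = makePolkit();

// Rule logic as given in the proposal.
polkit.addRule(function(action, subject) {
    if ((action.id == "org.freedesktop.udisks2.encrypted-unlock-system" ||
        action.id == "org.freedesktop.udisks2.filesystem-mount-system") &&
        subject.active == true && subject.local == true && (
        subject.isInGroup("diskadmin") || subject.isInGroup("wheel"))) {
        return polkit.Result.YES;
    }
});

const MOUNT = "org.freedesktop.udisks2.filesystem-mount-system";
const UNLOCK = "org.freedesktop.udisks2.encrypted-unlock-system";

// Evaluate one constructed request and return the rule's decision.
function decide(actionId, groups, active = true, local = true) {
  return polkit.evaluate({ id: actionId }, makeSubject(groups, active, local));
}

console.log({
  diskadminLocal: decide(MOUNT, ["diskadmin"]),               // "yes"
  diskadminRemote: decide(MOUNT, ["diskadmin"], true, false), // null
  plainUser: decide(MOUNT, ["users"]),                        // null
});
```

A `null` result means the rule did not decide, so a non-local or inactive session of a `diskadmin` member still gets whatever the default policy for that action requires.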

== User Experience ==
By default, Anaconda puts users into the `wheel` group. These users
will not need to enter a password when mounting external media or
unlocking them.

It also allows users to perform these actions without being in the
`wheel` group, by adding them to the `diskadmin` group.

== Dependencies ==

None

== Contingency Plan ==

* Contingency mechanism: this is a simple fix; not adding it keeps
the previous requirement of `wheel` membership
* Contingency deadline: N/A
* Blocks release? N/A


== Documentation ==
Will be added afterwards.

Nonwheel users can be added to the `diskadmin` group:


  sudo groupadd diskadmin
  sudo usermod -aG diskadmin USERNAME



== Release Notes ==
Users in the 'wheel' or 'diskadmin' group can mount and unlock
external drives without a password.


-- 
Aoife Moloney

Fedora Operations Architect

Fedora Project

Matrix: @amoloney:fedora.im

IRC: amoloney

-- 
_______________________________________________
devel-announce mailing list -- devel-announce@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-announce-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel-announce@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue