On Mon, Jul 01, 2024 at 09:52:59PM +0100, Aoife Moloney wrote:
> Wiki - https://fedoraproject.org/wiki/Changes/UnprivilegedDiskManagement
> Discussion thread -
> https://discussion.fedoraproject.org/t/f42-change-proposal-unprivileged-disk-management-system-wide/124334
>
> This is a proposed Change for Fedora Linux.
> This document represents a proposed Change. As part of the Changes
> process, proposals are publicly announced in order to receive
> community feedback. This proposal will only be implemented if approved
> by the Fedora Engineering Steering Committee.
>
> == Summary ==
> This proposal adds a new dedicated `diskadmin` group, allowing users
> to manage external drives without needing to be in the `wheel` group.

You can use 'guestfish' to access drives without needing any
permissions at all outside your regular user account.

Rich.

> It will also enable wheel users to unlock and mount external drives
> without a password prompt.
>
> == Owner ==
> * Name: [[User:boredsquirrel| Henning]]
> * Email: boredsquirrel@xxxxxxxxxxxxxxxxxx
>
>
>
>
> == Detailed Description ==
> Currently, to mount or (LUKS) unlock external drives, users need to be
> in the `wheel` group. Removing a user from the wheel group would
> prevent them from using external drives.
>
> This enables an "admin" permission that is not tied to full root
> access on the host system.
>
> It will be a change of the polkit rule `org.freedesktop.udisks2.rules`
> like following:
>
> <pre>
> polkit.addRule(function(action, subject) {
>     if ((action.id == "org.freedesktop.udisks2.encrypted-unlock-system" ||
>          action.id == "org.freedesktop.udisks2.filesystem-mount-system") &&
>         subject.active == true && subject.local == true && (
>         subject.isInGroup("diskadmin") || subject.isInGroup("wheel"))) {
>         return polkit.Result.YES;
>     }
> });
> </pre>
>
> == Feedback ==
> none yet
>
> == Benefit to Fedora ==
> This is a step towards the Confined Users goal. It enables a dedicated
> action, the mounting and unlocking of external drives, without needing
> all the other privileges that `wheel` users have.
>
> == Scope ==
> * Proposal owners: changing a single rule, testing with nonwheel users
> in the `diskadmin` group on GNOME and KDE
>
> * Other developers: N/A
>
> * Release engineering: [https://pagure.io/releng/issues #Releng issue number]
>
> * Policies and guidelines: Documentation needs to get an additional
> chapter on disk management with the `diskadmin` group.
>
> * Trademark approval: N/A (not needed for this Change)
>
> * Alignment with the Fedora Strategy: Not sure, as it adds a
> nonstandard user group.
>
>
> == Upgrade/compatibility impact ==
> The polkit rule will be added, users will not need to enter a password
> if they are in these groups. No changes for users outside these
> groups.
>
>
> == How To Test ==
> On Atomic or traditional Fedora, place the above rule in
> `/etc/polkit-1/rules.d/80-org.freedesktop.udisks2.rules`.
>
> This will be preferred over the default rule and you can test if it works.
>
> == User Experience ==
> By default, Anaconda puts users into the `wheel` group. These users
> will not need to enter a password when mounting external media or
> unlocking them.
>
> It also allows to do these actions without being in the `wheel`
> group, by adding a user to the `diskadmin` group.
>
> == Dependencies ==
>
> None
>
> == Contingency Plan ==
>
> * Contingency mechanism: this is a simple fix, not adding it will keep
> the previous wheel need
> * Contingency deadline: N/A
> * Blocks release? N/A
>
>
> == Documentation ==
> Will be added afterwards.
>
> Nonwheel users can be added to the `diskadmin` group:
>
>
> sudo groupadd diskadmin
> sudo usermod -aG diskadmin USERNAME
>
>
>
> == Release Notes ==
> Users in the 'wheel' or 'diskadmin' group can mount and unlock
> external drives without a password.
>
>
> --
> Aoife Moloney
>
> Fedora Operations Architect
>
> Fedora Project
>
> Matrix: @amoloney:fedora.im
>
> IRC: amoloney
>
> --
> _______________________________________________
> devel-announce mailing list -- devel-announce@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to devel-announce-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/devel-announce@xxxxxxxxxxxxxxxxxxxxxxx
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
> --
> _______________________________________________
> devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue

--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-top is 'top' for virtual machines.  Tiny program with many
powerful monitoring features, net stats, disk stats, logging, etc.
http://people.redhat.com/~rjones/virt-top
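
The decision logic of the polkit rule quoted in the proposal, exercised outside polkitd as an added example (not part of the original thread or the proposal). The `polkit` object, `makeSubject`, `evaluate`, the `"fall-through"` marker and the `org.example.other-action` id are stand-ins constructed here; only the rule body comes from the quoted text.

```javascript
// Stand-in for the parts of polkitd's rule API that the quoted rule uses.
const rules = [];
const polkit = { Result: { YES: "yes" }, addRule: (fn) => rules.push(fn) };

// The rule as quoted in the proposal.
polkit.addRule(function(action, subject) {
    if ((action.id == "org.freedesktop.udisks2.encrypted-unlock-system" ||
         action.id == "org.freedesktop.udisks2.filesystem-mount-system") &&
        subject.active == true && subject.local == true && (
        subject.isInGroup("diskadmin") || subject.isInGroup("wheel"))) {
        return polkit.Result.YES;
    }
});

// Constructed subject with only the properties the rule reads.
function makeSubject(groups, { local = true, active = true } = {}) {
  return { local, active, isInGroup: (g) => groups.includes(g) };
}

// Run the rules in order; a rule that returns nothing leaves the decision
// to later rules and the action's default policy ("fall-through" here).
function evaluate(actionId, subject) {
  for (const rule of rules) {
    const result = rule({ id: actionId }, subject);
    if (result !== undefined && result !== null) return result;
  }
  return "fall-through";
}

const MOUNT = "org.freedesktop.udisks2.filesystem-mount-system";
const UNLOCK = "org.freedesktop.udisks2.encrypted-unlock-system";
const OTHER = "org.example.other-action"; // constructed placeholder id

// Decision table for the cases the proposal talks about.
function decisionTable() {
  return {
    diskadminMount: evaluate(MOUNT, makeSubject(["diskadmin"])),
    diskadminUnlock: evaluate(UNLOCK, makeSubject(["diskadmin"])),
    wheelMount: evaluate(MOUNT, makeSubject(["wheel"])),
    noGroupMount: evaluate(MOUNT, makeSubject(["users"])),
    remoteDiskadmin: evaluate(MOUNT, makeSubject(["diskadmin"], { local: false })),
    inactiveDiskadmin: evaluate(MOUNT, makeSubject(["diskadmin"], { active: false })),
    diskadminOther: evaluate(OTHER, makeSubject(["diskadmin"])),
  };
}

console.log(decisionTable());
```

Only local, active sessions of `diskadmin` or `wheel` members get a password-free `YES`, and only for the two listed action ids; every other case is left to whatever later rules and the action's defaults decide.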