Re: F42 Change Proposal: Unprivileged Disk Management (system-wide)

On Mon, Jul 01, 2024 at 09:52:59PM +0100, Aoife Moloney wrote:
> Wiki - https://fedoraproject.org/wiki/Changes/UnprivilegedDiskManagement
> Discussion thread -
> https://discussion.fedoraproject.org/t/f42-change-proposal-unprivileged-disk-management-system-wide/124334
> 
> This is a proposed Change for Fedora Linux.
> This document represents a proposed Change. As part of the Changes
> process, proposals are publicly announced in order to receive
> community feedback. This proposal will only be implemented if approved
> by the Fedora Engineering Steering Committee.
> 
> == Summary ==
> This proposal adds a new dedicated `diskadmin` group, allowing users
> to manage external drives without needing to be in the `wheel` group.

You can use 'guestfish' to access drives without needing any
permissions at all outside your regular user account.

Rich.

> It will also enable wheel users to unlock and mount external drives
> without a password prompt.
> 
> == Owner ==
> * Name: [[User:boredsquirrel| Henning]]
> * Email: boredsquirrel@xxxxxxxxxxxxxxxxxx
> 
> 
> 
> 
> == Detailed Description ==
> Currently, to mount or (LUKS) unlock external drives, users need to be
> in the `wheel` group. Removing a user from the wheel group would
> prevent them from using external drives.
> 
> This enables an "admin" permission that is not tied to full root
> access on the host system.
> 
> It will be a change of the polkit rule `org.freedesktop.udisks2.rules`
> like the following:
> 
> <pre>
> polkit.addRule(function(action, subject) {
>     if ((action.id == "org.freedesktop.udisks2.encrypted-unlock-system" ||
>         action.id == "org.freedesktop.udisks2.filesystem-mount-system") &&
>         subject.active == true && subject.local == true && (
>         subject.isInGroup("diskadmin") || subject.isInGroup("wheel"))) {
>         return polkit.Result.YES;
>     }
> });
> </pre>
> 
> == Feedback ==
> none yet
> 
> == Benefit to Fedora ==
> This is a step towards the Confined Users goal. It enables a dedicated
> action, the mounting and unlocking of external drives, without needing
> all the other privileges that `wheel` users have.
> 
> == Scope ==
> * Proposal owners: changing a single rule, testing with nonwheel users
> in the `diskadmin` group on GNOME and KDE
> 
> * Other developers: N/A
> 
> * Release engineering: [https://pagure.io/releng/issues #Releng issue number]
> 
> * Policies and guidelines: Documentation needs to get an additional
> chapter on disk management with the `diskadmin` group.
> 
> * Trademark approval: N/A (not needed for this Change)
> 
> * Alignment with the Fedora Strategy: Not sure, as it adds a
> nonstandard user group.
> 
> 
> == Upgrade/compatibility impact ==
> The polkit rule will be added, users will not need to enter a password
> if they are in these groups. No changes for users outside these
> groups.
> 
> 
> == How To Test ==
> On Atomic or traditional Fedora, place the above rule in
> `/etc/polkit-1/rules.d/80-org.freedesktop.udisks2.rules`.
> 
> This will be preferred over the default rule and you can test if it works.
> 
> == User Experience ==
> By default, Anaconda puts users into the `wheel` group. These users
> will not need to enter a password when mounting external media or
> unlocking them.
> 
> It also allows doing these actions without being in the `wheel`
> group, by adding a user to the `diskadmin` group.
> 
> == Dependencies ==
> 
> None
> 
> == Contingency Plan ==
> 
> * Contingency mechanism: this is a simple fix, not adding it will keep
> the previous wheel need
> * Contingency deadline: N/A
> * Blocks release? N/A
> 
> 
> == Documentation ==
> Will be added afterwards.
> 
> Nonwheel users can be added to the `diskadmin` group:
> 
> 
>   sudo groupadd diskadmin
>   sudo usermod -aG diskadmin USERNAME
> 
> 
> 
> == Release Notes ==
> Users in the 'wheel' or 'diskadmin' group can mount and unlock
> external drives without a password.
> 
> 
> -- 
> Aoife Moloney
> 
> Fedora Operations Architect
> 
> Fedora Project
> 
> Matrix: @amoloney:fedora.im
> 
> IRC: amoloney
> 
> -- 
> _______________________________________________
> devel-announce mailing list -- devel-announce@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to devel-announce-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/devel-announce@xxxxxxxxxxxxxxxxxxxxxxx
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
> -- 
> _______________________________________________
> devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-top is 'top' for virtual machines.  Tiny program with many
powerful monitoring features, net stats, disk stats, logging, etc.
http://people.redhat.com/~rjones/virt-top
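
The polkit rule quoted in the proposal can be exercised outside polkitd to see which subjects it actually decides for. This is an added example, not part of the original thread: the `polkit` object, `makeSubject`, `evaluate` and `decisions` are stand-ins constructed here, and the sample subjects are constructed.

```javascript
// Minimal stand-in for the polkit rule environment (not polkitd itself).
const rules = [];
const polkit = {
  Result: { YES: "yes", NO: "no", AUTH_ADMIN: "auth_admin" },
  addRule(fn) { rules.push(fn); },
};

// The rule exactly as quoted in the proposal.
polkit.addRule(function(action, subject) {
    if ((action.id == "org.freedesktop.udisks2.encrypted-unlock-system" ||
        action.id == "org.freedesktop.udisks2.filesystem-mount-system") &&
        subject.active == true && subject.local == true && (
        subject.isInGroup("diskadmin") || subject.isInGroup("wheel"))) {
        return polkit.Result.YES;
    }
});

// Constructed subject carrying only the properties the rule reads.
function makeSubject(groups, active, local) {
  return { active, local, isInGroup: (g) => groups.includes(g) };
}

// The first rule that returns a value decides. null means no rule decided,
// so polkit would fall back to the action's default policy (password prompt).
function evaluate(actionId, subject) {
  for (const rule of rules) {
    const result = rule({ id: actionId }, subject);
    if (result !== undefined && result !== null) return result;
  }
  return null;
}

const MOUNT = "org.freedesktop.udisks2.filesystem-mount-system";
const UNLOCK = "org.freedesktop.udisks2.encrypted-unlock-system";
const OTHER = "org.freedesktop.udisks2.modify-device"; // not named by the rule

// Decision table over constructed sessions.
function decisions() {
  return {
    diskadminLocal: evaluate(MOUNT, makeSubject(["diskadmin"], true, true)),
    wheelLocal: evaluate(UNLOCK, makeSubject(["wheel"], true, true)),
    diskadminRemote: evaluate(MOUNT, makeSubject(["diskadmin"], true, false)),
    diskadminInactive: evaluate(MOUNT, makeSubject(["diskadmin"], false, true)),
    plainUser: evaluate(MOUNT, makeSubject(["users"], true, true)),
    otherAction: evaluate(OTHER, makeSubject(["diskadmin"], true, true)),
  };
}

console.log(decisions());
```

Only the first two cases return `yes`; remote or inactive sessions, users outside both groups, and any other udisks2 action are left to the default policy.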
