| Summary: | pklocalauthority: unable to block access for all users except certain group members | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Chris Mackowski <cmackows> |
| Component: | polkit | Assignee: | Miloslav Trmač <mitr> |
| Status: | CLOSED ERRATA | QA Contact: | Martin Žember <mzember> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 6.2 | CC: | cww, ebenes, jjennings, ksrot, mitr, mzember, ngreene, pvn |
| Target Milestone: | rc | Keywords: | FutureFeature |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | polkit-0.96-6.el6 | Doc Type: | Enhancement |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2014-10-14 07:27:34 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Bug Depends On: | |||
| Bug Blocks: | 782183, 835616, 947781, 994246 | ||
|
Description
Chris Mackowski
2012-04-15 23:49:04 UTC
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unable to address this
request at this time.
Red Hat invites you to ask your support representative to
propose this request, if appropriate, in the next release of
Red Hat Enterprise Linux.
Chris, according to pklocalauthority(8), "For each group identity, the authorization entries are consulted in order ... Finally, the authorization entries are consulted using the user identity in the same manner. Note that processing continues even after a match." I think this means that any rule you write with Identity=unix-user:(something), that matches the user, will trump every rule you write with Identity=unix-group:(something) matching a group the user is in -- which appears to be what you observed. You could take advantage of the fact that every Unix user is in at least one Unix group, and deny authorization for unix-group:* (rather than unix-user:*), then allow it for unix-group:the-cool-people. That may work, and it's what I'm about to try at my site.

Also according to pklocalauthority(8) you should probably put your files under /etc/polkit-1 rather than /var/lib/polkit-1.

Denying everyone but allowing a group is common enough that it should possibly be talked about before the existing example in pklocalauthority(8) about including a group but excluding some individuals. In fact, here in the DoD, I'm not supposed to grant or deny permissions to any individual user at all, but instead use groups or roles. So I'll probably never write "Identity=unix-user:bla" matches at all.

Hi Matthias,

Can you give me your thoughts on the progress and current status of BZ? The customer asked about it 2 weeks in a row but I did not have a status for them. Any info that you can share would be helpful.

Thanks.
- Nick Greene

Thank you for submitting this issue for consideration in Red Hat Enterprise Linux. This request will be considered in a future release of Red Hat Enterprise Linux.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1533.html
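The comment above reads the pklocalauthority(8) evaluation order as "all group identities first, entries in file order, then the user identity, later match wins". The script below is an added example, not code from polkit or from anyone in this bug: it models exactly that order over two small .pkla policies, the unix-user:* deny that the reporter found did not work and the unix-group:* workaround the comment proposes. The action id org.example.manage, the users alice and bob, the group names, and the restriction to an active session (only ResultActive is consulted) are all assumptions made for the example. The fourth case is a consequence of the modeled order rather than anything stated on the page: if the group list hands the-cool-people to the evaluator before another group the user is in, the unix-group:* deny is re-applied in that later group's pass and wins, so a real deployment should be checked with pkcheck(1) for each group ordering that occurs.

```python
"""Toy model of the pklocalauthority(8) evaluation order quoted above.

Added example, not code from polkit or from the bug report.  Assumptions
(mine, not the page's): a single .pkla file; an active local session, so
only ResultActive is consulted; identities are globbed against the
"unix-user:NAME" / "unix-group:NAME" string form; the action id, user
names and group names below are made up.
"""
import configparser
from fnmatch import fnmatchcase

# Which Result* key applies to the subject's session state.
RESULT_KEYS = {"active": "ResultActive", "inactive": "ResultInactive", "any": "ResultAny"}

ACTION = "org.example.manage"   # hypothetical action id

# Policy as reported not to work: the unix-user:* deny is consulted in the
# final (user) pass and overrides the earlier group allow.  (Constructed.)
BROKEN = """\
[Deny everyone]
Identity=unix-user:*
Action=org.example.manage
ResultActive=no

[Allow the cool people]
Identity=unix-group:the-cool-people
Action=org.example.manage
ResultActive=yes
"""

# Workaround from the comment: deny on unix-group:* instead, so both entries
# are decided in the group pass and the allow comes later in the file.
WORKING = BROKEN.replace("Identity=unix-user:*", "Identity=unix-group:*")


def parse_pkla(text):
    """Parse .pkla text into entries, preserving file order (which matters)."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep key case so "ResultActive" is found as written
    cp.read_string(text)
    entries = []
    for name in cp.sections():
        sec = cp[name]
        entries.append({
            "name": name,
            "identities": [p.strip() for p in sec.get("Identity", "").split(";") if p.strip()],
            "actions": [p.strip() for p in sec.get("Action", "").split(";") if p.strip()],
            "results": {k: sec[k] for k in RESULT_KEYS.values() if k in sec},
        })
    return entries


def evaluate(entries, user, groups, action, session="active"):
    """Return (result, trace): the Result* value of the LAST matching entry.

    Order follows the man page text: every group identity first, in the
    order given, consulting all entries in file order for each; then the
    user identity.  A match does not stop processing, so a later match wins.
    """
    key = RESULT_KEYS[session]
    identities = ["unix-group:" + g for g in groups] + ["unix-user:" + user]
    result, trace = None, []
    for ident in identities:
        for entry in entries:
            if not any(fnmatchcase(ident, pat) for pat in entry["identities"]):
                continue
            if not any(fnmatchcase(action, pat) for pat in entry["actions"]):
                continue
            if key not in entry["results"]:   # entry is silent for this session state
                continue
            result = entry["results"][key]
            trace.append((ident, entry["name"], result))
    return result, trace


if __name__ == "__main__":
    cases = [
        ("BROKEN", BROKEN, "alice", ["users", "the-cool-people"]),
        ("WORKING", WORKING, "alice", ["users", "the-cool-people"]),
        ("WORKING", WORKING, "bob", ["users"]),
        # Same user, groups handed over in the other order: the later "users"
        # pass re-applies the unix-group:* deny.
        ("WORKING", WORKING, "alice", ["the-cool-people", "users"]),
    ]
    for label, policy, user, groups in cases:
        result, trace = evaluate(parse_pkla(policy), user, groups, ACTION)
        print(label, user, groups, "->", result, trace)
```

The trace returned by evaluate shows which identity pass produced each intermediate result, which is the quickest way to see why a user-level entry always lands last. On a real RHEL 6 host the file would live under /etc/polkit-1 as the comment notes, and the decision should be confirmed with pkcheck(1) for a process running as the user in question rather than inferred from this model.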