Description of problem: You should default to not save for the session and only for this session buttons. Administrators should be forced to click retain for the session and turn off only for this session. That way clicking the ok button is not insecure by default.
*** Bug 470330 has been marked as a duplicate of this bug. ***
I can specify that I want the authorizations for my actions retainable forever, for the session or not at all (depending on whether or not the user is in a session, whether it is active or not, etc.). To my knowledge, there is no way I can say that it should offer the possibility to retain, but not select it by default, and this is intentionally so, see http://lists.freedesktop.org/archives/polkit-devel/2008-July/000019.html for the reasoning. If it is possible to specify defaults different from that, I'd like to learn about it. Changing component to PolicyKit.
Nils, I talked to Jon Blandford and David Z and we came to the conclusion that you should just give them the right to hold to the end of the session. Admin Authentication I think is the correct one. So I run system-config-*, I give the Root Password, and when system-config-* exits I lose the authentication, requiring me to reauthenticate next time I run the app.
Does this require policy changes, or code changes as well? Has anyone crafted a patch to policy/etc. for this?
This requires policy changes, not code. As it is now, for potentially harmful operations (i.e. something that changes the system instead of only retrieving information), I don't consider it safe to retain authorizations (be it for the remainder of the session or else) so I've changed the default policy for both -services and -samba to "auth_admin" which ties the authorization to that specific process. New versions have built or are building right now and I'll try to get them in for f10-final. This still needs some scrutiny from the PolicyKit POV, i.e. what to do about {user,admin}_keep_{session,always}.
Daniel, is this bug specifically about system-config-{samba,services} defaulting to retain authentication permanently? Can we close once we have builds for those two packages? If not - when does this stop being a blocker for F10 release?
Tags requested for new s-c-{samba,services} packages. Moving to MODIFIED.
Yes this is specific to the two packages.
Good deal. Packages built, signed and tagged: system-config-services-0.99.27-1.fc10 system-config-samba-1.2.67-1.fc10
(In reply to comment #8)
> Yes this is specific to the two packages.

No, it's not: I changed the PK default policy for both from auth_admin_keep_always to auth_admin only as a workaround. Using auth_admin limits the authorization to a specific running process and seemed the only sane way to save users from inadvertently opening up the ability to manipulate services/samba to every program the user is running (we were talking about malware in that context). At the moment, auth_{user,admin}_keep_{session,always} don't make much sense to me because either an action is innocent enough to not require any more credentials than already being in an authenticated session, or if it's not, it's too dangerous to keep the authentication because there's no way to keep potential malware from abusing it. Shall I open up a new Bugzilla for that or can we just recycle this one? This is something that should be solved by F11/RHEL6.
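The two defaults contrasted in the comments above, side by side, as an added example in the PolicyKit 0.x .policy file format. This is not a file from the system-config-services or system-config-samba packages; the vendor, action ids, description and message strings are placeholders, and the explanatory comments restate what the comments in this bug say about each setting.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
 "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd">
<policyconfig>
  <!-- Placeholder vendor; a real package would name its project here. -->
  <vendor>Example Project (placeholder)</vendor>

  <!-- BEFORE (placeholder action id): auth_admin_keep_always.
       After the admin password is entered once, the authorization is kept
       for the user indefinitely, and the dialog offers that retention by
       default. Any later process running as that user, including one the
       user did not intend to trust, can then trigger the action without
       being prompted again. -->
  <action id="org.example.config.services.before">
    <description>Manage system services (weak default, placeholder)</description>
    <message>Authentication is required to manage system services</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin_keep_always</allow_active>
    </defaults>
  </action>

  <!-- AFTER (placeholder action id): auth_admin.
       The authorization is bound to the single process that was
       authenticated and goes away when that process exits, so the next
       run of the tool prompts for the admin password again and no other
       process inherits the grant. -->
  <action id="org.example.config.services.after">
    <description>Manage system services (hardened default, placeholder)</description>
    <message>Authentication is required to manage system services</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin</allow_active>
    </defaults>
  </action>
</policyconfig>
```

The only line that differs between the two stanzas is the `allow_active` value. `auth_admin_keep_session` would sit between the two: the grant outlives the authenticated process but ends with the login session, which is the "hold to the end of the session" behaviour comment #4 describes and the process-bound `auth_admin` the workaround in the comment above chose instead.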
"...it's too dangerous to keep the authorization..." obviously
New bug, please.
Always this security paranoia... If people want to retain their authorization forever, they should be allowed to (no matter how insecure it is), it's their system (or else they can't authenticate with the root password in the first place!).
There is nothing preventing them from going in and doing just what you want. They can log in as root, run with no password. I don't care. But we, Fedora, should not make it easy for them to do this by mistake.