Bug 688363 - Administrator SNAFU
Summary: Administrator SNAFU
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: distribution
Version: 15
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Bill Nottingham
QA Contact: Bill Nottingham
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-03-16 21:27 UTC by David Zeuthen
Modified: 2014-03-17 03:26 UTC (History)
4 users (show)

Fixed In Version: polkit-0.101-3.fc15
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-03-22 03:49:54 UTC


Attachments (Terms of Use)
0001-Use-desktop_admin_r-group-for-admin-users-688363.patch (1.01 KB, patch)
2011-03-16 21:50 UTC, Will Woods
no flags Details | Diff

Description David Zeuthen 2011-03-16 21:27:15 UTC
For a while, "Administator" in the GNOME accounts dialog means "member of the desktop_admin_r" group. Membership of that group means

 - PolicyKit will never ask for the root password - it will use users
   in said group instead when admin authentication is needed

 - It will give some more privileges to users in that group

See the polkit-desktop-policy package for details. Also see the polkit docs for more information about PolicyKit

 http://hal.freedesktop.org/docs/polkit/polkit.8.html
 http://hal.freedesktop.org/docs/polkit/pkexec.1.html

Specifically, being a member of the desktop_admin_r groups means that the following works

 [davidz@satan ~]$ pkexec bash
 ==== AUTHENTICATING FOR org.freedesktop.policykit.exec ===
 Authentication is needed to run `/bin/bash' as the super user
 Authenticating as: David Zeuthen (davidz)
 Password: 
 ==== AUTHENTICATION COMPLETE ===
 [root@satan ~]# 

 (a graphical dialog is used if in a supported graphical environment)

Additionally, firstboot recently gained check button that reads "Administrator" which, if clicked, puts the user in the wheel group. Additionally, the sudo config now allows users in the wheel group, once authenticated, to run commands as uid 0. Specifically,

 [davidz@satan ~]$ sudo bash
 [sudo] password for davidz: 
 [root@satan davidz]# 

works.

I think it's highly problematic that we are using the word Administrator in different ways. I think this is a release blocker.

Comment 1 David Zeuthen 2011-03-16 21:32:10 UTC
We can do one of two things

 1. change GNOME accounts dialog (and its system D-Bus service) and the
    polkit-desktop-policy pakcage to use the wheel group instead of
    desktop_admin_r

 2. change firstboot to use desktop_admin_r

(Also, it's worth nothing that consolehelper isn't picking up the sudo stuff so it will continue to ask you for the root password...)

Comment 2 David Zeuthen 2011-03-16 21:46:08 UTC
Btw, my suggestion would be to do 1. - it's just simpler and works out of the box... But.. there's the risk that some people might be upset that member of 'wheel' means that some system administration tasks (like updating the system with trusted signed OS vendor packages from a local console) can be carried out without authentication. But these people can of course override AdminIdenties by dropping a file in /etc/polkit-1/localauthority.conf.d/ ...

Comment 3 Will Woods 2011-03-16 21:50:20 UTC
Created attachment 485855 [details]
0001-Use-desktop_admin_r-group-for-admin-users-688363.patch

Is there any reason we can't do both? The attached patch would put the user into both groups.

Comment 4 Bill Nottingham 2011-03-16 21:55:50 UTC
Well, you'd still have accountsservice only touching desktop_admin_r.

Note that overriding AdminIdentities breaks accountsservice/control-center, unless I'm misreading the code. (https://bugs.freedesktop.org/show_bug.cgi?id=35368)

Comment 5 David Zeuthen 2011-03-16 22:00:21 UTC
(In reply to comment #3)
> Created attachment 485855 [details]
> 0001-Use-desktop_admin_r-group-for-admin-users-688363.patch
> 
> Is there any reason we can't do both? The attached patch would put the user
> into both groups.

What happens if someone goes into the GNOME account tool and changes the type from "Administrator" to "Standard"? I mean, the user will no longer be in desktop_admin_r but will still be in wheel... which I think is too surprising and confusing...

It's much easier if we only have a single bit for "user is admin" (in the default install). Historically that bit has been the 'wheel' group (more or less).. it would be nice to just keep using that group for the polkit stuff.

(It would probably be helpful to study in detail how the 'wheel' group has been used and what expectations there are to the group...)

Comment 6 David Zeuthen 2011-03-17 13:44:14 UTC
Talked to mclasen this morning and decided to work on patches for accountsservice, control-center and polkit-desktop-policy to switch to use the wheel group instead of the desktop_admin_r and desktop_user_r group.

(Btw, in the process we will nuke the "Supervised" account type from GNOME's accounts panel as well (since nothing is currently using it - it has no effect and is therefore misleading to the user).)

Comment 7 David Zeuthen 2011-03-17 14:40:18 UTC
accountsservice patch: https://bugs.freedesktop.org/show_bug.cgi?id=35390
control-center patch: https://bugzilla.gnome.org/show_bug.cgi?id=645025

Comment 9 David Zeuthen 2011-03-17 14:49:51 UTC
polkit build here: http://koji.fedoraproject.org/koji/taskinfo?taskID=2920142

When we have accountsservice and control-center packages, I'll file an update for all three packages. Thanks.

Comment 10 David Zeuthen 2011-03-17 14:56:11 UTC
(In reply to comment #9)
> polkit build here: http://koji.fedoraproject.org/koji/taskinfo?taskID=2920142
> 
> When we have accountsservice and control-center packages, I'll file an update
> for all three packages. Thanks.

Updated polkit build that fixes a typo pointed out by Bill:

 http://koji.fedoraproject.org/koji/taskinfo?taskID=2920175

Comment 11 Fedora Update System 2011-03-17 21:28:04 UTC
polkit-0.101-3.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/polkit-0.101-3.fc15

Comment 12 Fedora Update System 2011-03-22 03:49:49 UTC
polkit-0.101-3.fc15, accountsservice-0.6.6-1.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.