For a while, "Administator" in the GNOME accounts dialog means "member of the desktop_admin_r" group. Membership of that group means
- PolicyKit will never ask for the root password - it will use users
in said group instead when admin authentication is needed
- It will give some more privileges to users in that group
See the polkit-desktop-policy package for details. Also see the polkit docs for more information about PolicyKit
Specifically, being a member of the desktop_admin_r groups means that the following works
[davidz@satan ~]$ pkexec bash
==== AUTHENTICATING FOR org.freedesktop.policykit.exec ===
Authentication is needed to run `/bin/bash' as the super user
Authenticating as: David Zeuthen (davidz)
==== AUTHENTICATION COMPLETE ===
(a graphical dialog is used if in a supported graphical environment)
Additionally, firstboot recently gained check button that reads "Administrator" which, if clicked, puts the user in the wheel group. Additionally, the sudo config now allows users in the wheel group, once authenticated, to run commands as uid 0. Specifically,
[davidz@satan ~]$ sudo bash
[sudo] password for davidz:
I think it's highly problematic that we are using the word Administrator in different ways. I think this is a release blocker.
We can do one of two things
1. change GNOME accounts dialog (and its system D-Bus service) and the
polkit-desktop-policy pakcage to use the wheel group instead of
2. change firstboot to use desktop_admin_r
(Also, it's worth nothing that consolehelper isn't picking up the sudo stuff so it will continue to ask you for the root password...)
Btw, my suggestion would be to do 1. - it's just simpler and works out of the box... But.. there's the risk that some people might be upset that member of 'wheel' means that some system administration tasks (like updating the system with trusted signed OS vendor packages from a local console) can be carried out without authentication. But these people can of course override AdminIdenties by dropping a file in /etc/polkit-1/localauthority.conf.d/ ...
Created attachment 485855 [details]
Is there any reason we can't do both? The attached patch would put the user into both groups.
Well, you'd still have accountsservice only touching desktop_admin_r.
Note that overriding AdminIdentities breaks accountsservice/control-center, unless I'm misreading the code. (https://bugs.freedesktop.org/show_bug.cgi?id=35368)
(In reply to comment #3)
> Created attachment 485855 [details]
> Is there any reason we can't do both? The attached patch would put the user
> into both groups.
What happens if someone goes into the GNOME account tool and changes the type from "Administrator" to "Standard"? I mean, the user will no longer be in desktop_admin_r but will still be in wheel... which I think is too surprising and confusing...
It's much easier if we only have a single bit for "user is admin" (in the default install). Historically that bit has been the 'wheel' group (more or less).. it would be nice to just keep using that group for the polkit stuff.
(It would probably be helpful to study in detail how the 'wheel' group has been used and what expectations there are to the group...)
Talked to mclasen this morning and decided to work on patches for accountsservice, control-center and polkit-desktop-policy to switch to use the wheel group instead of the desktop_admin_r and desktop_user_r group.
(Btw, in the process we will nuke the "Supervised" account type from GNOME's accounts panel as well (since nothing is currently using it - it has no effect and is therefore misleading to the user).)
accountsservice patch: https://bugs.freedesktop.org/show_bug.cgi?id=35390
control-center patch: https://bugzilla.gnome.org/show_bug.cgi?id=645025
polkit changes are here: http://pkgs.fedoraproject.org/gitweb/?p=polkit.git;a=commitdiff;h=9fa422d5441f0d06e0b1d992cc3c270bc2c35c70
polkit build here: http://koji.fedoraproject.org/koji/taskinfo?taskID=2920142
When we have accountsservice and control-center packages, I'll file an update for all three packages. Thanks.
(In reply to comment #9)
> polkit build here: http://koji.fedoraproject.org/koji/taskinfo?taskID=2920142
> When we have accountsservice and control-center packages, I'll file an update
> for all three packages. Thanks.
Updated polkit build that fixes a typo pointed out by Bill:
polkit-0.101-3.fc15 has been submitted as an update for Fedora 15.
polkit-0.101-3.fc15, accountsservice-0.6.6-1.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.