--- /dev/null
+title: PolicyKit and Administration
+linktitle: polkit-admin
+parent: 2012-08
+ctime: 2012-08-16
+mtime: 2012-08-16
+
+Finally got around to looking into an issue I saw with Ubuntu 11.10 and 12.04.
+These versions have PolicyKit rules that allow updating of software by users
+in the admin and sudo groups without asking for an administrative password.
+The logic is that administrative users know what they are doing, and that
+installing new software still requires a password. And of course, users who
+do not understand all this stuff are better to be effectively remotely
+administrated by the Ubuntu team, via what gets pushed to the repositories.
+
+I get the rationale, but personally am not too fond of it. Perhaps this is
+simply due to expectations brought on by nearly 30 years of POSIX like operating
+systems experience. Thankfully the behavior is easily configurable, by changing
+the instructions used by PolicyKit.
+
+The PolicyKit instructions for software updates and similar behaviors are found
+in the file
+`/var/lib/polkit-1/localauthority/10-vendor.d/com.ubuntu.desktop.pkla`. Rather
+than change this file, copy this file to the local directory at
+`/etc/polkit-1/localauthority/50-local.d/`, giving it the same name.
+
+ sudo /var/lib/polkit-1/localauthority/10-vendor.d/com.ubuntu.desktop.pkla \
+ /etc/polkit-1/localauthority/50-local.d/
+
+Next, edit the new file
+`/etc/polkit-1/localauthority/50-local.d/com.ubuntu.desktop.pkla`. Remove the
+entries for which you wish no change in behavior, then update those remaining
+as desired. In my case, with a notebook computer, I elected to require an
+administrative password for editing system-wide network connections, updating
+already installed software, using the USB creator, and performing printer
+administration. Say I am at a customer site and step away from my notebook
+computer for a moment, forgetting first to lock the screen. These changes
+prevent a host of unwanted changes, that might just be the kind of joke a few of
+my customers might want to play on me!
+
+For reference, here is my resulting
+`/etc/polkit-1/localauthority/50-local.d/com.ubuntu.desktop.pkla` file.
+
+ [Adding or changing system-wide NetworkManager connections]
+ Identity=unix-group:admin;unix-group:sudo
+ Action=org.freedesktop.NetworkManager.settings.modify.system
+ ResultActive=auth_admin
+
+ [Update already installed software]
+ Identity=unix-group:admin;unix-group:sudo
+ Action=org.debian.apt.upgrade-packages
+ ResultActive=auth_admin
+
+ [usb-creator]
+ Identity=unix-group:admin;unix-group:sudo
+ Action=com.ubuntu.usbcreator.mount;com.ubuntu.usbcreator.image
+ ResultActive=auth_admin
+
+ [Printer administration]
+ Identity=unix-group:lpadmin;unix-group:admin;unix-group:sudo
+ Action=org.opensuse.cupspkhelper.mechanism.*
+ ResultActive=auth_admin
+
+The direct solution was found
+[here](https://lists.ubuntu.com/archives/ubuntu-users/2011-October/252871.html).
+Other useful links include the PolicyKit manual
+[configuration](http://hal.freedesktop.org/docs/PolicyKit/polkit-conf.html)
+section and the
+[Arch wiki page for PolicyKit](https://wiki.archlinux.org/index.php/PolicyKit).
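Review bot: The copy step in the post, the line starting `sudo /var/lib/polkit-1/localauthority/10-vendor.d/com.ubuntu.desktop.pkla \`, is missing the `cp` command. As written, sudo would try to execute the vendor .pkla file instead of copying it into `/etc/polkit-1/localauthority/50-local.d/`. The line should begin with `sudo cp` so it matches the surrounding text, which tells the reader to copy the file and keep the same name. A reader pasting the current command will get an error and may fall back to editing the vendor file in `10-vendor.d` directly, which is exactly what the post advises against.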