From ed156ce88a903508cdccd587415b5de499712151 Mon Sep 17 00:00:00 2001 From: "R. Steve McKown" Date: Thu, 16 Aug 2012 08:47:27 -0600 Subject: [PATCH] Blog post polkit-admin --- in/blog/polkit-admin.md | 68 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 in/blog/polkit-admin.md diff --git a/in/blog/polkit-admin.md b/in/blog/polkit-admin.md new file mode 100644 index 0000000..cc4b919 --- /dev/null +++ b/in/blog/polkit-admin.md 
@@ -0,0 +1,68 @@ +title: PolicyKit and Administration +linktitle: polkit-admin +parent: 2012-08 +ctime: 2012-08-16 +mtime: 2012-08-16 + +Finally got around to looking into an issue I saw with Ubuntu 11.10 and 12.04. +These versions have PolicyKit rules that allow updating of software by users +in the admin and sudo groups without asking for an administrative password. +The logic is that administrative users know what they are doing, and that +installing new software still requires a password. And of course, users who +do not understand all this stuff are better to be effectively remotely +administrated by the Ubuntu team, via what gets pushed to the repositories. + +I get the rationale, but personally am not too fond of it. Perhaps this is +simply due to expectations brought on by nearly 30 years of POSIX like operating +systems experience. Thankfully the behavior is easily configurable, by changing +the instructions used by PolicyKit. + +The PolicyKit instructions for software updates and similar behaviors are found +in the file +`/var/lib/polkit-1/localauthority/10-vendor.d/com.ubuntu.desktop.pkla`. Rather +than change this file, copy this file to the local directory at +`/etc/polkit-1/localauthority/50-local.d/`, giving it the same name. + + sudo /var/lib/polkit-1/localauthority/10-vendor.d/com.ubuntu.desktop.pkla \ + /etc/polkit-1/localauthority/50-local.d/ + +Next, edit the new file +`/etc/polkit-1/localauthority/50-local.d/com.ubuntu.desktop.pkla`. Remove the +entries for which you wish no change in behavior, then update those remaining +as desired. In my case, with a notebook computer, I elected to require an +administrative password for editing system-wide network connections, updating +already installed software, using the USB creator, and performing printer +administration. Say I am at a customer site and step away from my notebook +computer for a moment, forgetting first to lock the screen. 
These changes +prevent a host of unwanted changes, that might just be the kind of joke a few of +my customers might want to play on me! + +For reference, here is my resulting +`/etc/polkit-1/localauthority/50-local.d/com.ubuntu.desktop.pkla` file. + + [Adding or changing system-wide NetworkManager connections] + Identity=unix-group:admin;unix-group:sudo + Action=org.freedesktop.NetworkManager.settings.modify.system + ResultActive=auth_admin + + [Update already installed software] + Identity=unix-group:admin;unix-group:sudo + Action=org.debian.apt.upgrade-packages + ResultActive=auth_admin + + [usb-creator] + Identity=unix-group:admin;unix-group:sudo + Action=com.ubuntu.usbcreator.mount;com.ubuntu.usbcreator.image + ResultActive=auth_admin + + [Printer administration] + Identity=unix-group:lpadmin;unix-group:admin;unix-group:sudo + Action=org.opensuse.cupspkhelper.mechanism.* + ResultActive=auth_admin + +The direct solution was found +[here](https://lists.ubuntu.com/archives/ubuntu-users/2011-October/252871.html). +Other useful links include the PolicyKit manual +[configuration](http://hal.freedesktop.org/docs/PolicyKit/polkit-conf.html) +section and the +[Arch wiki page for PolicyKit](https://wiki.archlinux.org/index.php/PolicyKit). -- 2.39.2
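Review bot: the copy command in the hunk is missing its executable; as written, `sudo /var/lib/polkit-1/localauthority/10-vendor.d/com.ubuntu.desktop.pkla \` followed by `/etc/polkit-1/localauthority/50-local.d/` asks sudo to execute the .pkla file with the target directory as its argument, which fails rather than copying anything. It should read `sudo cp /var/lib/polkit-1/localauthority/10-vendor.d/com.ubuntu.desktop.pkla /etc/polkit-1/localauthority/50-local.d/`. Two smaller points on the same hunk: the text says to put the copy in 50-local.d "rather than change this file" but never says why that works, so a sentence noting that the local authority reads its directories in numeric order and later ones (50-local.d) take precedence over the vendor entries (10-vendor.d) would make the override explicit; and since the stated threat is an unattended, unlocked session, it is worth saying that `ResultActive=auth_admin` was chosen over `auth_admin_keep`, which would cache the administrative authorization for a few minutes and re-open the window the post is trying to close.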