Hello,

> We should chat with Miloslav Trmač (mitr) about this. I've added him to
> CC, hi Miloslav! The goal here is to use polkit to express the rule
> "local admins can perform the action without entering any password, but
> non-admin users must enter an admin password."

Hum. Doesn't http://fedoraproject.org/wiki/Privilege_escalation_policy require authentication at least with the user's password?

> I think the only way to
> do that is currently to ship custom JavaScript rules, exactly what Jakub
> does in the above patch; that's the approach that's taken by
> gnome-control-center as well.

AFAICS gnome-control-center is also violating the policy, so… Let's say I'm not overall thrilled. I guess it would make sense to require password entry within the last $five minutes (so that e.g. there is no prompt shortly after unlocking the computer, but we would still prevent random people walking up to a computer and editing settings).

> The polkit manual is pretty clear that applications should never do
> this:
>
> > "Authorization rules are intended for two specific audiences

That thing is fairly impractical, https://bugzilla.redhat.com/show_bug.cgi?id=956005 . IMO, _that_ is not as much a blocker as the escalation policy above.

> Since "auth_admin" always requires the admin password, I guess what
> we're looking for would be something like "auth_if_nonadmin" that we
> could use in <allow_active> in a policy file.

I am very uneasy about a blanket auth_if_nonadmin in any environment that is not physically secured (~ 2 different! people watching the computer to make sure nobody unauthorized is operating it), including the typical open-plan office. Not all physical access is the same; it is much easier to lean over to a computer and type a single administrative command than to otherwise exploit an unlocked computer in the office (rebooting from a USB disk will be defeated by disk encryption; downloading and installing a keylogger running within the session requires a much larger amount of premeditation).

The above-mentioned "authenticate within the last $five minutes" (or perhaps, more precisely, "no period of inactivity longer than $two minutes since last authentication") solution would, I think, work reasonably well, and can be implemented as a polkit authentication agent without otherwise changing the rules. But at the moment the privilege escalation policy stands as it is, and AFAICS requires authentication.

Mirek
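For reference, the kind of custom JavaScript rule the thread is arguing about. This is an added example, not Jakub's patch, gnome-control-center's rule, or anything from polkit's sources. `polkit.addRule`, `polkit.Result.YES`/`AUTH_ADMIN`, `action.id`, `subject.local`, `subject.active` and `subject.isInGroup` are the real polkit rules API; the action id `org.example.settings.modify` and the admin group `wheel` are assumptions, and the small `polkit` object at the top is a constructed stand-in for polkitd's rule engine (first rule that returns a Result wins, a rule that returns nothing falls through to the policy file's `<allow_active>` default) so the rule can be exercised under node rather than installed in /etc/polkit-1/rules.d/.

```javascript
// Constructed stand-in for polkitd's rule evaluation, so the rule below can be
// run and checked offline. Real polkitd loads *.rules files and evaluates them
// in lexical order; the first rule returning a Result decides, and a rule that
// returns undefined (NOT_HANDLED) lets evaluation continue to the next rule
// and finally to the policy file's <allow_active>/<allow_inactive> default.
const polkit = {
  Result: { NO: "no", YES: "yes", AUTH_ADMIN: "auth_admin", NOT_HANDLED: undefined },
  _rules: [],
  addRule(fn) { this._rules.push(fn); },
  evaluate(action, subject, policyDefault) {
    for (const rule of this._rules) {
      const r = rule(action, subject);
      if (r !== undefined) return r;
    }
    return policyDefault;
  },
};

// The rule itself, as it would be shipped in e.g. 50-example.rules:
// local, active members of "wheel" get YES; everyone else is left to the
// policy file, whose default is assumed to be auth_admin.
polkit.addRule(function (action, subject) {
  if (action.id !== "org.example.settings.modify") {
    return; // not our action: fall through to other rules / the policy default
  }
  // Insist on a local, active session. Without this check an admin logged in
  // over SSH, or one whose seat is currently inactive, would also get YES.
  if (subject.local && subject.active && subject.isInGroup("wheel")) {
    return polkit.Result.YES;
  }
  // Non-admins: say nothing, so the policy file's auth_admin applies.
});

// Helpers to build constructed subjects for exercising the rule.
function makeSubject(user, groups, { local = true, active = true } = {}) {
  return { user, local, active, isInGroup: (g) => groups.includes(g) };
}

const ACTION = { id: "org.example.settings.modify" };   // assumed action id
const OTHER_ACTION = { id: "org.example.something.else" };

// Decide for a subject, with auth_admin as the assumed <allow_active> default.
function decide(subject, action = ACTION) {
  return polkit.evaluate(action, subject, polkit.Result.AUTH_ADMIN);
}

console.log(decide(makeSubject("alice", ["wheel"])));                   // yes
console.log(decide(makeSubject("bob", ["users"])));                     // auth_admin
console.log(decide(makeSubject("alice", ["wheel"], { local: false })));  // auth_admin
```

Note what the rule does not do: it cannot express "authenticated within the last $five minutes", because a rule sees only the action and the subject, not when the authentication agent last prompted. That is why the message above puts the time window in the authentication agent rather than in the rules.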
