[Pkg-utopia-maintainers] Bug#536490: Bug#536490: Bug#536490: New fix

Josh Triplett josh at joshtriplett.org
Sat Sep 18 00:28:22 UTC 2010


On Sat, Sep 18, 2010 at 12:33:31AM +0200, Michael Biebl wrote:
> Have been discussing this further with Joss. The way to go, as it currently
> looks like, is to let policykit-1 ship a file like
> # cat /etc/polkit-1/localauthority.conf.d/51-debian-sudo.conf
> [Configuration]
> AdminIdentities=unix-group:sudo
> 
> And the installer, when in sudo mode, simply adds the user to group sudo.
> 
> Adding the IRC discussion for reference:
> 
> > [23:41:25] <Np237> mbiebl, any news from the idea of having policykit privileges for people from the "sudo" group ?
> > [23:41:49] <Np237> (for the record I finally reported the bug against user-setup)
> > [23:42:38] <mbiebl> no news besides what we discussed a while back
> > [23:42:50] <mbiebl> I don't remember the details anymore unfortunately
> > [23:42:52] <Np237> Could you implement that in PK in parallel?
> > [23:43:02] <mbiebl> did we copy that to a bug report
> > [23:43:13] <Np237> Not that I remember
> > [23:43:29] <Np237> The idea was to add a policy file to make users from that group have auth_admin replaced by auth_self
> > [23:43:34] <mbiebl> if sudo is meant to be the "admin" group or equivalent to the admin group in Ubuntu
> > [23:43:47] <Np237> Yeah, it’s named “sudo” in Debian
> > [23:44:09] <mbiebl> then I'd basically just need to copy what pitti already added to the package
> > [23:44:20] <mbiebl> but installs conditionally for ubuntu only
> > [23:44:25] <Np237> I only saw patches to policykit, not for policykit-1
> > [23:44:44] <Np237> ah ok it’s already in the source
> > [23:45:46] <mbiebl> http://git.debian.org/?p=pkg-utopia/policykit.git;a=blob;f=debian/rules;h=4f8abb74b056bcdbd2b4decc610f09d17038e514;hb=HEAD
> > [23:45:53] <Np237> you just need to replace unix-group:admin by unix-group:sudo then
> > [23:46:16] <mbiebl> that's the whole pk customization that is done for pk afair
> > [23:46:27] <mbiebl> done for ubuntu, i mean
> > [23:46:45] <Np237> ISTR live-helper has something similar
> > [23:47:39] <mbiebl> we should really track this issue(s) in a bug report via user tags or a wiki
> > [23:48:27] <Np237> A usertag for two bugs?
> > [23:48:52] <mbiebl> if it's really only two packages, then no
> > [23:49:07] <Np237> Well only user-setup and policykit-1 require changes, AFAIK
> > [23:50:09] <mbiebl> user-setup will simply add the user to group sudo when installed in sudo modus
> > [23:50:16] <mbiebl> i guess that is the bug you filed?
> > [23:50:34] <Np237> Yes
> > [23:50:46] <Np237> This would already work for sudo
> > [23:50:58] <Np237> (and is much better than adding the user by hand to sudoers)
> > [00:08:31] <mbiebl> let's see: added myself to sudo group and created the aforementioned conf file: works, I'm prompted for my password
> > [00:08:57] <mbiebl> now, will need to check, if I remove myself from sudo group again, if it prompts me for the root password
> > [00:12:18] <mbiebl> ok, works too
> > [00:12:30] <Np237> \o/
> > [00:12:38] <mbiebl> now, what if I add a second user, add this one to sudo
> > [00:15:15] <mbiebl> ok, it will then prompt me, for the password of the second user
> > [00:15:20] <mbiebl> and not the root pw anymore
> > [00:15:39] <mbiebl> not ideal but I guess not a showstopper either
> > [00:16:53] <mbiebl> Np237: do you have the # for the user-setup bug?
> > [00:17:25] <Np237> mbiebl, #597239
> > [00:20:00] <Np237> kov, I have also not given hope in pestering you enough so that you upload gksu-polkit :)
> > [00:20:14] <mbiebl> Now, I just need to decide if it's better to just ship that file in policykit-1 or sudo
> > [00:20:29] <Np237> I think in policykit-1
> > [00:20:47] <Np237> If the group doesn’t exist for one reason or another, it’s just harmless
> > [00:21:19] <mbiebl> ok, I'd need to test that, but i guess pk will correctly fallback to prompt-for-root
> 
> Also CCing Josh here, as he filed #566586 which is similar to this bug report
> and should probably be merged.
> 
> Josh, please speak up if the aforementioned proposal does not suit your needs
> and we have to keep track of that in a separate bug report.

The proposed change certainly seems to make sense for group sudo, since
by current default that group has sudo permission with their own
password.

For the purposes of bug 566586, though, I'd like to have a group which
doesn't need to enter a password at all, rather than one which needs to
enter their own password. 

I use the following configuration:

~$ cat /etc/polkit-1/localauthority/50-local.d/01-josh.pkla
[Admin]
Identity=unix-user:josh
Action=*
ResultActive=yes

This configuration makes PolicyKit automatically accept any request from
me if on the console.

The equivalent with unix-group:somegroup would simplify this to just
"adduser josh somegroup".

- Josh Triplett
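
A small audit for the kind of entry shown in the message above, added here as an example (it is not code from the message or from policykit-1): it parses .pkla text and reports every entry that returns "yes" without a prompt, noting whether its Action globs match every action. The sample entries are constructed from the configuration in the message; PROBE_ACTION and the third entry's action id are hypothetical placeholders.

```python
import configparser
from fnmatch import fnmatchcase

# Constructed sample: entry 1 is the .pkla from the message, entry 2 its unix-group
# variant, entry 3 a narrow rule that still prompts (placeholder action id).
SAMPLE_PKLA = """\
[Admin]
Identity=unix-user:josh
Action=*
ResultActive=yes

[Group variant]
Identity=unix-group:somegroup
Action=*
ResultActive=yes

[Narrow rule]
Identity=unix-group:sudo
Action=org.example.placeholder.action
ResultActive=auth_self
"""

RESULT_KEYS = ("ResultAny", "ResultInactive", "ResultActive")
PROBE_ACTION = "org.example.unrelated.probe"  # hypothetical id, only a catch-all glob matches it

def audit_pkla(text):
    """Return findings for entries that authorize without any password prompt."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str  # keep key case: ResultActive, not resultactive
    parser.read_string(text)
    findings = []
    for section in parser.sections():
        entry = parser[section]
        passwordless = [k for k in RESULT_KEYS if entry.get(k, "").strip() == "yes"]
        if not passwordless:
            continue  # entry still asks for a password (or denies)
        actions = [a.strip() for a in entry.get("Action", "").split(";") if a.strip()]
        identities = [i.strip() for i in entry.get("Identity", "").split(";") if i.strip()]
        findings.append({
            "section": section,
            "identities": identities,
            "sessions": passwordless,
            "catch_all": any(fnmatchcase(PROBE_ACTION, a) for a in actions),
        })
    return findings

if __name__ == "__main__":
    for finding in audit_pkla(SAMPLE_PKLA):
        print(finding)
```
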




