Bug 41008

Summary: Include sample policies in tarball
Product: PolicyKit
Component: daemon
Status: RESOLVED FIXED
Severity: normal
Priority: medium
Version: unspecified
Hardware: Other
OS: All
Reporter: David Zeuthen (not reading bugmail) <zeuthen>
Assignee: David Zeuthen (not reading bugmail) <zeuthen>
QA Contact: David Zeuthen (not reading bugmail) <zeuthen>
CC: biru.ionut, bugzilla, leftmostcat

Description David Zeuthen (not reading bugmail) 2011-09-19 08:15:15 UTC
The Fedora policies e.g.

 http://pkgs.fedoraproject.org/gitweb/?p=polkit.git;a=blob;f=polkit.spec;h=e365234e34e0534796c725e1e0b5bcb3ce3a96fe;hb=HEAD#l85

should be included in the polkit tarball with a note that these are the suggested policies that downstreams are suggested to use but that they are free to modify anything they want (e.g. change the 'wheel' group name or the defaults).

Comment 1 David Zeuthen (not reading bugmail) 2011-12-06 07:43:44 UTC
OK, this commit

http://cgit.freedesktop.org/PolicyKit/commit/?id=763faf434b445c20ae9529100d3ef5290976d0c9

is for the 'wheel' part of this change. As noted in NEWS, see


http://cgit.freedesktop.org/PolicyKit/commit/?id=8710055f9f3c8a4bd444210b86d7eea5a4a4f840

distributors who insist on being different can patch it out themselves.

For the other part, e.g.

 [Wheel Group Permissions]
 Identity=unix-group:wheel
 Action=org.gnome.settingsdaemon.datetimemechanism.*;org.kde.kcontrol.kcmclock.save;org.freedesktop.RealtimeKit1.*;org.freedesktop.udisks.filesystem-mount-system-internal;org.freedesktop.hostname1.set-static-hostname
 ResultAny=auth_admin
 ResultInactive=auth_admin
 ResultActive=yes

that gives extra powers to members in 'wheel', I'm not so sure about.

I think the answer here is that the mechanisms should be more lenient and just
use ResultActive=yes instead of insisting that authentication is needed even
for mundane tasks ... after all, this is for users at the local console (of
course, paranoid security-minded distros can lock down as they see fit).

So for now I'm just going to nuke that stanza in the Fedora policy and if there
are complaints about annoying authentication attempts, I'm just going to punt
that to the Mechanisms.

As such, I consider this bug fixed.
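
Added example, not part of the original comment and not polkit code: a small audit that parses a .pkla stanza like the one quoted in comment 1 and reports which identities get an action with no authentication prompt, including wildcard action globs. The function names and the test action ids are hypothetical, and glob matching is approximated with Python's fnmatch.

```python
import configparser
from fnmatch import fnmatchcase

# The stanza quoted in comment 1, embedded so the audit runs offline.
SAMPLE_PKLA = """\
[Wheel Group Permissions]
Identity=unix-group:wheel
Action=org.gnome.settingsdaemon.datetimemechanism.*;org.kde.kcontrol.kcmclock.save;org.freedesktop.RealtimeKit1.*;org.freedesktop.udisks.filesystem-mount-system-internal;org.freedesktop.hostname1.set-static-hostname
ResultAny=auth_admin
ResultInactive=auth_admin
ResultActive=yes
"""

RESULT_KEYS = ("ResultAny", "ResultInactive", "ResultActive")

def split_list(value):
    """Identity and Action hold semicolon-separated globs."""
    return [v.strip() for v in value.split(";") if v.strip()]

def audit_pkla(text):
    """Return one finding per stanza and session class whose result is 'yes'."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep the key case as written in the file
    cp.read_string(text)
    findings = []
    for name in cp.sections():
        sec = cp[name]
        actions = split_list(sec.get("Action", ""))
        for key in RESULT_KEYS:
            if sec.get(key, "").strip() == "yes":
                findings.append({
                    "stanza": name,
                    "session": key,
                    "identities": split_list(sec.get("Identity", "")),
                    "actions": actions,
                    "wildcards": [a for a in actions if "*" in a or "?" in a],
                })
    return findings

def grants_without_auth(findings, identity, action, session="ResultActive"):
    """True if some finding lets `identity` run `action` with no prompt."""
    # Assumption: fnmatchcase approximates polkit's glob matching.
    return any(
        f["session"] == session
        and any(fnmatchcase(identity, g) for g in f["identities"])
        and any(fnmatchcase(action, g) for g in f["actions"])
        for f in findings
    )
```

Run over a directory of .pkla files, the `wildcards` field is the part to review first, since a glob also covers actions a mechanism adds later.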
