
Fedora 12 to remove unprivileged package installation


Posted Nov 20, 2009 4:40 UTC (Fri) by drag (guest, #31333)
In reply to: Fedora 12 to remove unprivileged package installation by tkil
Parent article: Fedora 12 to remove unprivileged package installation

Yes. The role-based thing was not finished. That is why they defaulted to
"all local users".

This version of PackageKit is not configurable on a per-user basis and that
is the core of the problem.



Fedora 12 to remove unprivileged package installation

Posted Nov 20, 2009 4:43 UTC (Fri) by rahulsundaram (subscriber, #21946) [Link] (2 responses)

Actually, it *is* configurable using PolicyKit on a per user basis. Just doesn't have a GUI to do it in this release.

Fedora 12 to remove unprivileged package installation

Posted Nov 20, 2009 4:46 UTC (Fri) by drag (guest, #31333) [Link] (1 responses)

Just going off of what was said in the email:

"""
The idea was that the change in PolicyKit would be accompanied by a
default set of roles, and a nice user interface for assigning users to
roles. Unfortunately, with the constraints of time, it became clear that
this all (and especially the GUI) wasn't going to be there for Fedora
12. So, PackageKit needed a fixed policy for all users. For each action
(install signed packages, install unsigned packages, remove packages,
etc.), it needed to allow, deny, or ask for the root password.
"""

Fedora 12 to remove unprivileged package installation

Posted Nov 20, 2009 5:16 UTC (Fri) by rahulsundaram (subscriber, #21946) [Link]

Perhaps you misunderstood something, but you can write policies yourself. Read man pklocalauthority for examples. It doesn't have a GUI.

Fedora 12 to remove unprivileged package installation

Posted Nov 20, 2009 5:51 UTC (Fri) by tkil (guest, #1787) [Link] (3 responses)

The thing is, it looks like the knobs that are getting exposed (regardless of whether or not there's a GUI) are the ones I want. I'm actually very fine with the old-school "you have to have root authority to do X" rules; what I want is to be able to use a sudo-like capability to show root authority using my own password, and not have to use root's.

*shrug* Not really that big of a deal, but it's something that I really like in OSX, and would like to have in Fedora. I'll look more closely at some of the options available now, to see if this capability is there and just turned off.

Fedora 12 to remove unprivileged package installation

Posted Nov 20, 2009 5:56 UTC (Fri) by tkil (guest, #1787) [Link]

Grr... stupid thinkos

The thing is, it looks like the knobs that are getting exposed (regardless of whether or not there's a GUI) are not the ones I want.

Fedora 12 to remove unprivileged package installation

Posted Nov 20, 2009 6:25 UTC (Fri) by AdamW (subscriber, #48457) [Link] (1 responses)

policykit is far more fine-grained both in terms of authentication methods and actions than _any_ previous system, including su and sudo.

with policykit you can require all sorts of types of authentication for any defined pk action, and actions are far more fine-grained (su and sudo can only make _entire processes_ run with changed privileges). authentication can be with root password, with user password, or with all sorts of other mechanisms. it's extremely powerful. so, yes, policykit would definitely allow you to do what you want if you configure it appropriately (allow any particular action with authentication via the user password).

Fedora 12 to remove unprivileged package installation

Posted Nov 20, 2009 6:40 UTC (Fri) by tkil (guest, #1787) [Link]

> so, yes, policykit would definitely allow you to do what you want if you configure it appropriately (allow any particular action with authentication via the user password).

Spiffy! I'll definitely have to look into PK in a bit more depth than I have. Thanks for the info!
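
An added example, not part of the original thread and not PolicyKit's own code: a small Python check over rules written in the pklocalauthority `.pkla` format mentioned above, listing any rule that lets an identity run a given PackageKit action with no authentication at all. The sample rules and the user `alice` are constructed, and using `fnmatch` for the `Action` globs is an assumption about polkit's matching.

```python
import configparser
import fnmatch

# Constructed sample in pklocalauthority(8) .pkla syntax; "alice" is hypothetical.
SAMPLE_PKLA = """
[Everyone may install signed packages without authenticating]
Identity=unix-user:*
Action=org.freedesktop.packagekit.package-install
ResultAny=no
ResultInactive=no
ResultActive=yes

[alice proves authority with her own password]
Identity=unix-user:alice
Action=org.freedesktop.packagekit.*
ResultAny=no
ResultInactive=no
ResultActive=auth_self
"""

RESULT_KEYS = ("ResultAny", "ResultInactive", "ResultActive")

def parse_pkla(text):
    """Parse .pkla text into a list of rule dicts (one per [section])."""
    cp = configparser.RawConfigParser(delimiters=("=",))
    cp.optionxform = str  # keep key case: Identity, Action, Result*
    cp.read_string(text)
    rules = []
    for name in cp.sections():
        sec = cp[name]
        rules.append({
            "name": name,
            # Identity and Action are semicolon-separated lists.
            "identities": [i for i in sec.get("Identity", "").split(";") if i],
            "actions": [a for a in sec.get("Action", "").split(";") if a],
            "results": {k: sec[k] for k in RESULT_KEYS if k in sec},
        })
    return rules

def passwordless_grants(rules, action):
    """Return (rule, identity, result key) for each grant of `action` with 'yes'."""
    hits = []
    for r in rules:
        # Assumption: fnmatch approximates polkit's glob matching of Action.
        if not any(fnmatch.fnmatchcase(action, pat) for pat in r["actions"]):
            continue
        for key, val in r["results"].items():
            if val == "yes":  # allowed without any authentication prompt
                hits.extend((r["name"], ident, key) for ident in r["identities"])
    return hits
```

Rules whose result is `auth_self` (the user's own password) or `auth_admin` are not reported; only an unconditional `yes` is.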

