polkit prompt shows multiple users #75075

Closed
nh2 opened this issue Dec 6, 2019 · 3 comments · Fixed by #75343

nh2 commented Dec 6, 2019

On 19.09, when you pkexec on NixOS with default settings and your user being part of unix group wheel, you get a prompt whether you want to get admin capabilities via your user or the root user.

This is somewhat inconvenient, because you always have to choose the user by clicking on it (or pressing a number key in the terminal); on other systems like Ubuntu, it somehow figures out that these two are identical and prompts immediately for the password.

In

default = [ "unix-user:0" "unix-group:wheel" ];

we have both [ "unix-user:0" "unix-group:wheel" ] as the default.

Setting it to only [ "unix-group:wheel" ] generates only 1 prompt.

What is the first one good for? Should we just remove it from the default, given that adding users to the wheel is the default way of "making them admins"?

Or do we somehow want to depart from the unix group approach of making people admins?

@nh2 nh2 added the 0.kind: bug label Dec 6, 2019
@worldofpeace

These are the patches used in Ubuntu and also Debian

The default upstream for addAdminRule is

polkit.addAdminRule(function(action, subject) {
  return ["unix-group:wheel"];
});

So seemingly Ubuntu and many other distros aren't doing what we are doing.

We use

polkit.addAdminRule(function(action, subject) {
  return ["unix-user:0", "unix-group:wheel"];
});

for probably a specific reason at some point in time.

@worldofpeace

It appears to have been this way for a long time

My recommendation is we just use the default way it is in polkit.
As far as I can tell, adding users to the wheel as the default way of "making them admins" is how it's done in NixOS.


nh2 commented Dec 6, 2019

> These are the patches used in Ubuntu and also Debian

Right, most notably https://git.launchpad.net/ubuntu/+source/policykit-1/tree/debian/patches/05_revert-admin-identities-unix-group-wheel.patch?id=e82a9d8125f9d70cea47044d2fb4637ff6305725

which does

-AdminIdentities=unix-group:wheel
+AdminIdentities=unix-user:0
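
Review bot: The `+AdminIdentities=unix-user:0` line replaces the `unix-group:wheel` entry outright instead of extending it, so with this value uid 0 is the only admin identity. The reason is given only in the patch description; a comment beside the setting saying that it assumes a system with no wheel group would keep a later reader from reintroducing the group entry or carrying the patch onto a wheel-based system.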

saying

> On Red Hat derivatives, every member of group 'wheel' is necessarily privileged. On Debian derivatives, there is no wheel group, and gid 0 (root) is not used in this way. Change the default rule to consider uid 0 to be privileged, instead.

> My recommendation is we just use the default way it is in polkit.

Seems reasonable to me as well

worldofpeace added a commit to worldofpeace/nixpkgs that referenced this issue Dec 10, 2019
Fixes NixOS#75075.

To summarize the report in the aforementioned issue, at a glance,
it's a different default than what upstream polkit has. Apparently
for 8+ years polkit defaults admin identities as members of
the wheel group [0]. This assumption would be appropriate on NixOS, where
every member of group 'wheel' is necessarily privileged.

[0]: https://gitlab.freedesktop.org/polkit/polkit/commit/763faf434b445c20ae9529100d3ef5290976d0c9
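
A simplified model of the behaviour discussed in this thread, added here as an example and not taken from polkit or nixpkgs: it expands the identity list returned by an admin rule into the accounts an agent would offer, which shows why the two-entry default produces a chooser and the wheel-only rule does not. The account database, the action id `org.example.action` and the helper names `makePolkit`, `expandIdentities` and `promptChoices` are assumptions made for the illustration.

```javascript
// Simplified model, not polkit source: how an admin rule's identity list
// turns into the accounts an authentication agent can offer.

// Constructed account database (hypothetical users and groups).
const USERS = { 0: "root", 1000: "alice", 1001: "bob" };
const GROUPS = { wheel: ["alice"], users: ["alice", "bob"] };

// Minimal stand-in for the `polkit` object that rules files call into.
function makePolkit() {
  const rules = [];
  return {
    addAdminRule: (fn) => rules.push(fn),
    // Rules run in the order added; the first one returning a list decides.
    adminIdentities(action, subject) {
      for (const rule of rules) {
        const ids = rule(action, subject);
        if (Array.isArray(ids)) return ids;
      }
      return [];
    },
  };
}

// Expand "unix-user:<uid|name>" and "unix-group:<name>" into account names.
function expandIdentities(identities) {
  const accounts = new Set(); // a Set drops accounts matched more than once
  for (const id of identities) {
    const [kind, value] = id.split(":");
    if (kind === "unix-user") {
      const name = /^\d+$/.test(value) ? USERS[Number(value)] : value;
      if (name) accounts.add(name);
    } else if (kind === "unix-group") {
      for (const member of GROUPS[value] || []) accounts.add(member);
    } else {
      throw new Error(`unsupported identity: ${id}`);
    }
  }
  return [...accounts];
}

// Accounts offered for a given rule body (action id is a placeholder).
function promptChoices(ruleFn) {
  const polkit = makePolkit();
  polkit.addAdminRule(ruleFn);
  const ids = polkit.adminIdentities("org.example.action", { user: "alice" });
  return expandIdentities(ids);
}

const nixosOld = promptChoices(() => ["unix-user:0", "unix-group:wheel"]);
const upstream = promptChoices(() => ["unix-group:wheel"]);
console.log(nixosOld, upstream);
```

More than one entry in the result corresponds to the user-selection step described in the report; a single entry goes straight to the password prompt.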