You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
On 19.09, when you pkexec on NixOS with default settings and your user being part of unix group wheel, you get a prompt whether you want to get admin capabilities via your user or the root user.
This is somewhat inconvenient, because you always have to choose the user by clicking on it (or pressing a number key in the terminal); on other systems like Ubuntu, it somehow figures out that these two are identical and prompts immediately for the password.
we have both [ "unix-user:0" "unix-group:wheel" ] as the default.
Setting it to [ "unix-group:wheel" ] only generates only 1 prompt.
What is the first one good for, should we just remove it from the default, given that adding users to the wheel is the default way of "making them admins"?
Or do we somehow want to depart from the unix group approach of making people admins?
The text was updated successfully, but these errors were encountered:
My recommendation is we just use the default way it is in polkit.
As far as I can tell, given that adding users to the wheel is the default way of "making them admins" is how it's done in NixOS.
On Red Hat derivatives, every member of group 'wheel' is necessarily privileged. On Debian derivatives, there is no wheel group, and gid 0 (root) is not used in this way. Change the default rule to consider uid 0 to be privileged, instead.
My recommendation is we just use the default way it is in polkit.
FixesNixOS#75075.
To summarize the report in the aforementioned issue, at a glance,
it's a different default than what upstream polkit has. Apparently
for 8+ years polkit defaults admin identities as members of
the wheel group [0]. This assumption would be appropriate on NixOS, where
every member of group 'wheel' is necessarily privileged.
[0]: https://gitlab.freedesktop.org/polkit/polkit/commit/763faf434b445c20ae9529100d3ef5290976d0c9
On 19.09, when you
pkexec
on NixOS with default settings and your user being part of unix groupwheel
, you get a prompt whether you want to get admin capabilities via your user or theroot
user.This is somewhat inconvenient, because you always have to choose the user by clicking on it (or pressing a number key in the terminal); on other systems like Ubuntu, it somehow figures out that these two are identical and prompts immediately for the password.
In
nixpkgs/nixos/modules/security/polkit.nix
Line 45 in a7aa5db
we have both
[ "unix-user:0" "unix-group:wheel" ]
as the default.Setting it to
[ "unix-group:wheel" ]
only generates only 1 prompt.What is the first one good for, should we just remove it from the default, given that adding users to the
wheel
is the default way of "making them admins"?Or do we somehow want to depart from the unix group approach of making people admins?
The text was updated successfully, but these errors were encountered: