Adding more groups like "flatpak" to allow nonwheel users to do specific privileged tasks?

Project Discussion
, , ,
1

Currently there are certain things that require a user to be in the wheel group to use them.

I am thinking of mounting and decrypting LUKS SSDs on the PC, or managing systemwide flatpaks.

These two actions: mount & unlock, could be allowed to users in a certain group like this:

polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.udisks2.encrypted-unlock-system" || action.id == "org.freedesktop.udisks2.filesystem-mount-system" &&
        subject.active == true && subject.local == true &&
        subject.isInGroup("diskadmin")) {
        return polkit.Result.YES;
    }
});

for granting such granular permission, just like with plugdev or libvirt groups, a new group per permission would be helpful.

2

I like the idea, and I assume that you would need to have umount?

1 Like
3

Added adb, cups, libvirt

4

this belongs to the set of “wheel-less” things that need manual config

5

From Ask Fedora to Project Discussion

6

Added engineering, package-maintainers, problem, workstation-wg and removed adb, flatpak, libvirt, polkit, printing

7

I am currently writing a change proposal to edit the freedesktop Flatpak polkit rule, to allow users in the flatpak group to do all the actions too.

A rule for the disk unlock things is also planned.

Who wants to join? Write me a PM or on Matrix: boredsquirrel@fedora.im

8

What did you mean by this exactly?

9

Agreed ! If anyone is following my “side” project to auto update a luks encrypted external drive, I ran into this a couple of times. So much so, that I literally found a way to avoid the .mount files altogether ( and their complicated to the eye, use of x2 escape characters ) .

I need a refresher on what the groups are :laughing: :exclamation: , also would the change be for F42 ? too soon for F41 ?

I can also be reached on Matrix : @definitive_linux:matrix.org

10

This is the proposed rule, its under 20 changed characters hahaha. That doesnt mean it is quick… but I plan on F41.

https://fedoraproject.org/wiki/Changes/UnprivilegedSystemFlatpakManagement

Not sure about the name… a better word for “unprivileged” ? “rootless”?

11

You only have mount and unlock, umount is needed as well.

1 Like
12

So this?

polkit.addRule(function(action, subject) {
    if ((action.id == "org.freedesktop.udisks2.encrypted-unlock-system" ||
				action.id == "org.freedesktop.udisks2.filesystem-mount-system" ||
				action.id == "org.freedesktop.udisks2.umount") &&
        subject.active == true && subject.local == true && (
        subject.isInGroup("diskadmin") || subject.isInGroup("wheel"))) {
        return polkit.Result.YES;
    }
});

I dont have a way currently to test this, Dolphin doesnt request a password if I use the above rule, I invented the last action lol.

It needs to be tested on Silverblue too, then I create a Change Proposal to get this hopefully into 41 as it is also really small

13

I’m not a polkit expert, yet, but it looks reasonable.

14

So I missed the F41 submission deadline, the change proposals will poorly only land for F42.

The changes are here:

Please add needed disk actions where nonwheel users get a password prompt. And also maybe the name is not suiting well, “rootless” or “wheel-less” or “granular” may be better