How to prevent by default any non-wheel (standard) users from use polkit?

Hi.

I like to hardened security of my system (Fedora Linux).
I want to make any new user account created will be by default has no any admin power at all. I mean by that has no su/sudo/polkit powers & unable to use any of them.

Regarding sudo we have no problem in Fedora because it is always configured in such a way that any newly created user account will not be by default in wheel group

Regarding su, we can manage it as easy as such:
sudo vi /etc/pam.d/su
then uncomment the following line:
#auth required pam_wheel.so use_uid
to be:
auth required pam_wheel.so use_uid
then save & exit & finally reboot

The problem is with polkit, because by default any new user account created on Fedora will be able to use, for example GNOME center, to install new software even if it has neither sudo nor su access … This is great problem …

I need to now how can I make Fedora to prevent by default any newly created user account from being able to use polkit (& subsequently block any backend like PackageKit or frontend like GNOME software that depend on it from use it) at all.

Polkit is an entire authentication framework, not just something that hands out privileged access. Afaik the usual default policy is auth_admin which requires administrator password (not just the user password like sudo), so this isn’t too much of an issue overall.

@nokia808 welcome to the community! Please do take a minute to go over posts in the #start-here catgories if you’ve not yet had a chance.

@refi64 glad to see you here on Ask Fedora!

I’m an old member in Ask Fedora, but it seem that you reset this site so it asked me to create account when I signed to it. I already read #start-here.

Please any help regarding my question ?

To me it is big concern ! I’m never like any standard user account (non wheel user) to be able to:

• add new software by GNOME software
• modify setting of Firewalld
• Network connections
• dnfdragora
• “Users & groups”
• “Unlock” option of “Date & time” in system setting

all these can be used by non-wheel user accounts via polkit ! And most dangerous of all these are GNOME software because it does not asked for password while all other ask non-wheel user account to enter sudo password …

I want to block non-wheel users from touch polkit at all & prevent them from any authentication power !

Any help please ?

U can try add rules ,example to config datetime .

/etc/polkit-1/rules.d/22-myrules.rules

polkit.addRule(function(action, subject) {
if (action.id == “org.gnome.controlcenter.datetime.configure”) {
if (subject.isInGroup(“wheel”)) {
return polkit.Result.YES;
} else {
return polkit.Result.NO;
}
}
});

To list all actions .

pkaction

man polkit

This seem to be time wasting & need user to know all applications that should set rules for them & by this way user can escape some of them simply because she/he may do not some or few or one of them …

Is there a global way to block any application or package or service (in non-wheel user account) from touch polkit ? This my need from this issue. I did not expect that it is such difficult !

Edit: by the way, just few minutes ago, I discover following file:

/etc/pam.d/polkit-1

it is similar to the /etc/pam.d/su that used to configure su & block it from used by any non-wheel user from using it at all - see my 1st post above

So, could /etc/pam.d/polkit-1 used in similar way to block any non-wheel user from using polkit at all ? If yes, then what I should added to this file ? The default output of this file is as following:

#%PAM-1.0

auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    include      system-auth

Any help please ?

I feel that we approaching from solution !

What about this

polkit.addRule(function(action, subject) {
if (action.id ) {
if (subject.isInGroup(“wheel”)) {
return polkit.Result.YES;
} else {
return polkit.Result.NO;
}
}
});

Note I do not know how true this is ,try at your own risk Because wheel group will have a rules stronger powers than before .(google translate)

I found this link on Internet:

https://bbs.archlinux.org/viewtopic.php?id=246975

User share same security concern about polkit & made to solve it by adding the following line: auth required pam_wheel.so use_uid to etc/pam.d/polkit-1 to be as following:

#%PAM-1.0

auth       required     pam_wheel.so use_uid
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    include      system-auth

Also, he talk about overriding this add when updated pam package & asking if it is normal or a bug …

Any one can confirm this method, please ?

By the way (though other topic): I noticed that “etc/pam.d/su-l” on Fedora different from that on Archlinux ! In Fedora there is no “auth required pam_wheel.so use_uid” at all ! And here I would asking how Fedora then configure sudo to be available only for wheel group ??
“etc/pam.d/su” & “etc/pam.d/polkit-1” both are same on both Fedora & Archlinux, but “etc/pam.d/su-l” are differ ! Moreover I examine “etc/pam.d/sudo” on Fedora & it is:

#%PAM-1.0
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so revoke
session    required     pam_limits.so
session    include      system-auth

Not necessarily agreeing, but the method @youssefmsourani gave is arguably the more correct way to do things. Try this (UNTESTED):

polkit.addRule(function(action, subject) {
  if (subject.isInGroup(“wheel”)) {
    return polkit.Result.NOT_HANDLED;
  } else {
  return polkit.Result.NO;
  }
});

Drop that in /etc/polkit-1/rules.d/00-block-non-wheel.rules (you need to be root to access that folder, easy way would be via gedit admin:///etc/polkit-1/rules.d/00-block-non-wheel.rules). That should reject anything not by wheel, but anything wheel does will follow the normal auth mechanisms.