Merge pull request #75343 from worldofpeace/polkit-no-root-admin

nixos/polkit: remove root from adminIdentities
This commit is contained in:
worldofpeace 2019-12-10 20:24:23 -05:00 committed by GitHub
commit 50295a1201
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 12 additions and 3 deletions

View File

@ -225,6 +225,16 @@
The fourStore and fourStoreEndpoint modules have been removed.
</para>
</listitem>
<listitem>
<para>
Polkit no longer has the user of uid 0 (root) as an admin identity.
We now follow the upstream default of only having every member of the wheel
group admin privileged. Before it was root and members of wheel.
The positive outcome of this is pkexec GUI popups or terminal prompts
will no longer require the user to choose between two essentially equivalent
choices (whether to perform the action as themselves with wheel permissions, or as the root user).
</para>
</listitem>
</itemizedlist>
</section>

View File

@ -42,15 +42,14 @@ in
security.polkit.adminIdentities = mkOption {
type = types.listOf types.str;
default = [ "unix-user:0" "unix-group:wheel" ];
default = [ "unix-group:wheel" ];
example = [ "unix-user:alice" "unix-group:admin" ];
description =
''
Specifies which users are considered administrators, for those
actions that require the user to authenticate as an
administrator (i.e. have an <literal>auth_admin</literal>
value). By default, this is the <literal>root</literal>
user and all users in the <literal>wheel</literal> group.
value). By default, this is all users in the <literal>wheel</literal> group.
'';
};