On Mon, Jul 01, 2024 at 09:52:59PM +0100, Aoife Moloney wrote:
> Wiki - https://fedoraproject.org/wiki/Changes/UnprivilegedDiskManagement
> Discussion thread -
> https://discussion.fedoraproject.org/t/f42-change-proposal-unprivileged-disk-management-system-wide/124334
>
> This is a proposed Change for Fedora Linux.
> This document represents a proposed Change. As part of the Changes
> process, proposals are publicly announced in order to receive
> community feedback. This proposal will only be implemented if approved
> by the Fedora Engineering Steering Committee.
>
> == Summary ==
> This proposal adds a new dedicated `diskadmin` group, allowing users
> to manage external drives without needing to be in the `wheel` group.
You can use 'guestfish' to access drives without needing any
permissions at all outside your regular user account.
Rich.
> It will also enable wheel users to unlock and mount external drives
> without a password prompt.
>
> == Owner ==
> * Name: [[User:boredsquirrel| Henning]]
> * Email: boredsquir...@secure.mailbox.org
>
>
>
>
> == Detailed Description ==
> Currently, to mount or (LUKS) unlock external drives, users need to be
> in the `wheel` group. Removing a user from the wheel group would
> prevent them from using external drives.
>
> This enables an "admin" permission that is not tied to full root
> access on the host system.
>
> It will be a change of the polkit rule `org.freedesktop.udisks2.rules`
> like following:
>
> <pre>
> polkit.addRule(function(action, subject) {
> if ((action.id == "org.freedesktop.udisks2.encrypted-unlock-system" ||
> action.id == "org.freedesktop.udisks2.filesystem-mount-system") &&
> subject.active == true && subject.local == true && (
> subject.isInGroup("diskadmin") || subject.isInGroup("wheel"))) {
> return polkit.Result.YES;
> }
> });
> </pre>
>
> == Feedback ==
> none yet
>
> == Benefit to Fedora ==
> This is a step towards the Confined Users goal. It enables a dedicated
> action, the mounting and unlocking of external drives, without needing
> all the other privileges that `wheel` users have.
>
> == Scope ==
> * Proposal owners: changing a single rule, testing with nonwheel users
> in the `diskadmin` group on GNOME and KDE
>
> * Other developers: N/A
>
> * Release engineering: [https://pagure.io/releng/issues #Releng issue number]
>
> * Policies and guidelines: Documentation needs to get an additional
> chapter on disk management with the `diskadmin` group.
>
> * Trademark approval: N/A (not needed for this Change)
>
> * Alignment with the Fedora Strategy: Not sure, as it adds a
> nonstandard user group.
>
>
> == Upgrade/compatibility impact ==
> The polkit rule will be added, users will not need to enter a password
> if they are in these groups. No changes for users outside these
> groups.
>
>
> == How To Test ==
> On Atomic or traditional Fedora, place the above rule in
> `/etc/polkit-1/rules.d/80-org.freedesktop.udisks2.rules`.
>
> This will be preferred over the default rule and you can test if it works.
>
> == User Experience ==
> By default, Anaconda puts users into the `wheel` group. These users
> will not need to enter a password when mounting external media or
> unlocking them.
>
> It also allows to do these actions without being in the `wheel`
> group, by adding a user to the `diskadmin` group.
>
> == Dependencies ==
>
> None
>
> == Contingency Plan ==
>
> * Contingency mechanism: this is a simple fix, not adding it will keep
> the previous wheel need
> * Contingency deadline: N/A
> * Blocks release? N/A
>
>
> == Documentation ==
> Will be added afterwards.
>
> Nonwheel users can be added to the `diskadmin` group:
>
>
> sudo groupadd diskadmin
> sudo usermod -aG diskadmin USERNAME
>
>
>
> == Release Notes ==
> Users in the 'wheel' or 'diskadmin' group can mount and unlock
> external drives without a password.
>
>
> --
> Aoife Moloney
>
> Fedora Operations Architect
>
> Fedora Project
>
> Matrix: @amoloney:fedora.im
>
> IRC: amoloney
>
> --
> _______________________________________________
> devel-announce mailing list -- devel-annou...@lists.fedoraproject.org
> To unsubscribe send an email to devel-announce-le...@lists.fedoraproject.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/devel-annou...@lists.fedoraproject.org
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
> --
> _______________________________________________
> devel mailing list -- devel@lists.fedoraproject.org
> To unsubscribe send an email to devel-le...@lists.fedoraproject.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-top is 'top' for virtual machines. Tiny program with many
powerful monitoring features, net stats, disk stats, logging, etc.
http://people.redhat.com/~rjones/virt-top
--
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
