Cannot express "group yes, others no" in pkla file
Submitted by Matt McCutchen
Assigned to David Zeuthen @david
Description
On my Fedora 12 system, the default policy for action org.freedesktop.packagekit.system-update for processes on the active console is to allow without authentication. My system is sometimes used by people I don't fully trust, so to avoid any surprises, I wanted to create a pkla file to allow group "wheel" and deny everyone else. Surprisingly, it seems to be impossible to achieve this simple configuration under the current semantics for pkla files.
I could create a group containing all users /except/ "wheel", but I really shouldn't have to do that, so let's suppose no such group exists. My pkla file looks like this:
[section-deny]
Identity=XXX
Action=org.freedesktop.packagekit.system-update
ResultActive=auth_admin_keep

[section-allow]
Identity=unix-group:wheel
Action=org.freedesktop.packagekit.system-update
ResultActive=yes
The question is what identity XXX to specify for the deny section. According to the "EVALUATION ORDER" section of the pklocalauthority(8) man page, the entire set of pkla files is processed once for each group and then once for the user. So what identity can I specify that is guaranteed to match all users, yet run before the allow so that the allow takes priority for users in "wheel"? The order of processing of groups is undocumented, so there is none. The current implementation appears to process groups in the reverse order of their listing in /etc/group, but I shouldn't have to rely on that.
Adding support for an Identity value "everyone" that is processed before groups would solve my problem. However, I'm wondering whether the current approach of going through all files once for each group/user is useful at all. The main thing it enables is having a user deny override a group allow, which IMO is not a sound approach to security.
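The ordering problem described above, as an added example that is not part of the original report and is not polkit code: a simplified Python model of the evaluation order (one pass over all entries per group, then one for the user, last match wins). The group "users", the user names and their memberships are constructed, and the "everyone" identity is the report's proposal, not an existing polkit feature.

```python
from itertools import permutations

ACTION = "org.freedesktop.packagekit.system-update"

# Constructed entries in file order: (Identity, Action, ResultActive).
# "unix-group:users" stands in for XXX; assumption: every user is in "users".
ENTRIES = [
    ("unix-group:users", ACTION, "auth_admin_keep"),
    ("unix-group:wheel", ACTION, "yes"),
]

# The same policy written with the "everyone" identity proposed in the report.
PROPOSED = [
    ("everyone", ACTION, "auth_admin_keep"),
    ("unix-group:wheel", ACTION, "yes"),
]


def evaluate(user, groups_in_order, entries, action, default="yes"):
    """Model: 'everyone' first (proposal), then one full pass over the
    entries per group, then one for the user. The last match wins.
    default="yes" mirrors the Fedora 12 default the report describes."""
    identities = ["everyone"]
    identities += [f"unix-group:{g}" for g in groups_in_order]
    identities.append(f"unix-user:{user}")
    result = default
    for identity in identities:
        for ident, act, res in entries:
            if ident == identity and act == action:
                result = res
    return result


def outcomes(user, groups, entries, action):
    """Every result reachable across all possible group processing orders."""
    return {evaluate(user, order, entries, action)
            for order in permutations(groups)}


if __name__ == "__main__":
    # alice is in wheel, bob is not (constructed users).
    print("group-based deny, alice:", outcomes("alice", ["users", "wheel"], ENTRIES, ACTION))
    print("proposed 'everyone', alice:", outcomes("alice", ["users", "wheel"], PROPOSED, ACTION))
    print("proposed 'everyone', bob:", outcomes("bob", ["users"], PROPOSED, ACTION))
```

A policy is only safe to rely on when `outcomes` returns a single result for every user; the group-based deny returns two for a member of "wheel", which is the dependence on undocumented group order that the report objects to.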