summary refs log tree commit diff
path: root/nixos
diff options
context:
space:
mode:
authorworldofpeace <worldofpeace@protonmail.ch>2019-12-09 01:38:33 -0500
committerworldofpeace <worldofpeace@protonmail.ch>2019-12-09 19:11:09 -0500
commitefc1c027ad6f2c0b31416c876dcf282539d45ea7 (patch)
tree15f508a4d9bdbb06e4c8826b241407de24775b27 /nixos
parent5bd1bd08ed4e7bc10a5d426b9b02e212e9a08f8b (diff)
downloadnixpkgs-efc1c027ad6f2c0b31416c876dcf282539d45ea7.tar
nixpkgs-efc1c027ad6f2c0b31416c876dcf282539d45ea7.tar.gz
nixpkgs-efc1c027ad6f2c0b31416c876dcf282539d45ea7.tar.bz2
nixpkgs-efc1c027ad6f2c0b31416c876dcf282539d45ea7.tar.lz
nixpkgs-efc1c027ad6f2c0b31416c876dcf282539d45ea7.tar.xz
nixpkgs-efc1c027ad6f2c0b31416c876dcf282539d45ea7.tar.zst
nixpkgs-efc1c027ad6f2c0b31416c876dcf282539d45ea7.zip
nixos/polkit: remove root from adminIdentities
Fixes https://github.com/NixOS/nixpkgs/issues/75075.

To summarize the report in the aforementioned issue, at a glance,
it's a different default than what upstream polkit has. Apparently
for 8+ years polkit defaults admin identities as members of
the wheel group [0]. This assumption would be appropriate on NixOS, where
every member of group 'wheel' is necessarily privileged.

[0]: https://gitlab.freedesktop.org/polkit/polkit/commit/763faf434b445c20ae9529100d3ef5290976d0c9
Diffstat (limited to 'nixos')
-rw-r--r--nixos/doc/manual/release-notes/rl-2003.xml10
-rw-r--r--nixos/modules/security/polkit.nix5
2 files changed, 12 insertions, 3 deletions
diff --git a/nixos/doc/manual/release-notes/rl-2003.xml b/nixos/doc/manual/release-notes/rl-2003.xml
index 886b16ef965..579b8d53744 100644
--- a/nixos/doc/manual/release-notes/rl-2003.xml
+++ b/nixos/doc/manual/release-notes/rl-2003.xml
@@ -225,6 +225,16 @@
      The fourStore and fourStoreEndpoint modules have been removed.
     </para>
    </listitem>
+   <listitem>
+    <para>
+     Polkit no longer has the user of uid 0 (root) as an admin identity.
+     We now follow the upstream default of only having every member of the wheel
+     group admin privileged. Before it was root and members of wheel.
+     The positive outcome of this is pkexec GUI popups or terminal prompts
+     will no longer require the user to choose between two essentially equivalent
+     choices (whether to perform the action as themselves with wheel permissions, or as the root user).
+    </para>
+   </listitem>
   </itemizedlist>
  </section>
 
diff --git a/nixos/modules/security/polkit.nix b/nixos/modules/security/polkit.nix
index f2b2df4004c..a6724bd7583 100644
--- a/nixos/modules/security/polkit.nix
+++ b/nixos/modules/security/polkit.nix
@@ -42,15 +42,14 @@ in
 
     security.polkit.adminIdentities = mkOption {
       type = types.listOf types.str;
-      default = [ "unix-user:0" "unix-group:wheel" ];
+      default = [ "unix-group:wheel" ];
       example = [ "unix-user:alice" "unix-group:admin" ];
       description =
         ''
           Specifies which users are considered “administrators”, for those
           actions that require the user to authenticate as an
           administrator (i.e. have an <literal>auth_admin</literal>
-          value).  By default, this is the <literal>root</literal>
-          user and all users in the <literal>wheel</literal> group.
+          value).  By default, this is all users in the <literal>wheel</literal> group.
         '';
     };
generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-07-02 07:44:03 +0000