| author | worldofpeace <worldofpeace@protonmail.ch> | 2019-12-09 01:38:33 -0500 |
|---|---|---|
| committer | worldofpeace <worldofpeace@protonmail.ch> | 2019-12-09 19:11:09 -0500 |
| commit | efc1c027ad6f2c0b31416c876dcf282539d45ea7 (patch) | |
| tree | 15f508a4d9bdbb06e4c8826b241407de24775b27 /nixos | |
| parent | 5bd1bd08ed4e7bc10a5d426b9b02e212e9a08f8b (diff) | |
nixos/polkit: remove root from adminIdentities
Fixes https://github.com/NixOS/nixpkgs/issues/75075. To summarize the report in the aforementioned issue, at a glance, it's a different default than what upstream polkit has. Apparently for 8+ years polkit defaults admin identities to members of the wheel group [0]. This assumption would be appropriate on NixOS, where every member of group 'wheel' is necessarily privileged.

[0]: https://gitlab.freedesktop.org/polkit/polkit/commit/763faf434b445c20ae9529100d3ef5290976d0c9
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/doc/manual/release-notes/rl-2003.xml | 10
-rw-r--r-- | nixos/modules/security/polkit.nix | 5
2 files changed, 12 insertions, 3 deletions
diff --git a/nixos/doc/manual/release-notes/rl-2003.xml b/nixos/doc/manual/release-notes/rl-2003.xml index 886b16ef965..579b8d53744 100644 --- a/nixos/doc/manual/release-notes/rl-2003.xml +++ b/nixos/doc/manual/release-notes/rl-2003.xml @@ -225,6 +225,16 @@ The fourStore and fourStoreEndpoint modules have been removed. </para> </listitem> + <listitem> + <para> + Polkit no longer has the user of uid 0 (root) as an admin identity. + We now follow the upstream default of only having every member of the wheel + group admin privileged. Before it was root and members of wheel. + The positive outcome of this is pkexec GUI popups or terminal prompts + will no longer require the user to choose between two essentially equivalent + choices (whether to perform the action as themselves with wheel permissions, or as the root user). + </para> + </listitem> </itemizedlist> </section> diff --git a/nixos/modules/security/polkit.nix b/nixos/modules/security/polkit.nix index f2b2df4004c..a6724bd7583 100644 --- a/nixos/modules/security/polkit.nix +++ b/nixos/modules/security/polkit.nix @@ -42,15 +42,14 @@ in security.polkit.adminIdentities = mkOption { type = types.listOf types.str; - default = [ "unix-user:0" "unix-group:wheel" ]; + default = [ "unix-group:wheel" ]; example = [ "unix-user:alice" "unix-group:admin" ]; description = '' Specifies which users are considered “administrators”, for those actions that require the user to authenticate as an administrator (i.e. have an <literal>auth_admin</literal> - value). By default, this is the <literal>root</literal> - user and all users in the <literal>wheel</literal> group. + value). By default, this is all users in the <literal>wheel</literal> group. ''; }; |
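Review bot: the new release-notes <listitem> in rl-2003.xml says what changed but not how to keep the previous behaviour, and the option it would need is right there in the second hunk; add a sentence along the lines of "Set `security.polkit.adminIdentities = [ "unix-user:0" "unix-group:wheel" ];` to restore the old default." It should also state the user-facing consequence beyond the prompt cosmetics: a user who is not in wheel could previously satisfy an auth_admin prompt by authenticating as root and no longer can, which is the security-relevant part of the change and the reason an upgrading admin would want to know about it. Minor wording: "only having every member of the wheel group admin privileged" reads awkwardly; "of treating only members of the wheel group as administrators" is clearer.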
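Review bot: with the default in polkit.nix reduced to `[ "unix-group:wheel" ]`, a host with no wheel members (a fresh install where only root has a password, or a headless server) is left with no admin identity at all, so every auth_admin action fails at the prompt instead of falling back to root as before. The updated description should call this out and point at setting the option explicitly for such hosts, e.g. `[ "unix-user:0" ]`, rather than only stating the new default. The rest of the hunk is consistent: the description now matches the default, and the existing `example` value is still valid.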