pyrox.dev / nixpkgs
lol
fork atom

nixos/polkit: remove root from adminIdentities

Fixes https://github.com/NixOS/nixpkgs/issues/75075.

To summarize the report in the aforementioned issue, at a glance,
it's a different default than what upstream polkit has. Apparently
for 8+ years polkit defaults admin identities as members of
the wheel group [0]. This assumption would be appropriate on NixOS, where
every member of group 'wheel' is necessarily privileged.

[0]: https://gitlab.freedesktop.org/polkit/polkit/commit/763faf434b445c20ae9529100d3ef5290976d0c9

worldofpeace efc1c027 5bd1bd08

options
unified split
Changed files
+12 -3
nixos
doc
manual
release-notes
rl-2003.xml
modules
security
polkit.nix
+10
nixos/doc/manual/release-notes/rl-2003.xml 
···

       
225

       
225

       
 

       
     The fourStore and fourStoreEndpoint modules have been removed.


     

       
226

       
226

       
 

       
    </para>


     

       
227

       
227

       
 

       
   </listitem>


     

       

       
228

       
+

       
   <listitem>


     

       

       
229

       
+

       
    <para>


     

       

       
230

       
+

       
     Polkit no longer has the user of uid 0 (root) as an admin identity.


     

       

       
231

       
+

       
     We now follow the upstream default of only having every member of the wheel


     

       

       
232

       
+

       
     group admin privileged. Before it was root and members of wheel.


     

       

       
233

       
+

       
     The positive outcome of this is pkexec GUI popups or terminal prompts


     

       

       
234

       
+

       
     will no longer require the user to choose between two essentially equivalent


     

       

       
235

       
+

       
     choices (whether to perform the action as themselves with wheel permissions, or as the root user).


     

       

       
236

       
+

       
    </para>


     

       

       
237

       
+

       
   </listitem>


     

       
228

       
238

       
 

       
  </itemizedlist>


     

       
229

       
239

       
 

       
 </section>


     

       
230

       
240
+2 -3
nixos/modules/security/polkit.nix 
···

       
42

       
42

       
 

       



     

       
43

       
43

       
 

       
    security.polkit.adminIdentities = mkOption {


     

       
44

       
44

       
 

       
      type = types.listOf types.str;


     

       
45

       

       
-

       
      default = [ "unix-user:0" "unix-group:wheel" ];


     

       

       
45

       
+

       
      default = [ "unix-group:wheel" ];


     

       
46

       
46

       
 

       
      example = [ "unix-user:alice" "unix-group:admin" ];


     

       
47

       
47

       
 

       
      description =


     

       
48

       
48

       
 

       
        ''


     

       
49

       
49

       
 

       
          Specifies which users are considered “administrators”, for those


     

       
50

       
50

       
 

       
          actions that require the user to authenticate as an


     

       
51

       
51

       
 

       
          administrator (i.e. have an <literal>auth_admin</literal>


     

       
52

       

       
-

       
          value).  By default, this is the <literal>root</literal>


     

       
53

       

       
-

       
          user and all users in the <literal>wheel</literal> group.


     

       

       
52

       
+

       
          value).  By default, this is all users in the <literal>wheel</literal> group.


     

       
54

       
53

       
 

       
        '';


     

       
55

       
54

       
 

       
    };


     

       
56

       
55