author | Richard Hughes <richard@hughsie.com> | 2009-07-15 10:22:02 +0100 |
committer | Richard Hughes <richard@hughsie.com> | 2009-07-15 10:22:02 +0100 |
commit | a2610210a1dd0a207b8090cc5ceea93ac50c4d85 (patch) | |
tree | 66db4e1e2d76e0d71c71a6c6f5d7b3e9310c85a8 /policy | |
parent | 3999deb4a72798f4feba10046e0197d0492b615a (diff) |
Add some rationale to the chosen PolicyKit policy decisions
Diffstat (limited to 'policy')
-rw-r--r-- | policy/org.freedesktop.packagekit.policy.in | 63 |
1 files changed, 63 insertions, 0 deletions
diff --git a/policy/org.freedesktop.packagekit.policy.in b/policy/org.freedesktop.packagekit.policy.in
index c683de73c..e7d000b47 100644
--- a/policy/org.freedesktop.packagekit.policy.in
+++ b/policy/org.freedesktop.packagekit.policy.in
@@ -14,6 +14,11 @@
 <icon_name>package-x-generic</icon_name>
 <action id="org.freedesktop.packagekit.cancel-foreign">
+ <!-- SECURITY:
+ - Normal users are allowed to cancel their own task without
+ authentication, but a different user id needs the admin password
+ to cancel another users task.
+ -->
 <_description>Cancel foreign task</_description>
 <_message>Authentication is required to cancel a task that was not started by yourself</_message>
 <icon_name>package-x-generic</icon_name>
@@ -25,6 +30,12 @@
 </action>
 <action id="org.freedesktop.packagekit.package-install">
+ <!-- SECURITY:
+ - Normal users do not need authentication to install signed packages
+ from signed repositories, as this cannot exploit a system.
+ - Paranoid users (or parents!) can change this to 'auth_admin' or
+ 'auth_admin_keep'.
+ -->
 <_description>Install signed package</_description>
 <_message>Authentication is required to install a signed package</_message>
 <icon_name>package-x-generic</icon_name>
@@ -36,6 +47,12 @@
 </action>
 <action id="org.freedesktop.packagekit.package-install-untrusted">
+ <!-- SECURITY:
+ - Normal users require admin authentication to install untrusted or
+ unrecognised packages, as allowing users to do this without a
+ password would be a massive security hole.
+ - This is not retained as each package should be authenticated.
+ -->
 <_description>Install untrusted local file</_description>
 <_message>Authentication is required to install an untrusted package</_message>
 <icon_name>package-x-generic</icon_name>
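Review bot: In the cancel-foreign hunk, and in every other hunk of this commit, the new `<!-- SECURITY: -->` comment sits above `<_description>` while the `<allow_active>` value it justifies lives in the `<defaults>` block outside the hunk, so a later edit to a default can silently contradict the rationale next to it. Placing each comment directly above `<defaults>`, or closing it with the value it documents (e.g. `- Default: allow_active=auth_admin`, matching whatever the block actually sets), keeps the decision and its reason together. The phrase "needs the admin password" is also narrower than what `auth_admin` means to PolicyKit, which accepts whatever credential the local authority treats as administrative; `needs admin authentication` would be accurate.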
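Review bot: The package-install comment's "as this cannot exploit a system" overstates what a signature gives: a signed package from an enabled repository can still run its installation scripts as root and replace system files, so the signature bounds provenance, not impact. Suggest `from signed repositories, as such packages come from sources the administrator has already chosen to trust` so the rationale names the real trust assumption. Whether a user can widen that set of sources is governed by system-sources-configure, which this commit documents as requiring admin authentication, and the two comments should read as a pair.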
@@ -47,6 +64,12 @@
 </action>
 <action id="org.freedesktop.packagekit.system-trust-signing-key">
+ <!-- SECURITY:
+ - Normal users require admin authentication to add signing keys.
+ - This implies adding an explicit trust, and should not be granted
+ without a secure authentication.
+ - This is not kept as each package should be authenticated.
+ -->
 <_description>Trust a key used for signing packages</_description>
 <_message>Authentication is required to consider a key used for signing packages as trusted</_message>
 <icon_name>package-x-generic</icon_name>
@@ -58,6 +81,12 @@
 </action>
 <action id="org.freedesktop.packagekit.package-eula-accept">
+ <!-- SECURITY:
+ - Normal users do not require admin authentication to accept new
+ licence agreements.
+ - Change this to 'auth_admin' for environments where users should not
+ be given the option to make legal decisions.
+ -->
 <_description>Accept EULA</_description>
 <_message>Authentication is required to accept a EULA</_message>
 <icon_name>package-x-generic</icon_name>
@@ -69,6 +98,15 @@
 </action>
 <action id="org.freedesktop.packagekit.package-remove">
+ <!-- SECURITY:
+ - Normal users require admin authentication to remove packages as
+ this can make the system unbootable or stop other applications from
+ working.
+ - Be sure to close the tool used to remove the packages after the
+ admin authentication has been obtained, otherwise packages can still
+ be removed. If this is not possible, change this authentication to
+ 'auth_admin'.
+ -->
 <_description>Remove package</_description>
 <_message>Authentication is required to remove packages</_message>
 <icon_name>package-x-generic</icon_name>
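Review bot: The package-remove comment describes a retained authorization only as end-user advice ("Be sure to close the tool…"), which nobody reading a policy file can act on, and the default it implies (presumably `auth_admin_keep`) is in the `<defaults>` block outside the hunk. State the retention as the risk being accepted, e.g. `- The authorization is retained ('auth_admin_keep') so further removals in the same session are not re-prompted; use 'auth_admin' where that window is unacceptable.` The system-trust-signing-key hunk above already documents its choice in that form ("This is not kept as each package should be authenticated"), and the two should read consistently.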
@@ -80,6 +118,13 @@
 </action>
 <action id="org.freedesktop.packagekit.system-update">
+ <!-- SECURITY:
+ - Normal users do not require admin authentication to update the
+ system as the packages will be signed, and the action is required
+ to update the system when unattended.
+ - Changing this to anything other than 'yes' will break unattended
+ updates.
+ -->
 <_description>Update packages</_description>
 <_message>Authentication is required to update packages</_message>
 <icon_name>package-x-generic</icon_name>
@@ -91,6 +136,11 @@
 </action>
 <action id="org.freedesktop.packagekit.system-rollback">
+ <!-- SECURITY:
+ - Normal users require admin authentication to rollback system state
+ as this will change a large number of packages, and could expose the
+ system to previously patched security vulnerabilities.
+ -->
 <_description>Rollback to a previous transaction</_description>
 <_message>Authentication is required to rollback a transaction</_message>
 <icon_name>package-x-generic</icon_name>
@@ -102,6 +152,11 @@
 </action>
 <action id="org.freedesktop.packagekit.system-sources-configure">
+ <!-- SECURITY:
+ - Normal users require admin authentication to enable or disable
+ software sources as this can be used to enable new updates or
+ install different versions of software.
+ -->
 <_description>Change software source parameters</_description>
 <_message>Authentication is required to change software source parameters</_message>
 <icon_name>package-x-generic</icon_name>
@@ -113,6 +168,10 @@
 </action>
 <action id="org.freedesktop.packagekit.system-sources-refresh">
+ <!-- SECURITY:
+ - Normal users do not require admin authentication to refresh the
+ cache, as this doesn't actually install or remove software.
+ -->
 <_description>Refresh system sources</_description>
 <_message>Authentication is required to refresh the system sources</_message>
 <icon_name>package-x-generic</icon_name>
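Review bot: The system-update comment rests the `yes` default on "the packages will be signed", but nothing in this policy file enforces that; signature checking belongs to the backend and the repository configuration, and if either admits unsigned updates the rationale no longer holds. Suggest adding `- This assumes the backend rejects unsigned packages; unsigned content must go through package-install-untrusted instead.` (adjusting the action name if the daemon routes such content differently) so the dependency is written down next to the decision. The package-install hunk earlier in this commit rests on the same assumption and could carry the same line.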
@@ -124,6 +183,10 @@
 </action>
 <action id="org.freedesktop.packagekit.system-network-proxy-configure">
+ <!-- SECURITY:
+ - Normal users do not require admin authentication to set the proxy
+ used for downloading packages.
+ -->
 <_description>Set network proxy</_description>
 <_message>Authentication is required to set the network proxy used for downloading packages</_message>
 <icon_name>preferences-system-network-proxy</icon_name> |
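Review bot: The system-network-proxy-configure comment is the only one in this commit that gives no reason for its decision, yet a user-chosen proxy sits in the download path of a daemon that presumably runs as root and fetches on behalf of every user. The reason it is acceptable without authentication should be spelled out, e.g. `- Downloads are still verified against repository signatures, so a hostile proxy can only make downloads fail or serve stale metadata, not inject unsigned packages.` If that verification does not hold for every backend, this default deserves `auth_admin` for the same reason system-sources-configure does.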