authorRichard Hughes <richard@hughsie.com>2009-07-15 10:22:02 +0100
committerRichard Hughes <richard@hughsie.com>2009-07-15 10:22:02 +0100
commita2610210a1dd0a207b8090cc5ceea93ac50c4d85 (patch)
tree66db4e1e2d76e0d71c71a6c6f5d7b3e9310c85a8 /policy
parent3999deb4a72798f4feba10046e0197d0492b615a (diff)
Add some rationale to the chosen PolicyKit policy decisions
Diffstat (limited to 'policy')
-rw-r--r--policy/org.freedesktop.packagekit.policy.in63
1 files changed, 63 insertions, 0 deletions
diff --git a/policy/org.freedesktop.packagekit.policy.in b/policy/org.freedesktop.packagekit.policy.in
index c683de73c..e7d000b47 100644
--- a/policy/org.freedesktop.packagekit.policy.in
+++ b/policy/org.freedesktop.packagekit.policy.in
@@ -14,6 +14,11 @@
<icon_name>package-x-generic</icon_name>
<action id="org.freedesktop.packagekit.cancel-foreign">
+ <!-- SECURITY:
+ - Normal users are allowed to cancel their own task without
+ authentication, but a different user id needs the admin password
+ to cancel another users task.
+ -->
<_description>Cancel foreign task</_description>
<_message>Authentication is required to cancel a task that was not started by yourself</_message>
<icon_name>package-x-generic</icon_name>
@@ -25,6 +30,12 @@
</action>
<action id="org.freedesktop.packagekit.package-install">
+ <!-- SECURITY:
+ - Normal users do not need authentication to install signed packages
+ from signed repositories, as this cannot exploit a system.
+ - Paranoid users (or parents!) can change this to 'auth_admin' or
+ 'auth_admin_keep'.
+ -->
<_description>Install signed package</_description>
<_message>Authentication is required to install a signed package</_message>
<icon_name>package-x-generic</icon_name>
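Review bot: The rationale in the package-install comment, `as this cannot exploit a system`, overstates the guarantee: a valid signature only proves the package came from a key this system already trusts, and that trust decision is exactly what the system-trust-signing-key comment later in this patch says is gated behind admin authentication. I would tie the two together instead of claiming the action is harmless, e.g. `- Normal users do not need authentication to install signed packages from signed repositories: the trust decision was already made (with admin authentication) when the repository signing key was accepted.` The system-update hunk avoids this problem by saying only that `the packages will be signed`, so aligning the wording here keeps the two rationales consistent. The enclosing `<action>` element closes outside the hunk.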
@@ -36,6 +47,12 @@
</action>
<action id="org.freedesktop.packagekit.package-install-untrusted">
+ <!-- SECURITY:
+ - Normal users require admin authentication to install untrusted or
+ unrecognised packages, as allowing users to do this without a
+ password would be a massive security hole.
+ - This is not retained as each package should be authenticated.
+ -->
<_description>Install untrusted local file</_description>
<_message>Authentication is required to install an untrusted package</_message>
<icon_name>package-x-generic</icon_name>
@@ -47,6 +64,12 @@
</action>
<action id="org.freedesktop.packagekit.system-trust-signing-key">
+ <!-- SECURITY:
+ - Normal users require admin authentication to add signing keys.
+ - This implies adding an explicit trust, and should not be granted
+ without a secure authentication.
+ - This is not kept as each package should be authenticated.
+ -->
<_description>Trust a key used for signing packages</_description>
<_message>Authentication is required to consider a key used for signing packages as trusted</_message>
<icon_name>package-x-generic</icon_name>
@@ -58,6 +81,12 @@
</action>
<action id="org.freedesktop.packagekit.package-eula-accept">
+ <!-- SECURITY:
+ - Normal users do not require admin authentication to accept new
+ licence agreements.
+ - Change this to 'auth_admin' for environments where users should not
+ be given the option to make legal decisions.
+ -->
<_description>Accept EULA</_description>
<_message>Authentication is required to accept a EULA</_message>
<icon_name>package-x-generic</icon_name>
@@ -69,6 +98,15 @@
</action>
<action id="org.freedesktop.packagekit.package-remove">
+ <!-- SECURITY:
+ - Normal users require admin authentication to remove packages as
+ this can make the system unbootable or stop other applications from
+ working.
+ - Be sure to close the tool used to remove the packages after the
+ admin authentication has been obtained, otherwise packages can still
+ be removed. If this is not possible, change this authentication to
+ 'auth_admin'.
+ -->
<_description>Remove package</_description>
<_message>Authentication is required to remove packages</_message>
<icon_name>package-x-generic</icon_name>
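Review bot: The package-remove comment describes authentication being retained after it is obtained (`otherwise packages can still be removed`) and offers `'auth_admin'` as the stricter alternative, but never names the setting this rationale is explaining, so the advice is not self-contained for an administrator reading only the comment. The `<defaults>` block it refers to is outside the hunk, so I cannot confirm the value from here; if it is the retained variant, stating it explicitly would help, e.g. `- The default is 'auth_admin_keep', so be sure to close the tool used to remove the packages after the admin authentication has been obtained, otherwise packages can still be removed.` The untrusted-install and signing-key comments already spell out their retention choice with `This is not retained`/`This is not kept`, so this would match their style.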
@@ -80,6 +118,13 @@
</action>
<action id="org.freedesktop.packagekit.system-update">
+ <!-- SECURITY:
+ - Normal users do not require admin authentication to update the
+ system as the packages will be signed, and the action is required
+ to update the system when unattended.
+ - Changing this to anything other than 'yes' will break unattended
+ updates.
+ -->
<_description>Update packages</_description>
<_message>Authentication is required to update packages</_message>
<icon_name>package-x-generic</icon_name>
@@ -91,6 +136,11 @@
</action>
<action id="org.freedesktop.packagekit.system-rollback">
+ <!-- SECURITY:
+ - Normal users require admin authentication to rollback system state
+ as this will change a large number of packages, and could expose the
+ system to previously patched security vulnerabilities.
+ -->
<_description>Rollback to a previous transaction</_description>
<_message>Authentication is required to rollback a transaction</_message>
<icon_name>package-x-generic</icon_name>
@@ -102,6 +152,11 @@
</action>
<action id="org.freedesktop.packagekit.system-sources-configure">
+ <!-- SECURITY:
+ - Normal users require admin authentication to enable or disable
+ software sources as this can be used to enable new updates or
+ install different versions of software.
+ -->
<_description>Change software source parameters</_description>
<_message>Authentication is required to change software source parameters</_message>
<icon_name>package-x-generic</icon_name>
@@ -113,6 +168,10 @@
</action>
<action id="org.freedesktop.packagekit.system-sources-refresh">
+ <!-- SECURITY:
+ - Normal users do not require admin authentication to refresh the
+ cache, as this doesn't actually install or remove software.
+ -->
<_description>Refresh system sources</_description>
<_message>Authentication is required to refresh the system sources</_message>
<icon_name>package-x-generic</icon_name>
@@ -124,6 +183,10 @@
</action>
<action id="org.freedesktop.packagekit.system-network-proxy-configure">
+ <!-- SECURITY:
+ - Normal users do not require admin authentication to set the proxy
+ used for downloading packages.
+ -->
<_description>Set network proxy</_description>
<_message>Authentication is required to set the network proxy used for downloading packages</_message>
<icon_name>preferences-system-network-proxy</icon_name>