How to prevent by default any non-wheel (standard) users from using polkit?
  1. #1

    How to prevent by default any non-wheel (standard) users from using polkit?

    Hi.

    I'd like to harden the security of my system (Fedora Linux).
    I want any newly created user account to have, by default, no admin power at all. By that I mean it has no su/sudo/polkit powers & is unable to use any of them.

    Regarding sudo, we have no problem in Fedora because it is always configured in such a way that a newly created user account will not be in the wheel group by default.

    Regarding su, we can manage it as easily as this:
    Code:
    sudo vi /etc/pam.d/su
    then uncomment the following line:
    Code:
    #auth required pam_wheel.so use_uid
    to be:
    Code:
    auth required pam_wheel.so use_uid
    Then save, exit & finally reboot.

    The problem is with polkit, because by default any new user account created on Fedora will be able to use, for example, GNOME center to install new software even if it has neither sudo nor su access … This is a great problem …

    I need to know how I can make Fedora prevent, by default, any newly created user account from being able to use polkit at all (& subsequently block any backend like PackageKit or frontend like GNOME Software that depends on it from using it).

    I'm currently using a non-elegant workaround & searching for an elegant solution. I discovered the following file:

    /etc/pam.d/polkit-1

    It is similar to /etc/pam.d/su, which is used to configure su & block any non-wheel user from using it at all.

    So, could /etc/pam.d/polkit-1 be used in a similar way to block any non-wheel user from using polkit at all? If yes, then what should I add to this file?
    The default output of vi /etc/pam.d/polkit-1 is as follows:

    Code:
    #%PAM-1.0
    
    auth       include      system-auth
    account    include      system-auth
    password   include      system-auth
    session    include      system-auth

    Any help, please?

    I feel that I'm near a solution, but googling the issue does not help me further!
    Last edited by User808; 9th July 2019 at 11:26 AM.
    Fedora 30 X64 bit Cinnamon edition on Lenovo ThinkPad e550 with Intel core i7 5500 CPU @ 2.40 GH X 2, RAM = 8 GB, HHD = 1 TB, Hybrid VGA (Intel Corporation HD Graphic 5500 + Radeon R7 M265 2GB)

  2. #2

    Re: How to prevent by default any non-wheel (standard) users from using polkit?

    Hi again. I found this link on the Internet talking about the same issue:

    https://bbs.archlinux.org/viewtopic.php?id=246975

    The user shares the same security concern about polkit & managed to solve it by adding the following line: auth required pam_wheel.so use_uid to /etc/pam.d/polkit-1, so that it reads as follows:

    Code:
    #%PAM-1.0
    
    auth       required     pam_wheel.so use_uid
    auth       include      system-auth
    account    include      system-auth
    password   include      system-auth
    session    include      system-auth
    Also, he talks about this addition being overridden when the pam package is updated & asks whether that is normal or a bug.

    Can anyone confirm this method, please?

    ---------------
    Note: I noticed that "/etc/pam.d/su-l" on Fedora is different from that on Archlinux! In Fedora there is no "auth required pam_wheel.so use_uid" at all! And here I would ask: how does Fedora then configure sudo to be available only to the wheel group?
    "/etc/pam.d/su" & "/etc/pam.d/polkit-1" are the same on both Fedora & Archlinux, but "/etc/pam.d/su-l" differs! Moreover, I examined "/etc/pam.d/sudo" on Fedora & it is:

    Code:
    #%PAM-1.0
    auth       include      system-auth
    account    include      system-auth
    password   include      system-auth
    session    optional     pam_keyinit.so revoke
    session    required     pam_limits.so
    session    include      system-auth
    Last edited by User808; 9th July 2019 at 06:47 PM.
    Fedora 30 X64 bit Cinnamon edition on Lenovo ThinkPad e550 with Intel core i7 5500 CPU @ 2.40 GH X 2, RAM = 8 GB, HHD = 1 TB, Hybrid VGA (Intel Corporation HD Graphic 5500 + Radeon R7 M265 2GB)
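
A check for the PAM edits discussed in both posts above, added here as an example and not part of the original thread: it parses a PAM service file (such as /etc/pam.d/su or /etc/pam.d/polkit-1) and reports whether an active pam_wheel.so gate sits in the auth stack, which is worth re-running after package updates since the thread notes the edit can be overwritten. It inspects file contents only; the function names, the sample strings and the "risky earlier rule" heuristic are assumptions of this example.

```python
import re

RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam(text):
    """Return active rules as (type, control, module, args) tuples."""
    rules = []
    for raw in text.replace("\\\n", " ").splitlines():   # join continued lines
        m = RULE.match(raw.split("#", 1)[0].strip())      # drop comments
        if m:
            mtype, control, module, args = m.groups()
            rules.append((mtype, control, module.rsplit("/", 1)[-1], args.split()))
    return rules

def wheel_gate(text):
    """Classify the auth stack's use of pam_wheel.so.

    'enforced': required/requisite, no 'deny', nothing risky before it.
    'late':     present, but an earlier 'sufficient' or 'include' rule
                (other than pam_rootok.so) may finish the stack first.
    'missing':  no active pam_wheel.so gate (absent or commented out).
    """
    risky_before = False
    for mtype, control, module, args in parse_pam(text):
        if mtype != "auth":
            continue
        if (module == "pam_wheel.so" and control in ("required", "requisite")
                and "deny" not in args):
            return "late" if risky_before else "enforced"
        if control in ("sufficient", "include") and module != "pam_rootok.so":
            risky_before = True   # heuristic assumed by this example
    return "missing"

# Constructed samples modelled on the files quoted in the thread.
POLKIT_DEFAULT = """#%PAM-1.0

auth       include      system-auth
account    include      system-auth
"""
POLKIT_WHEEL_FIRST = ("#%PAM-1.0\n\nauth required pam_wheel.so use_uid\n"
                      "auth include system-auth\naccount include system-auth\n")
POLKIT_WHEEL_LAST = "auth include system-auth\nauth required pam_wheel.so use_uid\n"
SU_COMMENTED = "auth sufficient pam_rootok.so\n#auth required pam_wheel.so use_uid\n"

if __name__ == "__main__":
    for name in ("POLKIT_DEFAULT", "POLKIT_WHEEL_FIRST", "POLKIT_WHEEL_LAST", "SU_COMMENTED"):
        print(f"{name}: {wheel_gate(globals()[name])}")
```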
