Merge pull request #75343 from worldofpeace/polkit-no-root-admin

nixos/polkit: remove root from adminIdentities
2019-12-10 20:24:23 -05:00 · 2019-12-10 20:24:23 -05:00 · 50295a1201
commit 50295a1201
parent 63f66812bd efc1c027ad
2 changed files with 12 additions and 3 deletions
--- a/nixos/doc/manual/release-notes/rl-2003.xml
+++ b/nixos/doc/manual/release-notes/rl-2003.xml
@ -225,6 +225,16 @@
     The fourStore and fourStoreEndpoint modules have been removed.
    </para>
   </listitem>
+   <listitem>
+    <para>
+     Polkit no longer has the user of uid 0 (root) as an admin identity.
+     We now follow the upstream default of only having every member of the wheel
+     group admin privileged. Before it was root and members of wheel.
+     The positive outcome of this is pkexec GUI popups or terminal prompts
+     will no longer require the user to choose between two essentially equivalent
+     choices (whether to perform the action as themselves with wheel permissions, or as the root user).
+    </para>
+   </listitem>
  </itemizedlist>
 </section>

--- a/nixos/modules/security/polkit.nix
+++ b/nixos/modules/security/polkit.nix
@ -42,15 +42,14 @@ in

    security.polkit.adminIdentities = mkOption {
      type = types.listOf types.str;
-      default = [ "unix-user:0" "unix-group:wheel" ];
+      default = [ "unix-group:wheel" ];
      example = [ "unix-user:alice" "unix-group:admin" ];
      description =
        ''
          Specifies which users are considered “administrators”, for those
          actions that require the user to authenticate as an
          administrator (i.e. have an <literal>auth_admin</literal>
-          value).  By default, this is the <literal>root</literal>
-          user and all users in the <literal>wheel</literal> group.
+          value).  By default, this is all users in the <literal>wheel</literal> group.
        '';
    };