Torvalds:requiring root password for mundane things is moronic

David Zeuthen davidz at
Sat Mar 3 19:07:19 UTC 2012


----- Original Message -----
> On Fri, 2012-03-02 at 08:42 -0600, Greg Swift wrote:
> > I experience a similar scenario.  On my home system (f16) I have my
> > wife and both in the wheel group.  Every time I go to run
> > virt-manager
> > I get prompted for her password.  I do believe she is first in the
> > wheel group after root in /etc/group.  However this doesn't make
> > any
> > sense to me.  It makes more sense for users that need that level of
> > access to all know the root password rather than the users to know
> > another user's password.  Even then, if I am in the same group,
> > doesn't it make more since to either prompt for my own password or
> > just allow me?  We know each others password so i've always
> > shrugged
> > it off cause I'm looking at other issues the few times when I am
> > playing with the virtuals at home but since someone brought it
> > up...
> This sounds pretty straightforwardly like a bug probably in
> PolicyKit,
> to me. It's obviously more correct to use the current user's
> authorization if it's sufficient than just to go with the first user
> in
> the admin group in all cases...
> So, file a bug against PolicyKit.

(Ugh, no, please don't tell people to file bugs against polkit
unless you are actually sure it's a polkit problem. In this case
it's not.)

If your complaint is that you can't select what user in the 'wheel'
group to authenticate as when prompted for admin auth, it's a problem
with your authentication agent. With GNOME Shell, the decision was
to never show a dropdown menu (a decision I largely agree with), see

for details. If the problem is that both users are in wheel but you
are asked to authenticate as the user who is not logged in, well,
that's solved in a gnome-shell update, see

and check if that patch is included in whatever version you are using.

If your complaint is that you don't get asked for the root password
but instead of users in the wheel group, then your problem is that
you didn't read the documentation of polkit. Specifically see the
ADMINISTRATOR AUTHENTICATION section of the pklocalauthority(8) man
page, here's a copy

Specifically, you can do this

 # echo -e "[Configuration]\nAdminIdentities=unix-user:0\n" > /etc/polkit-1/localauthority.conf.d/51-force-root-for-admin-auth.conf

to always require the root password when admin auth is needed instead
of using the 'wheel' group (hell, you can even ship this in an RPM
without running into the usual configuration-file conflict crapo).
It's really that simple.

Hope this helps.


More information about the devel mailing list