Initial draft of privilege escalation policy

Matthias Clasen mclasen at
Wed Jan 20 18:20:27 UTC 2010

On Wed, 2010-01-20 at 10:06 -0800, Adam Williamson wrote:

> It's just not been implemented yet. PolicyKit certainly allows for this
> level of flexibility, though, and the desktop team plan to use it, as
> Matthias says. An 'administrators' group will be defined which can do
> quite a lot of the things that are restricted by this policy, and you'll
> be able to add user accounts to it. Those users will be able to perform
> those actions either with no additional authorization or by
> authenticating as themselves (rather than root). This isn't at all
> implemented yet, though, even in Rawhide.

It is largely implemented, actually, even in F12. To see it in action,
install polkit-desktop-policy, which adds two Unix groups and associates
policykit policies with it. Then join one of the groups to make the
policies apply to yourself. The group names are desktop_admin_r and

The one reason why we've held off on pushing this further is that we are
lacking the user account tool that lets use nicely manage these
groups/profiles. For that, see

More information about the test mailing list