Update polkit rules to allow sudo users to change wifi config #196

Open
wants to merge 1 commit into
base: main
2 changes: 1 addition & 1 deletion ubo_app/system/bootstrap.py
Expand Up @@ -175,7 +175,7 @@ def configure_fan() -> None:

def setup_polkit() -> None:
"""Create the polkit rules file."""
with Path('/etc/polkit-1/rules.d/50-ubo.rules').open('w') as file:
with Path('/etc/polkit-1/rules.d/10-ubo.rules').open('w') as file:
file.write(
Path(__file__)
.parent.joinpath('polkit.rules')
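Review bot: the renamed path on the `open('w')` line writes `10-ubo.rules`, but nothing removes a previously installed `/etc/polkit-1/rules.d/50-ubo.rules`, so an upgraded device keeps both files and the old rule stays active. Consider unlinking the old path in `setup_polkit()`, for example `Path('/etc/polkit-1/rules.d/50-ubo.rules').unlink(missing_ok=True)`. The docstring should also say why the `10-` prefix is needed: polkit evaluates rule files in lexical order and the first rule that returns a result wins, so this file now takes precedence over rules that sort after it.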
25 changes: 17 additions & 8 deletions ubo_app/system/polkit.rules
@@ -1,10 +1,19 @@
polkit.addRule(function(action, subject) {
if ((action.id == "org.freedesktop.login1.reboot" ||
action.id == "org.freedesktop.login1.reboot-multiple-sessions" ||
action.id == "org.freedesktop.login1.power-off" ||
action.id == "org.freedesktop.login1.power-off-multiple-sessions" ||
action.id.startsWith("org.freedesktop.NetworkManager.")) &&
subject.user == "{{USERNAME}}") {
return polkit.Result.YES;
if (subject.user == "{{USERNAME}}") {
// Special handling for settings.modify.system when user is in sudo group
if (action.id == "org.freedesktop.NetworkManager.settings.modify.system" &&
subject.isInGroup("sudo")) {
// Ensure we explicitly grant this permission regardless of local/active status
return polkit.Result.YES;
}
// All other NetworkManager and login1 actions
if (action.id == "org.freedesktop.login1.reboot" ||
action.id == "org.freedesktop.login1.reboot-multiple-sessions" ||
action.id == "org.freedesktop.login1.power-off" ||
action.id == "org.freedesktop.login1.power-off-multiple-sessions" ||
action.id.indexOf("org.freedesktop.NetworkManager.") == 0) {
return polkit.Result.YES;
}
}
});
return polkit.Result.NOT_HANDLED;
});
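Review bot: the `settings.modify.system` branch with `subject.isInGroup("sudo")` has no effect, because the prefix test `action.id.indexOf("org.freedesktop.NetworkManager.") == 0` a few lines below returns `polkit.Result.YES` for that same action and the same `subject.user` whether or not the user is in `sudo`. Either drop the special case, or take NetworkManager out of the blanket branch and list the specific action ids that are needed, so the group check actually gates something. Both branches also sit inside `subject.user == "{{USERNAME}}"`, so the rule still covers one templated user rather than sudo users in general as the title says. The comment about granting "regardless of local/active status" should explain why remote or inactive sessions are meant to be allowed.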
10 changes: 10 additions & 0 deletions ubo_app/system/system_manager/scripts/set_account.sh
Expand Up @@ -39,6 +39,16 @@ fi
echo "${USERNAME}:${PASSWORD}" | chpasswd
printf "${USERNAME}:${PASSWORD}"

# TODO: Create a seperate script to adding user to sudo group
# and allowing passwordless sudo. Call this script with explict user action
# exposed via the UI.

# Add the user to the sudo group
usermod -aG sudo $USERNAME
Collaborator


This script runs for all users, not necessarily the ubo user, when they are created or when their password is being reset in the users menu.
Is this intended?


# Allow the user to run sudo without a password
echo "${USERNAME} ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/${USERNAME}

# Allow password authentication
sed -i 's/PasswordAuthentication no/PasswordAuthentication yes/g' /etc/ssh/sshd_config
systemctl restart ssh
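Review bot: the lines added after the TODO run unconditionally, so whatever `USERNAME` the script is called with is added to `sudo` and given `NOPASSWD:ALL`, and SSH password authentication is switched on for the whole host. That is exactly what the TODO says belongs in a separate script behind an explicit user action, so I would move these lines out of `set_account.sh` in this PR rather than defer it. If they stay: quote the variable (`usermod -aG sudo "$USERNAME"` and `"/etc/sudoers.d/${USERNAME}"`), set the sudoers file mode to 0440, and validate it with `visudo -cf` before leaving it in place. Note too that the `sed` only rewrites a literal `PasswordAuthentication no` line, so a commented-out or absent directive is left unchanged while `ssh` is restarted regardless.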