FS#79231 - [firewalld] Consider adding polkit rule to allow admins to change settings without authenticating

Attached to Project: Arch Linux
Opened by CYQ (cyq) - Friday, 28 July 2023, 09:53 GMT
Last edited by Maxime Gauduin (Alucryd) - Friday, 28 July 2023, 14:13 GMT
Task Type Feature Request
Category Packages: Extra
Status Closed
Assigned To Maxime Gauduin (Alucryd)
Robin Candau (Antiz)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:

In Fedora's `firewalld` package, they've included an additional polkit rule which allows all users in the `wheel` group to change firewalld settings without authenticating with a password. This file is installed under `/usr/share/polkit-1/rules.d`. See https://src.fedoraproject.org/rpms/firewalld/blob/rawhide/f/org.fedoraproject.FirewallD1.desktop.rules.choice

I feel like this is a reasonable rule to include, and it does indeed improve the user experience (especially when using firewalld's GUI). However, I'm also aware of https://dont-ship.it/, which is mostly addressing WIP patches but applies to this somewhat as well. So instead of jumping the gun and claiming that Arch should definitely do what Fedora does, I would like to hear the maintainers' opinion on this first. Do you think it's a good idea to include such a rule?

Closed by Maxime Gauduin (Alucryd)
Friday, 28 July 2023, 14:13 GMT
Reason for closing: Won't implement
Comment by Robin Candau (Antiz) - Friday, 28 July 2023, 11:11 GMT
Regardless of the https://dont-ship.it/ part, creating/modifying/removing firewall rules is (or at least can be) an impactful action that should be done with care. Verifying that users doing this action haven't been impersonated and are aware of what they're doing by asking their password feels like a sane default behavior to me.

Regarding the "user experience" part, `sudo/doas` will only ask for your password once for the first command and won't ask it again until a certain period of inactivity (when using the CLI); and I assume polkit only asks for your password once when opening the GUI, right? (I don't use the GUI myself to be honest). It feels like a big change regarding security for such a little user experience improvement to me.

If anything, I think such `sudo/doas/polkit` permissive rules should be explicitly added by users themselves if desired/needed, in my opinion.

I'd personally vote "no" to introduce this polkit rule by default, but I'll let Alucryd give their thoughts as well :)
Comment by Maxime Gauduin (Alucryd) - Friday, 28 July 2023, 14:12 GMT
We are neither Fedora nor Ubuntu, we stick to upstream for the most part, we don't even start/enable services because we expect users to handle these things. Introducing a security issue for a little added convenience is a step above that and I won't do it. This should at best be mentioned on the wiki, so users who understand the associated risks can add the rule themselves in /etc/polkit-1/rules.d/.
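
For readers who do want to add such a rule themselves, the following is an added example of what a polkit rule in the style of the Fedora file discussed above looks like. It is not Arch's, Fedora's or firewalld's own code. Polkit rules are JavaScript evaluated by polkitd, so the example is written in ES5 (polkitd's mozjs and duktape engines do not guarantee newer syntax) and includes a small stand-in for the `polkit` global so the same file also runs under Node.js for testing. The action id prefix `org.fedoraproject.FirewallD1.` is firewalld's real polkit namespace; the specific action ids, groups and subjects used in the tests are constructed fixtures. Unlike the Fedora rule as described in the report, this version defaults to `AUTH_ADMIN_KEEP` (ask once, then cache the authorization for a few minutes) rather than `YES`, and only applies to users at an active local seat, which is the middle ground Antiz's comment hints at; set `GRANT` to `polkit.Result.YES` for the full no-password behaviour.

```javascript
// Added example, not from the Arch bug report or Fedora's package: a polkit
// rule for firewalld, written in ES5 so it loads under polkitd and also runs
// under Node.js. Under polkitd the `polkit` global already exists; elsewhere
// this shim provides the parts of it that the rule uses.
var polkit = (typeof polkit !== "undefined") ? polkit : {
  Result: {
    YES: "yes",                          // skip authentication entirely
    AUTH_ADMIN_KEEP: "auth_admin_keep",  // prompt once, then cache for a short period
    NOT_HANDLED: "not_handled"           // fall through to the action's own defaults
  },
  addRule: function () {}                // rules are only registered inside polkitd
};

var ACTION_PREFIX = "org.fedoraproject.FirewallD1.";  // firewalld's polkit action namespace
var ADMIN_GROUP = "wheel";

// Fedora-style full bypass would be polkit.Result.YES. AUTH_ADMIN_KEEP still
// asks for the admin password once per short period, which keeps the
// "was this really the admin?" check that the maintainers wanted.
var GRANT = polkit.Result.AUTH_ADMIN_KEEP;

// Decision function shared by polkitd and the tests. Returning undefined means
// "not handled": polkit continues with firewalld's own action defaults
// (normally an admin password prompt).
function firewalldRule(action, subject) {
  if (action.id.indexOf(ACTION_PREFIX) !== 0) {
    return undefined;                    // not a firewalld action: leave it alone
  }
  if (subject.local !== true || subject.active !== true) {
    return undefined;                    // ssh, cron, su sessions etc. still get prompted
  }
  if (!subject.isInGroup(ADMIN_GROUP)) {
    return undefined;                    // not an admin
  }
  return GRANT;
}

polkit.addRule(firewalldRule);

// Constructed fixture: a minimal stand-in for polkit's Subject object.
function makeSubject(groups, local, active) {
  return {
    local: local,
    active: active,
    isInGroup: function (g) { return groups.indexOf(g) !== -1; }
  };
}

// Evaluate the rule for a constructed action id and subject. An unhandled
// result is reported as polkit.Result.NOT_HANDLED so callers see a string.
function decide(actionId, groups, local, active) {
  var r = firewalldRule({ id: actionId }, makeSubject(groups, local, active));
  return r === undefined ? polkit.Result.NOT_HANDLED : r;
}
```

To use it, drop the file into `/etc/polkit-1/rules.d/` with a `.rules` extension (polkit reads rule files from that directory in lexical order, so a name like `10-firewalld-wheel.rules` is conventional). The prefix match is deliberate: it covers every firewalld action, including the ones that rewrite the permanent configuration, which is exactly why the comments above treat a blanket `YES` as a security change rather than a convenience tweak.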
