nixos/cupsd: passwordless admin for wheel with polkit #68218
Conversation
There was a problem hiding this comment.
Looks alright, definitely annoying to do this everytime!
I think almost everyone wants this on, but there may be some cases where you don't. Maybe we need a polkit.passwordlessWheel option or something similar. I bet there are more polkit rules out there for other things as well. Might want to scrape them from some other distro to get more comprehensive
Anyway, this one looks good for now!
Glad we share this 😄 I think it would be in line with the nixos style things for there to be an option for this. Will add.
I did some scraping in vms (opensuse, ubuntu, fedora.) and package sources. I was mostly trying to figure what ubuntu has done to get this because they're most known for it. Couldn't figure it out though, it seems they have separate users for cups with the help of some patches. |
|
Ooh, found the whole rules ubuntu uses
(has a hard time controlling self now 🤣 ) |
| security.polkit.extraConfig = mkIf polkitEnabled '' | ||
| polkit.addRule(function(action, subject) { | ||
| if (action.id == "org.opensuse.cupspkhelper.mechanism.all-edit" && | ||
| subject.isInGroup("wheel")){ |
There was a problem hiding this comment.
Ubuntu's rule uses a special lpadmin group which actually would help the fact that wheel could actually not be an admin identity.
Identity=unix-group:lpadmin;unix-group:admin;unix-group:sudo
Motivation for this change
cc @matthewbauer
Things done
sandboxinnix.confon non-NixOS)nix-shell -p nix-review --run "nix-review wip"./result/bin/)nix path-info -Sbefore and after)Notify maintainers
cc @