From Fedora Project Wiki

Revision as of 15:37, 30 June 2024 by Boredsquirrel (talk | contribs) (initial version)



Finegrained disk management

This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.

Summary

This proposal adds a new dedicated diskadmin group, allowing users to manage external drives without needing to be in the wheel group.

It will also enable wheel users to unlock and mount external drives without a password prompt.

Owner

  • Name: Henning
  • Email: boredsquirrel@secure.mailbox.org


Current status

  • Targeted release: Fedora Linux 41
  • Last updated: 2024-06-30
  • [Announced]
  • [<will be assigned by the Wrangler> Discussion thread]
  • FESCo issue: <will be assigned by the Wrangler>
  • Tracker bug: <will be assigned by the Wrangler>
  • Release notes tracker: <will be assigned by the Wrangler>

Detailed Description

Currently, to mount or (LUKS) unlock external drives, users need to be in the wheel group. Removing a user from the wheel group would prevent them from using external drives.

This proposal enables an "admin" permission that is not tied to full root access on the host system.

It will be implemented as a change to the polkit rule org.freedesktop.udisks2.rules, like the following:

polkit.addRule(function(action, subject) {
	if ((action.id == "org.freedesktop.udisks2.encrypted-unlock-system" ||
		action.id == "org.freedesktop.udisks2.filesystem-mount-system") &&
		subject.active == true && subject.local == true && (
		subject.isInGroup("diskadmin") || subject.isInGroup("wheel"))) {
		return polkit.Result.YES;
	}
});

Feedback

none yet

Benefit to Fedora

This is a step towards the Confined Users goal. It enables a dedicated action, the mounting and unlocking of external drives, without needing all the other privileges that wheel users have.

Scope

  • Proposal owners: changing a single rule, testing with nonwheel users in the diskadmin group on GNOME and KDE
  • Other developers: N/A
  • Policies and guidelines: Documentation needs to get an additional chapter on disk management with the diskadmin group.
  • Trademark approval: N/A (not needed for this Change)
  • Alignment with the Fedora Strategy: Not sure, as it adds a nonstandard user group.

Upgrade/compatibility impact

The polkit rule will be added; users in these groups will no longer need to enter a password. Nothing changes for users outside these groups.


How To Test

On Atomic or traditional Fedora, place the above rule in /etc/polkit-1/rules.d/80-org.freedesktop.udisks2.rules.

This will be preferred over the default rule and you can test if it works.
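
Before installing the rule, its decisions can be checked offline. The following Node.js harness is an added example, not part of the proposal: it loads the rule unchanged and evaluates it against constructed subjects, confirming that only local, active sessions of diskadmin or wheel members get YES for the two udisks2 actions. The makePolkit stub, the subject shape and the OTHER action id are assumptions that model only what the rule reads; "no decision" means polkit would fall back to other rules and the action's defaults.

```javascript
// Stand-in for the polkit rules engine (assumption, offline testing only).
function makePolkit() {
  const rules = [];
  return {
    Result: { YES: "yes", NO: "no", AUTH_ADMIN: "auth_admin" },
    addRule(fn) { rules.push(fn); },
    // First rule that returns a value decides; undefined means "no decision".
    evaluate(action, subject) {
      for (const rule of rules) {
        const result = rule(action, subject);
        if (result !== undefined && result !== null) return result;
      }
      return undefined;
    },
  };
}
// Constructed subject exposing only the fields the proposed rule reads.
function makeSubject(groups, { active = true, local = true } = {}) {
  return { active, local, isInGroup: (g) => groups.includes(g) };
}
const polkit = makePolkit();

// The rule from the proposal, unchanged.
polkit.addRule(function(action, subject) {
	if ((action.id == "org.freedesktop.udisks2.encrypted-unlock-system" ||
		action.id == "org.freedesktop.udisks2.filesystem-mount-system") &&
		subject.active == true && subject.local == true && (
		subject.isInGroup("diskadmin") || subject.isInGroup("wheel"))) {
		return polkit.Result.YES;
	}
});

const UNLOCK = "org.freedesktop.udisks2.encrypted-unlock-system";
const MOUNT = "org.freedesktop.udisks2.filesystem-mount-system";
const OTHER = "org.example.unrelated-action"; // constructed, not a real action id
function decide(actionId, groups, session) {
  return polkit.evaluate({ id: actionId }, makeSubject(groups, session));
}
// Decision matrix: the intended grants, then the cases that must not be granted.
const matrix = {
  "diskadmin, local+active, mount": decide(MOUNT, ["diskadmin"]),
  "wheel, local+active, unlock": decide(UNLOCK, ["wheel"]),
  "diskadmin, remote session, mount": decide(MOUNT, ["diskadmin"], { local: false }),
  "diskadmin, inactive session, unlock": decide(UNLOCK, ["diskadmin"], { active: false }),
  "neither group, mount": decide(MOUNT, ["users"]),
  "diskadmin, unrelated action": decide(OTHER, ["diskadmin"]),
};
for (const [name, result] of Object.entries(matrix)) {
  console.log(name.padEnd(38), result ?? "no decision");
}
```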

User Experience

By default, Anaconda puts users into the wheel group. These users will not need to enter a password when mounting or unlocking external media.

Users who are not in the wheel group can also perform these actions once they are added to the diskadmin group.

Dependencies

None

Contingency Plan

  • Contingency mechanism: this is a simple fix; if it is not added, the existing wheel requirement stays in place
  • Contingency deadline: N/A (not a System Wide Change)
  • Blocks release? N/A (not a System Wide Change)


Documentation

Will be added afterwards.

Nonwheel users can be added to the diskadmin group:


 sudo groupadd diskadmin
 sudo usermod -aG diskadmin USERNAME


Release Notes

Users in the 'wheel' or 'diskadmin' group can mount and unlock external drives without a password.