Is there any documentation on the scope of Polkit implicit priveleges?

If the title isn’t clear, I’m referring to the entries in /etc/polkit-default-privs.*

Background: I just made some changes to make my laptop a bit more convenient to use, which it now is. It is now, however, probably less secure than it could be for the convenience I want. This is because there were often several entries that looked like they might be the one I wanted in order to achieve a particular goal, and no info to lead me to the right one, so I just ‘yessed’ them all (it’s my personal laptop, I’d never do that to a machine than contained anything sensitive). For example:

[FONT=arial]I have a usb enclosure containing 2 2TB ssd’s configured as a a number of Logical Volumes in Logical Volume Group (it seemed like a good idea at the time). Polkit wants root auth to mount them: I’d rather it didn’t. Which of the following entries in [/FONT][FONT=arial]polkit-default-privs.* [/FONT]is the one I need to copy into [FONT=arial]polkit-default-privs.local [/FONT]and change?

org.freedesktop.udisks.filesystem-mount
org.freedesktop.udisks.filesystem-mount-system-internal
org.freedesktop.udisks2.filesystem-mount-system
org.freedesktop.udisks2.filesystem-mount
org.freedesktop.udisks2.filesystem-mount-other-seat

Is there any documentation to tell me what each does, and more importantly doesn’t, do?

And don’t get me started on the the NetworkManager ones (or the ‘network-manager’ ones). Good grief… :?

(is this the right forum for this?)

This might be useful to you
http://storaged.org/doc/udisks2-api/latest/udisks-polkit-actions.html
https://doc.opensuse.org/documentation/leap/security/html/book.security/cha-security-policykit.html#sec-security-policykit-policies-implicit

Only the udisks2 policies are relevant (as the former udisks implementation has been deprecated for a long time now). For external (USB) storage devices, the pertinent policy is ‘org.freedesktop.udisks2.filesystem-mount’.

OK, thanks.
Pity there’s nothing central covering at least what openSuse puts in by default. What’s in the polkit-default-privs files are simply mnemonics for those intimately familiar with the feature in question. Even though the second link you gave me is excellent for understanding how to make changes, there’s no guidance at all as to what to change, which is disappointing for those of us who choose a free OS so we can truly own our own systems. No criticism of openSuse there, no other project has proper documentation on this either, but the effect of this is that an innovation intended to give a more fine-grained and nuanced privilege control than sudo ends up giving me less control of my system than I used to have after looking at the manpage for the sudoers file.:frowning:

The reality is that polkit is used by a number of sub-systems, so quite complex in terms of policies. However, openSUSE does ship with some default settings (/etc/polkit-default-privs.* where *=easy, standard, or restrictive) that can be invoked by the administrator via YaST > Security and users > Security Center and Hardening.

Thanks, I hadn’t really explored the Yast Module, which means that I’m probably going to play with it until something breaks :slight_smile: