Privileges

This page is a work in progress.

Matrix

| Privilege | Enforced with | Default rights |
|---|---|---|
| Access external storage devices | File permissions | Desktop User, Administrator account types |
| Access internal storage devices | File permissions | Administrator account type |
| Administer the system | File permissions | Administrator account type (w/password) |
| Use sudo to administer the system | File permissions | Administrator account type (w/password) |
| Configure printers | File permissions | Administrator account type |
| Connect to the Internet using a modem | File permissions | Administrator account type |
| Connect to wireless and ethernet networks | File permissions | |
| Monitor system logs | File permissions | Desktop User, Administrator account types |
| Mount user-space filesystems (FUSE) | File permissions | Desktop User, Administrator account types |
| Send and receive faxes | File permissions | Desktop User, Administrator account types |
| Share files with the local network | File permissions | Administrator account type |
| Use audio devices | File permissions | |
| Use CD-ROM drives | File permissions | Desktop User, Administrator account types |
| Use floppy drives | File permissions | Desktop User, Administrator account types |
| Use modems | File permissions | Desktop User, Administrator account types |
| Use tape drives | File permissions | Desktop User, Administrator account types |
| Use video devices | File permissions | Desktop User, Administrator account types |
| Use Bluetooth devices | D-Bus permissions | Users at the console |
| Use libvirt virtualization solution | File permissions | Administrator account type |
| Use VirtualBox virtualization solution | File permissions | |
| Use Checkbox | D-Bus permissions | Users at the console |
| Communicate with HAL (deprecated?) | D-Bus permissions | Users at the console |
| Use Network Manager | D-Bus permissions | Users at the console |
| Check for new printers | D-Bus permissions | Users at the console |
| Install new software | GKSu authentication | Administrator account type (w/password) |
| Install security updates | GKSu authentication | Administrator account type (w/password) |
| Install software updates | GKSu authentication | Administrator account type (w/password) |
| Change CPU frequency scaling | PolicyKit | Administrator account type |
| Change the system clock | PolicyKit | Administrator account type |
| Install a plug-in into a HP printer | PolicyKit | Administrator account type |
| Get information about local device drivers | PolicyKit | Any user |
| Check for newly available drivers for, and used drivers on this system | PolicyKit | Any user |
| Query local and remote driver databases for updated drivers for the system | PolicyKit | Any user |
| Install or remove device drivers | PolicyKit | Administrator account type (w/password) |
| Get current global proxy | PolicyKit | Any user |
| Set current global proxy | PolicyKit | Administrator account type (w/password) |
| Set current global proxy exception | PolicyKit | Administrator account type (w/password) |
| Set current global keyboard | PolicyKit | Administrator account type (w/password) |
| Get current global keyboard | PolicyKit | Any user |
| Check if the package system is locked | PolicyKit | Any user |
| Install the bootloader | PolicyKit | Any user (w/password) |
| Format the device | PolicyKit | Any user (w/password) |
| Image the device | PolicyKit | Any user (w/password) |
| Mount a device | PolicyKit | Any user (w/password) |

  1. In a default Desktop installation, the first user on the system is considered an administrator, and as of Ubuntu 10.04 LTS is a member of the following groups: adm, dialout, cdrom, plugdev, lpadmin, admin, sambashare

Access external storage devices

This right is gained by adding the user to the "plugdev" group.

Users in the "plugdev" group can send commands to HAL (this is probably deprecated). (Ref.: /etc/dbus-1/system.d/hal.conf)

TODO: See what else "plugdev" can do, and how it restricts access to the storage devices.

Access internal storage devices

This right is gained by adding the user to the "admin" group.

Users in the "admin" group can access internal storage devices. (Ref.: /var/lib/polkit-1/localauthority/10-vendor.d/com.ubuntu.desktop.pkla)

Administer the system

This right is gained by adding the user to the "admin" group.

Users in the "admin" group can use sudo to gain administrative privileges after supplying their password. (Ref.: /etc/sudoers)

The "admin" group is configured to be the PolicyKit "administrator authentication" group. (Ref.: /etc/polkit-1/localauthority.conf.d/51-ubuntu-admin.conf)

Use sudo to administer the system

This right is gained by adding the user to the "admin" group.

Users in the "admin" group can use sudo to gain administrative privileges after supplying their password. (Ref.: /etc/sudoers)

Beginning with Ubuntu 10.04 LTS, this right can also be granted by adding the user to the "sudo" group, for compatibility with Debian.

Configure printers

This right is gained by adding the user to the "lpadmin" group.

CUPS has a setting called "SystemGroup" in /etc/cups/cupsd.conf that specifies who is allowed to manage printers. By default, it is set to "lpadmin".

Connect to the Internet using a modem

This right is gained by adding the user to the "dip" group.

The "dip" group can launch pppd and access ppp configuration files in /etc.

Connect to wireless and ethernet networks

This right is gained by adding the user to the "netdev" group.

On Debian, the "netdev" group gains access to Network Manager. On Ubuntu, Network Manager access rights are gained by being at the system console, so the name of this entry in gnome-system-tools is misleading.

The "netdev" group can administer wicd and wpasupplicant.

The "netdev" group can set the avahi host name using DBus.

The "netdev" group can administer Bluetooth devices.

Monitor system logs

This right is gained by adding the user to the "adm" group.

The "adm" group has access to most of the log files in /var/log, although a lot of them are readable by everyone.

Mount user-space filesystems (FUSE)

This right is gained by adding the user to the "fuse" group.

The "fuse" group can access the /dev/fuse device, but so can everyone else.

The "fuse" group can read the /etc/fuse.conf file.

TODO: See how the "fuse" group gains access to mount FUSE filesystems. (Is this enforced?)

Send and receive faxes

This right is gained by adding the user to the "fax" group.

Share files with the local network

This right is gained by adding the user to the "sambashare" group.

The "sambashare" group can access the /var/lib/samba/usershares directory.

Use audio devices

This right is gained by adding the user to the "audio" group.

TODO: The "audio" group owns some of the audio devices in /dev, but it's unclear what rights this gains.

Use CD-ROM drives

This right is gained by adding the user to the "cdrom" group.

The "cdrom" group owns the CD-ROM devices in /dev.

TODO: It appears the devices also have extended attributes. Investigate.

Use floppy drives

This right is gained by adding the user to the "floppy" group.

Use modems

This right is gained by adding the user to the "dialout" group.

The "dialout" group owns the /dev/ttyS* devices and can read the /etc/wvdial.conf file.

Use tape drives

This right is gained by adding the user to the "tape" group.

Use video devices

This right is gained by adding the user to the "video" group.

The "video" group can access /dev/fb0.

Use Bluetooth devices

All users at the console can talk to Bluetooth devices using DBus. (Ref.: /etc/dbus-1/system.d/bluetooth.conf)

Use libvirt virtualization solution

All users can connect to the unprivileged libvirt session. The right to connect to the privileged libvirt system is gained by adding the user to the "libvirtd" group. Users in the "admin" group are automatically added to this group on package installation.

Use VirtualBox virtualization solution

This right is gained by adding the user to the "vboxusers" group.

Use Checkbox

All users at the console can talk to the Checkbox backend using DBus. (Ref.: /etc/dbus-1/system.d/com.ubuntu.checkbox.conf)

Communicate with HAL (deprecated?)

All users at the console can communicate with the HAL daemon using DBus. Is this deprecated? (Ref.: /etc/dbus-1/system.d/hal.conf)

Use Network Manager

All users at the console can manage Ethernet, wireless and 3G networks using Network Manager via DBus. (Ref.: /etc/dbus-1/system.d/NetworkManager.conf, /etc/dbus-1/system.d/nm-applet.conf)

Check for new printers

All users at the console can check for new printers by communicating with hplip using DBus. (Ref.: /etc/dbus-1/system.d/newprinternotification.conf)

Install new software

This right is gained by adding the user to the "admin" group.

The user must type in his password before installing new software.

TODO: detail how software installing works for the different front-ends.

Install security updates

This right is gained by adding the user to the "admin" group.

The user must type in his password before installing security updates.

TODO: detail how security update installation works for the different front-ends.

Install software updates

This right is gained by adding the user to the "admin" group.

The user must type in his password before installing software updates.

TODO: detail how software update installing works for the different front-ends.

Change CPU frequency scaling

This right is gained by adding the user to the "admin" group. (Ref.: /var/lib/polkit-1/localauthority/10-vendor.d/com.ubuntu.desktop.pkla)

Change the system clock

This right is gained by adding the user to the "admin" group. (Ref.: /var/lib/polkit-1/localauthority/10-vendor.d/com.ubuntu.desktop.pkla)

Install a plug-in into a HP printer

This right is gained by adding the user to the "admin" group. (Ref.: /usr/share/polkit-1/actions/com.hp.hplip.policy)

Get information about local device drivers

This right is allowed by default to all users without authentication. (Ref: /usr/share/polkit-1/actions/com.ubuntu.devicedriver.policy)

Check for newly available drivers for, and used drivers on this system

This right is allowed by default to all users without authentication. (Ref: /usr/share/polkit-1/actions/com.ubuntu.devicedriver.policy)

Query local and remote driver databases for updated drivers for the system

This right is allowed by default to all users without authentication. (Ref: /usr/share/polkit-1/actions/com.ubuntu.devicedriver.policy)

Install or remove device drivers

This right is gained by adding the user to the "admin" group. The user must type in his password. (Ref: /usr/share/polkit-1/actions/com.ubuntu.devicedriver.policy)

Get current global proxy

This right is allowed by default to all users without authentication. (Ref: /usr/share/polkit-1/actions/com.ubuntu.systemservice.policy)

Set current global proxy

This right is gained by adding the user to the "admin" group. The user must type in his password. (Ref: /usr/share/polkit-1/actions/com.ubuntu.systemservice.policy)

Set current global proxy exception

This right is gained by adding the user to the "admin" group. The user must type in his password. (Ref: /usr/share/polkit-1/actions/com.ubuntu.systemservice.policy)

Set current global keyboard

This right is gained by adding the user to the "admin" group. The user must type in his password. (Ref: /usr/share/polkit-1/actions/com.ubuntu.systemservice.policy)

Get current global keyboard

This right is allowed by default to all users without authentication. (Ref: /usr/share/polkit-1/actions/com.ubuntu.systemservice.policy)

Check if the package system is locked

This right is allowed by default to all users without authentication. (Ref: /usr/share/polkit-1/actions/com.ubuntu.systemservice.policy)

Install the bootloader

This right is allowed by default to all users after typing in their password. (Ref: /usr/share/polkit-1/actions/com.ubuntu.usbcreator.policy)

Format the device

This right is allowed by default to all users after typing in their password. (Ref: /usr/share/polkit-1/actions/com.ubuntu.usbcreator.policy)

Image the device

This right is allowed by default to all users after typing in their password. (Ref: /usr/share/polkit-1/actions/com.ubuntu.usbcreator.policy)

Mount a device

This right is allowed by default to all users after typing in their password. (Ref: /usr/share/polkit-1/actions/com.ubuntu.usbcreator.policy)
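An audit of the group-based rights described above, as an added example that is not part of the original page: it resolves each account's groups from passwd and group data, counting the primary gid as well as the member lists, and reports which of this page's rights the account holds and whether it is in a group the page says may use sudo. The mapping covers the default first-user groups plus "sudo"; the sample file contents and function names are constructed for illustration.

```python
# Added example. Group-to-right mapping copied from this page; the passwd
# and group contents below are constructed sample data, not a real system.
GROUP_RIGHTS = {
    "admin": "Administer the system",
    "sudo": "Use sudo to administer the system",
    "adm": "Monitor system logs",
    "dialout": "Use modems",
    "cdrom": "Use CD-ROM drives",
    "plugdev": "Access external storage devices",
    "lpadmin": "Configure printers",
    "sambashare": "Share files with the local network",
}
SUDO_GROUPS = {"admin", "sudo"}  # groups this page says may use sudo

SAMPLE_PASSWD = """alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
svc:x:1002:119::/home/svc:/bin/sh"""
SAMPLE_GROUP = """adm:x:4:alice
plugdev:x:46:alice,bob
admin:x:119:alice
alice:x:1000:
bob:x:1001:"""

def records(text, width):
    """Split colon-separated lines, skipping blanks, comments and short rows."""
    rows = (l.strip().split(":") for l in text.splitlines() if l.strip())
    return [r for r in rows if len(r) >= width and not r[0].startswith("#")]

def memberships(passwd_text, group_text):
    """Return {user: groups}, counting the primary gid as well as member lists."""
    groups = records(group_text, 4)
    gid_to_name = {g[2]: g[0] for g in groups}
    users = {p[0]: {gid_to_name[p[3]]} if p[3] in gid_to_name else set()
             for p in records(passwd_text, 4)}
    for name, _, _, members in (g[:4] for g in groups):
        for member in filter(None, members.split(",")):
            users.setdefault(member, set()).add(name)
    return users

def audit(passwd_text, group_text):
    """Return {user: (sorted rights from this page, may_use_sudo)}."""
    return {user: (sorted(GROUP_RIGHTS[g] for g in groups if g in GROUP_RIGHTS),
                   bool(groups & SUDO_GROUPS))
            for user, groups in memberships(passwd_text, group_text).items()}

if __name__ == "__main__":
    for user, (rights, sudo) in sorted(audit(SAMPLE_PASSWD, SAMPLE_GROUP).items()):
        print(f"{user}: sudo={sudo} rights={rights}")
```

In the sample, "svc" never appears in the member list of "admin" but has it as its primary group, which is the case a check of the group file's member column alone would miss.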

Security/Privileges (last edited 2010-05-05 13:56:34 by mdeslaur)