Privileges
This page is a work in progress.
Contents
- Matrix
- Access external storage devices
- Access internal storage devices
- Administer the system
- Use sudo to administer the system
- Configure printers
- Connect to the Internet using a modem
- Connect to wireless and ethernet networks
- Monitor system logs
- Mount user-space filesystems (FUSE)
- Send and receive faxes
- Share files with the local network
- Use audio devices
- Use CD-ROM drives
- Use floppy drives
- Use modems
- Use tape drives
- Use video devices
- Use Bluetooth devices
- Use libvirt virtualization solution
- Use VirtualBox virtualization solution
- Use Checkbox
- Communicate with HAL (deprecated?)
- Use Network Manager
- Check for new printers
- Install new software
- Install security updates
- Install software updates
- Change CPU frequency scaling
- Change the system clock
- Install a plug-in into a HP printer
- Get information about local device drivers
- Check for newly available drivers for, and used drivers on this system
- Query local and remote driver databases for updated drivers for the system
- Install or remove device drivers
- Get current global proxy
- Set current global proxy
- Set current global proxy exception
- Set current global keyboard
- Get current global keyboard
- Check if the package system is locked
- Install the bootloader
- Format the device
- Image the device
- Mount a device
Matrix
Privilege |
Enforced with |
Default rights |
Access external storage devices |
File permissions |
Desktop User, Administrator account types |
Access internal storage devices |
File permissions |
Administrator account type |
Administer the system |
File permissions |
Administrator account type (w/password) |
Use sudo to administer the system |
File permissions |
Administrator account type (w/password) |
Configure printers |
File permissions |
Administrator account type |
Connect to the Internet using a modem |
File permissions |
Administrator account type |
Connect to wireless and ethernet networks |
File permissions |
|
Monitor system logs |
File permissions |
Desktop User, Administrator account types |
Mount user-space filesystems (FUSE) |
File permissions |
Desktop User, Administrator account types |
Send and receive faxes |
File permissions |
Desktop User, Administrator account types |
Share files with the local network |
File permissions |
Administrator account type |
Use audio devices |
File permissions |
|
Use CD-ROM drives |
File permissions |
Desktop User, Administrator account types |
Use floppy drives |
File permissions |
Desktop User, Administrator account types |
Use modems |
File permissions |
Desktop User, Administrator account types |
Use tape drives |
File permissions |
Desktop User, Administrator account types |
Use video devices |
File permissions |
Desktop User, Administrator account types |
Use Bluetooth devices |
D-Bus permissions |
Users at the console |
Use libvirt virtualization solution |
File permissions |
Administrator account type |
Use VirtualBox virtualization solution |
File permissions |
|
Use Checkbox |
D-Bus permissions |
Users at the console |
Communicate with HAL (deprecated?) |
D-Bus permissions |
Users at the console |
Use Network Manager |
D-Bus permissions |
Users at the console |
Check for new printers |
D-Bus permissions |
Users at the console |
Install new software |
GKSu authentication |
Administrator account type (w/password) |
Install security updates |
GKSu authentication |
Administrator account type (w/password) |
Install software updates |
GKSu authentication |
Administrator account type (w/password) |
Change CPU frequency scaling |
Administrator account type |
|
Change the system clock |
Administrator account type |
|
Install a plug-in into a HP printer |
Administrator account type |
|
Get information about local device drivers |
Any user |
|
Check for newly available drivers for, and used drivers on this system |
Any user |
|
Query local and remote driver databases for updated drivers for the system |
Any user |
|
Install or remove device drivers |
Administrator account type (w/password) |
|
Get current global proxy |
Any user |
|
Set current global proxy |
Administrator account type (w/password) |
|
Set current global proxy exception |
Administrator account type (w/password) |
|
Set current global keyboard |
Administrator account type (w/password) |
|
Get current global keyboard |
Any user |
|
Check if the package system is locked |
Any user |
|
Install the bootloader |
Any user (w/password) |
|
Format the device |
Any user (w/password) |
|
Image the device |
Any user (w/password) |
|
Mount a device |
Any user (w/password) |
In a default Desktop installation, the first user on the system is considered an administrator, and as of Ubuntu 10.04 LTS is a member of the following groups: adm, dialout, cdrom, plugdev, lpadmin, admin, sambashare
Access external storage devices
This right is gained by adding the user to the "plugdev" group.
Users in the "plugdev" group can send commands to HAL (this is probably deprecated). (Ref.: /etc/dbus-1/system.d/hal.conf)
TODO: See what else "plugdev" can do, and how it restricts access to the storage devices.
Access internal storage devices
This right is gained by adding the user to the "admin" group.
Users in the "admin" group can access internal storage devices. (Ref.: /var/lib/polkit-1/localauthority/10-vendor.d/com.ubuntu.desktop.pkla)
Administer the system
This right is gained by adding the user to the "admin" group.
Users in the "admin" group can use sudo to gain administrative privileges after supplying their password. (Ref.: /etc/sudoers)
The "admin" group is configured to be the PolicyKit "administrator authentication" group. (Ref.: /etc/polkit-1/localauthority.conf.d/51-ubuntu-admin.conf)
Use sudo to administer the system
This right is gained by adding the user to the "admin" group.
Users in the "admin" group can use sudo to gain administrative privileges after supplying their password. (Ref.: /etc/sudoers)
Beginning with Ubuntu 10.04 LTS, this right can also be granted by adding the user to the "sudo" group for compatibility reasons with Debian.
Configure printers
This right is gained by adding the user to the "lpadmin" group.
Cups contains a setting called "SystemGroup" in the /etc/cusp/cupsd.conf that specifies who is allowed to manage printers. By default, it is set to "lpadmin".
Connect to the Internet using a modem
This right is gained by adding the user to the "dip" group.
The "dip" group can launch pppd and access ppp configuration files in /etc.
Connect to wireless and ethernet networks
This right is gained by adding the user to the "netdev" group.
On Debian, the "netdev" group gains access to using Network Manager. On Ubuntu, Network Manager access rights are gained by being at the system console, so the name of this entry in gnome-system-tools is misleading.
The "netdev" group can administer wicd and wpasupplicant.
The "netdev" group can set the avahi host name using DBus.
The "netdev" group can administer Bluetooth devices.
Monitor system logs
This right is gained by adding the user to the "adm" group.
The "adm" group has access to most of the log files in /var/log, although a lot of them are readable by everyone.
Mount user-space filesystems (FUSE)
This right is gained by adding the user to the "fuse" group.
The "fuse" group can access the /dev/fuse device, but so can everyone else.
The "fuse" group can read the /etc/fuse.conf file.
TODO: See how the "fuse" group gains access to mount FUSE filesystems. (Is this enforced?)
Send and receive faxes
This right is gained by adding the user to the "fax" group.
Share files with the local network
This right is gained by adding the user to the "sambashare" group.
The "sambashare" group can access the /var/lib/samba/usershares directory.
Use audio devices
This right is gained by adding the user to the "audio" group.
TODO: The "audio" group owns some of the audio devices in /dev, but it's unclear what rights this gains.
Use CD-ROM drives
This right is gained by adding the user to the "cdrom" group.
The "cdrom" group owns the CD-ROM devices in /dev.
TODO: It appears the devices also have extended attributes. Investigate.
Use floppy drives
This right is gained by adding the user to the "floppy" group.
Use modems
This right is gained by adding the user to the "dialout" group.
The "dialout" group owns the /dev/ttyS* devices and can read the /etc/wvdial.conf file.
Use tape drives
This right is gained by adding the user to the "tape" group.
Use video devices
This right is gained by adding the user to the "video" group.
The "video" group can access /dev/fb0.
Use Bluetooth devices
All users at the console can talk to Bluetooth devices using DBus. (Ref.: /etc/dbus-1/system.d/bluetooth.conf)
Use libvirt virtualization solution
All users can connect to the unprivileged libvirt session. Allowing connections to the privileged libvirt system is gained by adding the user to the "libvirtd" group. Users in the "admin" group are automatically added to this group on package installation.
Use VirtualBox virtualization solution
This right is gained by adding the user to the "vboxusers" group.
Use Checkbox
All users at the console can talk to the Checkbox backend using DBus. (Ref.: /etc/dbus-1/system.d/com.ubuntu.checkbox.conf)
Communicate with HAL (deprecated?)
All users at the console can communicate with the HAL daemon using DBus. Is this deprecated? (Ref.: /etc/dbus-1/system.d/hal.conf)
Use Network Manager
All users at the console can manage Ethernet, wireless and 3G networks using Network Manager via DBus. (Ref.: /etc/dbus-1/system.d/NetworkManager.conf, /etc/dbus-1/system.d/nm-applet.conf)
Check for new printers
All users at the console can check for new printers by communicating with hplip using DBus. (Ref.: /etc/dbus-1/system.d/newprinternotification.conf)
Install new software
This right is gained by adding the user to the "admin" group.
The user must type in his password before installing new software.
TODO: detail how software installing works for the different front-ends.
Install security updates
This right is gained by adding the user to the "admin" group.
The user must type in his password before installing security updates.
TODO: detail how security update installation works for the different front-ends.
Install software updates
This right is gained by adding the user to the "admin" group.
The user must type in his password before installing software updates.
TODO: detail how software update installing works for the different front-ends.
Change CPU frequency scaling
This right is gained by adding the user to the "admin" group. (Ref.: /var/lib/polkit-1/localauthority/10-vendor.d/com.ubuntu.desktop.pkla)
Change the system clock
This right is gained by adding the user to the "admin" group. (Ref.: /var/lib/polkit-1/localauthority/10-vendor.d/com.ubuntu.desktop.pkla)
Install a plug-in into a HP printer
This right is gained by adding the user to the "admin" group. (Ref.: /usr/share/polkit-1/actions/com.hp.hplip.policy)
Get information about local device drivers
This right is allowed by default to all users without authentication. (Ref: /usr/share/polkit-1/actions/com.ubuntu.devicedriver.policy)
Check for newly available drivers for, and used drivers on this system
This right is allowed by default to all users without authentication. (Ref: /usr/share/polkit-1/actions/com.ubuntu.devicedriver.policy)
Query local and remote driver databases for updated drivers for the system
This right is allowed by default to all users without authentication. (Ref: /usr/share/polkit-1/actions/com.ubuntu.devicedriver.policy)
Install or remove device drivers
This right is gained by adding the user to the "admin" group. The user must type in his password. (Ref: /usr/share/polkit-1/actions/com.ubuntu.devicedriver.policy)
Get current global proxy
This right is allowed by default to all users without authentication. (Ref: /usr/share/polkit-1/actions/com.ubuntu.systemservice.policy)
Set current global proxy
This right is gained by adding the user to the "admin" group. The user must type in his password. (Ref: /usr/share/polkit-1/actions/com.ubuntu.systemservice.policy)
Set current global proxy exception
This right is gained by adding the user to the "admin" group. The user must type in his password. (Ref: /usr/share/polkit-1/actions/com.ubuntu.systemservice.policy)
Set current global keyboard
This right is gained by adding the user to the "admin" group. The user must type in his password. (Ref: /usr/share/polkit-1/actions/com.ubuntu.systemservice.policy)
Get current global keyboard
This right is allowed by default to all users without authentication. (Ref: /usr/share/polkit-1/actions/com.ubuntu.systemservice.policy)
Check if the package system is locked
This right is allowed by default to all users without authentication. (Ref: /usr/share/polkit-1/actions/com.ubuntu.systemservice.policy)
Install the bootloader
This right is allowed by default to all users after typing in their password. (Ref: /usr/share/polkit-1/actions/com.ubuntu.usbcreator.policy)
Format the device
This right is allowed by default to all users after typing in their password. (Ref: /usr/share/polkit-1/actions/com.ubuntu.usbcreator.policy)
Image the device
This right is allowed by default to all users after typing in their password. (Ref: /usr/share/polkit-1/actions/com.ubuntu.usbcreator.policy)
Mount a device
This right is allowed by default to all users after typing in their password. (Ref: /usr/share/polkit-1/actions/com.ubuntu.usbcreator.policy)
Security/Privileges (last edited 2010-05-05 13:56:34 by modemcable144)