This page is a work in progress. <> == Matrix == || '''Privilege''' || '''Enforced with''' || '''Default rights''' || || Access external storage devices || File permissions || Desktop User, Administrator account types || || Access internal storage devices || File permissions || Administrator account type || || Administer the system || File permissions || Administrator account type (w/password) || || Use sudo to administer the system || File permissions || Administrator account type (w/password) || || Configure printers || File permissions || Administrator account type || || Connect to the Internet using a modem || File permissions || Administrator account type || || Connect to wireless and ethernet networks || File permissions || || || Monitor system logs || File permissions || Desktop User, Administrator account types || || Mount user-space filesystems (FUSE) || File permissions || Desktop User, Administrator account types || || Send and receive faxes || File permissions || Desktop User, Administrator account types || || Share files with the local network || File permissions || Administrator account type || || Use audio devices || File permissions || || || Use CD-ROM drives || File permissions || Desktop User, Administrator account types || || Use floppy drives || File permissions || Desktop User, Administrator account types || || Use modems || File permissions || Desktop User, Administrator account types || || Use tape drives || File permissions || Desktop User, Administrator account types || || Use video devices || File permissions || Desktop User, Administrator account types || || Use Bluetooth devices || D-Bus permissions || Users at the console || || Use libvirt virtualization solution || File permissions || Administrator account type || || Use VirtualBox virtualization solution || File permissions || || || Use Checkbox || D-Bus permissions || Users at the console || || Communicate with HAL (deprecated?) || D-Bus permissions || Users at the console || || Use Network Manager || D-Bus permissions || Users at the console || || Check for new printers || D-Bus permissions || Users at the console || || Install new software || GKSu authentication || Administrator account type (w/password) || || Install security updates || GKSu authentication || Administrator account type (w/password) || || Install software updates || GKSu authentication || Administrator account type (w/password) || || Change CPU frequency scaling || PolicyKit || Administrator account type || || Change the system clock || PolicyKit || Administrator account type || || Install a plug-in into a HP printer || PolicyKit || Administrator account type || || Get information about local device drivers || PolicyKit || Any user || || Check for newly available drivers for, and used drivers on this system || PolicyKit || Any user || || Query local and remote driver databases for updated drivers for the system || PolicyKit || Any user || || Install or remove device drivers || PolicyKit || Administrator account type (w/password) || || Get current global proxy || PolicyKit || Any user || || Set current global proxy || PolicyKit || Administrator account type (w/password) || || Set current global proxy exception || PolicyKit || Administrator account type (w/password) || || Set current global keyboard || PolicyKit || Administrator account type (w/password) || || Get current global keyboard || PolicyKit || Any user || || Check if the package system is locked || PolicyKit || Any user || || Install the bootloader || PolicyKit || Any user (w/password) || || Format the device || PolicyKit || Any user (w/password) || || Image the device || PolicyKit || Any user (w/password) || || Mount a device || PolicyKit || Any user (w/password) || 0. In a default Desktop installation, the first user on the system is considered an administrator, and as of Ubuntu 10.04 LTS is a member of the following groups: ```adm, dialout, cdrom, plugdev, lpadmin, admin, sambashare``` == Access external storage devices == This right is gained by adding the user to the "plugdev" group. Users in the "plugdev" group can send commands to HAL (this is probably deprecated). (Ref.: /etc/dbus-1/system.d/hal.conf) TODO: See what else "plugdev" can do, and how it restricts access to the storage devices. == Access internal storage devices == This right is gained by adding the user to the "admin" group. Users in the "admin" group can access internal storage devices. (Ref.: /var/lib/polkit-1/localauthority/10-vendor.d/com.ubuntu.desktop.pkla) == Administer the system == This right is gained by adding the user to the "admin" group. Users in the "admin" group can use sudo to gain administrative privileges after supplying their password. (Ref.: /etc/sudoers) The "admin" group is configured to be the PolicyKit "administrator authentication" group. (Ref.: /etc/polkit-1/localauthority.conf.d/51-ubuntu-admin.conf) == Use sudo to administer the system == This right is gained by adding the user to the "admin" group. Users in the "admin" group can use sudo to gain administrative privileges after supplying their password. (Ref.: /etc/sudoers) Beginning with Ubuntu 10.04 LTS, this right can also be granted by adding the user to the "sudo" group for compatibility reasons with Debian. == Configure printers == This right is gained by adding the user to the "lpadmin" group. Cups contains a setting called "SystemGroup" in the /etc/cusp/cupsd.conf that specifies who is allowed to manage printers. By default, it is set to "lpadmin". == Connect to the Internet using a modem == This right is gained by adding the user to the "dip" group. The "dip" group can launch pppd and access ppp configuration files in /etc. == Connect to wireless and ethernet networks == This right is gained by adding the user to the "netdev" group. On Debian, the "netdev" group gains access to using Network Manager. On Ubuntu, Network Manager access rights are gained by being at the system console, so the name of this entry in gnome-system-tools is misleading. The "netdev" group can administer wicd and wpasupplicant. The "netdev" group can set the avahi host name using DBus. The "netdev" group can administer Bluetooth devices. == Monitor system logs == This right is gained by adding the user to the "adm" group. The "adm" group has access to most of the log files in /var/log, although a lot of them are readable by everyone. == Mount user-space filesystems (FUSE) == This right is gained by adding the user to the "fuse" group. The "fuse" group can access the /dev/fuse device, but so can everyone else. The "fuse" group can read the /etc/fuse.conf file. TODO: See how the "fuse" group gains access to mount FUSE filesystems. (Is this enforced?) == Send and receive faxes == This right is gained by adding the user to the "fax" group. == Share files with the local network == This right is gained by adding the user to the "sambashare" group. The "sambashare" group can access the /var/lib/samba/usershares directory. == Use audio devices == This right is gained by adding the user to the "audio" group. TODO: The "audio" group owns some of the audio devices in /dev, but it's unclear what rights this gains. == Use CD-ROM drives == This right is gained by adding the user to the "cdrom" group. The "cdrom" group owns the CD-ROM devices in /dev. TODO: It appears the devices also have extended attributes. Investigate. == Use floppy drives == This right is gained by adding the user to the "floppy" group. == Use modems == This right is gained by adding the user to the "dialout" group. The "dialout" group owns the /dev/ttyS* devices and can read the /etc/wvdial.conf file. == Use tape drives == This right is gained by adding the user to the "tape" group. == Use video devices == This right is gained by adding the user to the "video" group. The "video" group can access /dev/fb0. == Use Bluetooth devices == All users at the console can talk to Bluetooth devices using DBus. (Ref.: /etc/dbus-1/system.d/bluetooth.conf) == Use libvirt virtualization solution == All users can connect to the unprivileged libvirt ```session```. Allowing connections to the privileged libvirt ```system``` is gained by adding the user to the "libvirtd" group. Users in the "admin" group are automatically added to this group on package installation. == Use VirtualBox virtualization solution == This right is gained by adding the user to the "vboxusers" group. == Use Checkbox == All users at the console can talk to the Checkbox backend using DBus. (Ref.: /etc/dbus-1/system.d/com.ubuntu.checkbox.conf) == Communicate with HAL (deprecated?) == All users at the console can communicate with the HAL daemon using DBus. Is this deprecated? (Ref.: /etc/dbus-1/system.d/hal.conf) == Use Network Manager == All users at the console can manage Ethernet, wireless and 3G networks using Network Manager via DBus. (Ref.: /etc/dbus-1/system.d/NetworkManager.conf, /etc/dbus-1/system.d/nm-applet.conf) == Check for new printers == All users at the console can check for new printers by communicating with hplip using DBus. (Ref.: /etc/dbus-1/system.d/newprinternotification.conf) == Install new software == This right is gained by adding the user to the "admin" group. The user must type in his password before installing new software. TODO: detail how software installing works for the different front-ends. == Install security updates == This right is gained by adding the user to the "admin" group. The user must type in his password before installing security updates. TODO: detail how security update installation works for the different front-ends. == Install software updates == This right is gained by adding the user to the "admin" group. The user must type in his password before installing software updates. TODO: detail how software update installing works for the different front-ends. == Change CPU frequency scaling == This right is gained by adding the user to the "admin" group. (Ref.: /var/lib/polkit-1/localauthority/10-vendor.d/com.ubuntu.desktop.pkla) == Change the system clock == This right is gained by adding the user to the "admin" group. (Ref.: /var/lib/polkit-1/localauthority/10-vendor.d/com.ubuntu.desktop.pkla) == Install a plug-in into a HP printer == This right is gained by adding the user to the "admin" group. (Ref.: /usr/share/polkit-1/actions/com.hp.hplip.policy) == Get information about local device drivers == This right is allowed by default to all users without authentication. (Ref: /usr/share/polkit-1/actions/com.ubuntu.devicedriver.policy) == Check for newly available drivers for, and used drivers on this system == This right is allowed by default to all users without authentication. (Ref: /usr/share/polkit-1/actions/com.ubuntu.devicedriver.policy) == Query local and remote driver databases for updated drivers for the system == This right is allowed by default to all users without authentication. (Ref: /usr/share/polkit-1/actions/com.ubuntu.devicedriver.policy) == Install or remove device drivers == This right is gained by adding the user to the "admin" group. The user must type in his password. (Ref: /usr/share/polkit-1/actions/com.ubuntu.devicedriver.policy) == Get current global proxy == This right is allowed by default to all users without authentication. (Ref: /usr/share/polkit-1/actions/com.ubuntu.systemservice.policy) == Set current global proxy == This right is gained by adding the user to the "admin" group. The user must type in his password. (Ref: /usr/share/polkit-1/actions/com.ubuntu.systemservice.policy) == Set current global proxy exception == This right is gained by adding the user to the "admin" group. The user must type in his password. (Ref: /usr/share/polkit-1/actions/com.ubuntu.systemservice.policy) == Set current global keyboard == This right is gained by adding the user to the "admin" group. The user must type in his password. (Ref: /usr/share/polkit-1/actions/com.ubuntu.systemservice.policy) == Get current global keyboard == This right is allowed by default to all users without authentication. (Ref: /usr/share/polkit-1/actions/com.ubuntu.systemservice.policy) == Check if the package system is locked == This right is allowed by default to all users without authentication. (Ref: /usr/share/polkit-1/actions/com.ubuntu.systemservice.policy) == Install the bootloader == This right is allowed by default to all users after typing in their password. (Ref: /usr/share/polkit-1/actions/com.ubuntu.usbcreator.policy) == Format the device == This right is allowed by default to all users after typing in their password. (Ref: /usr/share/polkit-1/actions/com.ubuntu.usbcreator.policy) == Image the device == This right is allowed by default to all users after typing in their password. (Ref: /usr/share/polkit-1/actions/com.ubuntu.usbcreator.policy) == Mount a device == This right is allowed by default to all users after typing in their password. (Ref: /usr/share/polkit-1/actions/com.ubuntu.usbcreator.policy)