Launchpad Entry: Administrators only access to configuration
Packages affected: gchildcare
Only Specific role can change the user Internet filtering. PolicyKit will be used for its efficiency, easy-to-use and common behavior with other GNOME applications. A warning will be shown for sudoers user.
- Policy Kit is integrated to provide administrator permission to be able to change user Internet access configuration and filtering.
Dedicated and recognised people should be able to change parameters for the profile and filtered users. Hiding the menu is not sufficient and a propre security filtering is then needed. Furthermore, people without security knowledge or overall view of the Ubuntu Desktop and user management should be warned that user with administration rights can changed their own value.
The other solution would be to create its own user profile (like firefox does) with its own adminstration password. But this solution would not be well integrated in the desktop environment, making unwanted further configuration ; with dedicated user & password.
Using regular desktop user entrust the *nix way of working: one account for each user.
- Bob wants to prevent his child to change to parameter for hour permission, available sites and so on... He is an administrator on the machine and so, has the right to make the change
Alice's girl want to access to a new site (www.ubuntu.com). The mum knows that this site is safe for her and so, will add the new site to the white list in the associated profile. She doesn't want to switch to her user to add this site and then go to System -> Administration. She directly get there from her girl's profile and activate the "Unlock" button, choosing her user and entering her password. Then, all insensitive field becomes sensitives and she can do the change, and then, close the window, knowing that all changes will be immediate and that her girl will not be able to change the parameter from herself.
- Roger is not aware of the security issue making people sudoers, got used to other operating system's behavior on almost every users are administrators. When he used gchildcare, he get warned that applying Internet filtering to a sudoer's user is inneffective as the user will be able to change its own values afterwards.
- Stacy is completely aware of this security issue and she wants to know immediatly who can be administrator on that host without having to click on each user of the list. A warning board next the user in the list is shown to alert her.
The PolicyKit will be used : an "Unlock" button will be available at the bottom of the screen. Every configuration functionnalities will be insensitive elsewhere.
This enables not switching to another user when a change has to be done, keeping users to put every people administrator and so, breaking the security of the system. Furthermore, a warning is shown to make people aware that a filtered user shouldn't have administrator powers.
A typical use case:
- a child wants its parents to add a new website in the whitelist of trusted site.
- as the child account is not an administrator, he can't change it by itself (security needed)
- she/he call its parents
- the parent doesn't want to switch to a new user to be abled to change it. He/she goes to system/administration/Parental Control GUI and then click on "Unlock".
- A windows show the admin user, he/she choose one with the corresponding password
- Every functionnalities are now available and he/she make want is needed to add a new site to a white list
- He/she close the application or click on lock to be sure that the child can't edit the configuration on its own.
This enforce the role of administrator of the machine and that child don't has to be a sudoers.
Sorry, the capture is with non definitive names in french (the designer wasn't aware that this will be in a specification written in english).
Here is the main window once the "unlock" button has been pressed (this one became unsensitive aftewards)
You can see there the warning message for the "Utilisateurs1" who is a sudoer (and also the warning board in the list)
- Check that non administrator user can't change the values to user and/or profiles
Check the correct integration of PolicyKit
- Step by step:
- Enable the administrator power with policykit
- change some values
- check that values are immediately applied (cf this specification)
- Close the window
- Open it again
- Check that all control are now unsensitive
Still in discussion
- How to prompt the user for sudoers filtered user? The warning text is there, but maybe a prompting window is better when clicking enabling filtering on a user who is a sudoer (but this can be tedious).
- See how to integrate that in a QT environment (is there an equivalent to Policy Kit?)