Ubuntu – polkit: disable all users except those in group wheel

permissionspolicykit

Is it possible to do the following using 1 polkit .pkla file?

Disable all users except those in the wheel group from using polkit.
The users in the wheel group will need to provide the root password when using polkit.

/etc/polkit-1/localauthority/50-local.d/99-wheel-only.pkla

[disable all users except the wheel group]
Identity=unix-group:wheel
Action=*
ResultAny=???
ResultInactive=???
ResultActive=???

The following file works but you need to provide all the users in /etc/group:

[disable all users except those in the wheel group: root and myuser]
Identity=unix-user:daemon;unix-user:bin;unix-user:sys;unix-user:adm;unix-user:tty;unix-user:disk;unix-user:lp;unix-user:mail;unix-user:news;unix-user:uucp;unix-user:man;unix-user:proxy;unix-user:kmem;unix-user:dialout;unix-user:fax;unix-user:voice;unix-user:cdrom;unix-user:floppy;unix-user:tape;unix-user:sudo;unix-user:audio;unix-user:dip;unix-user:www-data;unix-user:backup;unix-user:operator;unix-user:list;unix-user:irc;unix-user:src;unix-user:gnats;unix-user:shadow;unix-user:utmp;unix-user:video;unix-user:sasl;unix-user:plugdev;unix-user:staff;unix-user:games;unix-user:users;unix-user:nogroup;unix-user:libuuid;unix-user:crontab;unix-user:messagebus;unix-user:Debian-exim;unix-user:mlocate;unix-user:avahi;unix-user:netdev;unix-user:bluetooth;unix-user:lpadmin;unix-user:ssl-cert;unix-user:fuse;unix-user:utempter;unix-user:Debian-gdm;unix-user:scanner;unix-user:saned;unix-user:i2c;unix-user:haldaemon;unix-user:powerdev
Action=*
ResultAny=no
ResultInactive=no
ResultActive=no

Best Answer

I would try the following .pkla

[First disable all users]
Identity=unix-user:*
Action=*
ResultActive=no
ResultInactive=no
ResultAny=no

[Then enable wheel group]
Identity=unix-group:wheel
Action=*
ResultActive=auth_admin
ResultInactive=no
ResultAny=no

in conjunction with a modification of the AdminIdentities, configured in a file under /etc/polkit-1/localauthority.conf.d/.
I have the following two files

50-localauthority.conf

[Configuration]
AdminIdentities=unix-user:0

and

51-ubuntu-admin.conf

[Configuration]
AdminIdentities=unix-group:sudo;unix-group:admin

The second one override the first, and force to use sudo (and the old admin) group. Remove the second file and you are leaved with a root password request.

Related Solutions

Ubuntu – Allow user to upgrade installed packages

Another option might be to just turn on unattended upgrades, then the users won't even see the prompts:

How do I enable automatic updates?

Ubuntu – How to let Polkit request root password instead users password

This behavior is controlled by PolicyKit's LocalAuthority configuration. From the ADMINISTRATOR AUTHENTICATION section of man pklocalauthority:

   By default, "administrator authentication" is defined as asking for the
   root password. Since some systems, for usability reasons, don't have a
   root password and instead rely on a group of users being member of an
   administrative group that gives them super-user privileges, the Local
   Authority can be configured to support this use-case as well.

   Configuration for the Local Authority is read from files in the
   /etc/polkit-1/localauthority.conf.d directory. All files are read in
   lexigraphical order (using the C locale) meaning that later files can
   override earlier ones. The file 50-localauthority.conf contains the
   settings provided by the OS vendor. Users and 3rd party packages can
   drop configuration files with a priority higher than 60 to change the
   defaults.

At least in my (18.04) Ubuntu system, the two relevant files are 50-localauthority.conf and 51-ubuntu-admin.conf:

$ head /etc/polkit-1/localauthority.conf.d/*
==> /etc/polkit-1/localauthority.conf.d/50-localauthority.conf <==
# Configuration file for the PolicyKit Local Authority.
#
# DO NOT EDIT THIS FILE, it will be overwritten on update.
#
# See the pklocalauthority(8) man page for more information
# about configuring the Local Authority.
#

[Configuration]
AdminIdentities=unix-user:0

==> /etc/polkit-1/localauthority.conf.d/51-ubuntu-admin.conf <==
[Configuration]
AdminIdentities=unix-group:sudo;unix-group:admin

So, in order to revert to the PolicyKit default, which uses AdminIdentities=unix-user:0 (i.e. root) instead of the Ubuntu default AdminIdentities=unix-group:sudo;unix-group:admin (i.e. members of sudo and/or admin groups), it's sufficient to either rename the 51-ubuntu-admin.conf file so that it is loaded earlier or not at all - for example

sudo mv /etc/polkit-1/localauthority.conf.d/51-ubuntu-admin.conf{,.ignore}

or comment out the AdminIdentities entry therein. The former option is perhaps cleaner and more maintainable.