Is the "polkituser" group safe to add users to?

[Kaboosh]

I've noticed the user management tool adds users to "polkituser" by default but I've found this warning at http://cgit.freedesktop.org/PolicyKit/blob/?id=307df96aecc089d2c055d703334b4a21b9796ddc not to do this because it allows them to execute /usr/lib/polkit-grant-helper:

4754 root:polkituser /usr/libexec/polkit-grant-helper-pam-1

This one is setuid root because checking authentications might need
require that (you may be checking the root password). The reason
polkit-grant-helper-pam is is owned by group 'polkituser' is to ensure
that random users can't execute it; only setgid 'polkituser' programs
can do this. Which polkit-grant-helper is.

... I'm not a policykit expert but does anyone know if this is safe or not?  Should I be removing untrusted users from the group?

[melodie]

Hi,

If you have untrusted users, I think you can safely remove them from the group (As root : "gpasswd -d user group", or use PCC). In fact, you could remove them from all groups, exept their own. Or you can create a different group for untrusted users, such as just "users" for example.

Now policykit and polkit are complicated stuff to study and use. Add to this we still use policykit, whereas the development team has left it for polkit with new commands. I think all was more simple before, when we had just groups and ACL to deal with authorisations. But we can't stay in the paste, can we ?

For more you may want to read the polycikit doc from the developers ? http://hal.freedesktop.org/docs/PolicyKit