Make consolehelper more liske sudo?
Havoc Pennington
hp at redhat.com
Thu Mar 3 21:02:57 UTC 2005
On Thu, 2005-03-03 at 15:02 -0500, Matthew Miller wrote:
> On Thu, Mar 03, 2005 at 02:34:51PM -0500, Havoc Pennington wrote:
> > All this "end user desktop" stuff that requires root I consider a bug
> > btw, if you want to file a bugzilla for the individual items that would
> > be helpful. If you get NOTABUG/WONTFIX from someone at Red Hat let me
> > know and I'll tell them they are wrong.
>
> I wouldn't want just anyone to have the ability to run many of the
> system-config apps just because they're sitting at the console, though. What
> do you think about making the UGROUPS=wheel thing the default? (Or some
> other group like "admin"....)
>
> We also patch system-config-users to have an easy checkbox for wheel group
> membership and to display that in a column on the Users tab (right after
> Primary Group).
As David says, sometimes this is sort of complicated. e.g. for
NetworkManager we changed the architecture to be asking for certain
things from the user session, vs. writing out an arbitrary config file.
He's also right that some of the system-config-* aren't desktop oriented
at all (or they at least include a bunch of non-desktop stuff in
addition)
So the fix may not be as simple as changing the pam setup, but it's
still broken right now.
One problem is that if you can run a GTK app as root (anything
equivalent to setgid) then you can probably hack that app and do bad
stuff, http://gtk.org/setuid.html
So it's probably a requirement in all cases that we split out a backend
that runs as root and have the UI separate.
Havoc
More information about the Fedora-desktop-list
mailing list