Execute as Root GUI Admin Interfaces

Dan Williams dcbw at redhat.com
Thu Aug 10 20:48:56 UTC 2006 

On Thu, 2006-08-10 at 13:41 -0500, Rick Stuart wrote:
> Originally: Re: Fedora usability : a new project? (Rick Stuart) 
> > From: Rahul <sundaram at redhat.com>
> > 

Bringing davidz into the discussion if he hasn't been tracking
fedora-desktop-list at all...

David, look below :)

Dan

> > Rick Stuart wrote:
> >   
> > > I welcome this idea!  I have asked many folks about what they like and 
> > > dis like about Linux and I only get prejudiced statements.  If you sit 
> > > someone ( a familiar and comfortable user of Windows) in front of your 
> > > pride and joy 64-bit Fedora Core 5 install and invite them to try it 
> > > out, they will fail to see any value.  If you help them find their way 
> > > to stuff, they will certainly hit a brick wall that you have to fix by 
> > > opening a terminal window, and then it's all over.
> > > 
> > > Here are a couple of suggestions:
> > > 
> > > Provide an option to configure users with sufficient privileges so that 
> > > they can enter their OWN password for administrative access instead of 
> > > ROOT's.  ( /usr/bin/system-config-* linked to "consolehelper" )  For a 
> > > good model, check out UBUNTU......sorry about your toes.  Something like 
> > > /etc/consolehelpers a-la /etc/sudoers.
> > >     
> > 
> > That isnt really a good model.
> > 
> > https://www.redhat.com/archives/fedora-extras-list/2006-July/msg00814.htm
> >   
> > From: David Nielsen <david at lovesunix.net>
> > 
> >   
> > 
> > PolicyKit should provide this functionality the right way. I don't know
> > if we have an ETA on this being useful but I would rather wait for a
> > proper fix than use priviliage escalation that can introduce problems
> > like horrid security . having to audit half a million lines of GTK+ code
> > because it now runs as root and any slight bug could take down the
> > system is my very definition of not funny.
> > 
> >   
> PolicyKit looks interesting based on the discussions Rahul included.
> Correct me if I got it wrong, but would PolicyKit allow an
> administrator to set people up so they can do certain things as
> administrators (like mounting a disk) ?  It looked like the user gets
> no challenge for authorization if they are set up to be able to do
> that.  I actually think that is a problem.  I think that when someone
> is executing with root privileges, they should be aware of it and
> consider whether they meant to do that.  That is why I suggested a
> [SUDO]consolehelper.  I am assuming that Rahul was referring to that
> as being a bad model.   I agree that giving everyone this ability like
> UBUNTU does it is a problem.  However, I do not agree that setting
> policies for a user and not reminding him/her what their action
> implies is any better.
> 
> In our corporate Windows world, we can set domain policies and local
> policies that give people more administrative rights.  We then invest
> much more support time trying to unravel what they accidentally did
> because they had elevated privileges and got no warnings when they
> mis-stepped.  Our Linux desktops have very few such problems even
> though we have a fairly large number of "sudoers" who can do root
> level tasks, but have to do so intentionally.  These sudoers don't
> need or want the root password, but they can do their jobs without
> problems as long as they know the CLI commands to do it.  We have
> started reducing Windows users default admin rights and force them to
> intentionally (and temporarily) elevate themselves to do admin tasks.
> The biggest problem is the fact that they have to log out and in to
> get the elevated rights on Windows.
> 
> Note also that MicroSoft has started popping up a lot more warnings
> asking people if they REALLY want to install the Trojan binary.
> People hate it, but what can you do?
> 
> I realize this may fit better in a security discussion, but I consider
> it a basic usability issue so I am throwing it out here.
> 
> Thanks,
> 
> Rick
> -- 
> Fedora-desktop-list mailing list
> Fedora-desktop-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-desktop-list

More information about the Fedora-desktop-list mailing list