Execute as Root GUI Admin Interfaces
Dan Williams
dcbw at redhat.com
Thu Aug 10 20:48:56 UTC 2006
On Thu, 2006-08-10 at 13:41 -0500, Rick Stuart wrote:
> Originally: Re: Fedora usability : a new project? (Rick Stuart)
> > From: Rahul <sundaram at redhat.com>
> >
Bringing davidz into the discussion if he hasn't been tracking
fedora-desktop-list at all...
David, look below :)
Dan
> > Rick Stuart wrote:
> >
> > > I welcome this idea! I have asked many folks about what they like and
> > > dislike about Linux and I only get prejudiced statements. If you sit
> > > someone ( a familiar and comfortable user of Windows) in front of your
> > > pride and joy 64-bit Fedora Core 5 install and invite them to try it
> > > out, they will fail to see any value. If you help them find their way
> > > to stuff, they will certainly hit a brick wall that you have to fix by
> > > opening a terminal window, and then it's all over.
> > >
> > > Here are a couple of suggestions:
> > >
> > > Provide an option to configure users with sufficient privileges so that
> > > they can enter their OWN password for administrative access instead of
> > > ROOT's. ( /usr/bin/system-config-* linked to "consolehelper" ) For a
> > > good model, check out UBUNTU......sorry about your toes. Something like
> > > /etc/consolehelpers a-la /etc/sudoers.
> > >
> >
> > That isn't really a good model.
> >
> > https://www.redhat.com/archives/fedora-extras-list/2006-July/msg00814.htm
> >
> > From: David Nielsen <david at lovesunix.net>
> >
> >
> >
> > PolicyKit should provide this functionality the right way. I don't know
> > if we have an ETA on this being useful but I would rather wait for a
> > proper fix than use privilege escalation that can introduce problems
> > like horrid security. Having to audit half a million lines of GTK+ code
> > because it now runs as root and any slight bug could take down the
> > system is my very definition of not funny.
> >
> >
> PolicyKit looks interesting based on the discussions Rahul included.
> Correct me if I got it wrong, but would PolicyKit allow an
> administrator to set people up so they can do certain things as
> administrators (like mounting a disk) ? It looked like the user gets
> no challenge for authorization if they are set up to be able to do
> that. I actually think that is a problem. I think that when someone
> is executing with root privileges, they should be aware of it and
> consider whether they meant to do that. That is why I suggested a
> [SUDO]consolehelper. I am assuming that Rahul was referring to that
> as being a bad model. I agree that giving everyone this ability like
> UBUNTU does it is a problem. However, I do not agree that setting
> policies for a user and not reminding him/her what their action
> implies is any better.
>
> In our corporate Windows world, we can set domain policies and local
> policies that give people more administrative rights. We then invest
> much more support time trying to unravel what they accidentally did
> because they had elevated privileges and got no warnings when they
> mis-stepped. Our Linux desktops have very few such problems even
> though we have a fairly large number of "sudoers" who can do root
> level tasks, but have to do so intentionally. These sudoers don't
> need or want the root password, but they can do their jobs without
> problems as long as they know the CLI commands to do it. We have
> started reducing Windows users default admin rights and force them to
> intentionally (and temporarily) elevate themselves to do admin tasks.
> The biggest problem is the fact that they have to log out and in to
> get the elevated rights on Windows.
>
> Note also that Microsoft has started popping up a lot more warnings
> asking people if they REALLY want to install the Trojan binary.
> People hate it, but what can you do?
>
> I realize this may fit better in a security discussion, but I consider
> it a basic usability issue so I am throwing it out here.
>
> Thanks,
>
> Rick
> --
> Fedora-desktop-list mailing list
> Fedora-desktop-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-desktop-list