Fedora Feature Proposal: Yum Integration

dragoran drago01 at gmail.com
Fri Jul 20 06:32:25 UTC 2007


Matthew Miller wrote:
> On Thu, Jul 19, 2007 at 07:52:13AM -0400, seth vidal wrote:
>   
>>>> But what if you are just a regular user who doesn't have the root
>>>> password? That pretty much limits the use of this feature to
>>>> administrative programs (which require root anyway). Otherwise users
>>>> will end up with half-broken apps
>>>>         
>>> This should be done as configurable policy. In fact, that can be done
>>> *now*, with one missing crucial bit -- the concept of limited access to
>>> packages in yum. Which we could make a really crack-ridden plugin to
>>> deal with....
>>>       
>> 'the concept of limited access to packages in yum'?
>> What does that mean? I'm not sure I understand the usage here and so I'm
>> not sure where/how it would work as a plugin.
>>     
>
> For many systems, it'd be handy for users to be able to authenticate with
> their own passwords, and then with those credentials add and remove *user
> level* software from known repositories with valid GPG keys, but still
> require root (or wheel group membership) to add or (and especially) remove
> system level software. That's useful -- but, as mentioned, kinda
> crack-ridden. (Partly, of course, because the distinction between user level
> and system level is very blurry.)
>
> Right now, it's trivially easy to make it so you can run yum with your own
> credentials -- but it's not limited in any way. Doing this the right way
> (perhaps with oddjob) would be a bit of work, but doing it the easy but less
> secure way -- run as root, check for limitations -- could be done with a
> plugin.
>
> As a first cut for policy
>
>  1) users can't do anything that would cause a member of the Core or Base
>     groups to be removed
>  2) can add and remove packages from a list of groups like GNOME Desktop
>     Environment, Games and Entertainment, etc., as long as it doesn't
>     conflict with #1
>  3) can't do anything else
>
> Perhaps the list of protected-from-removal packages would need to be
> expanded, but that's the basic idea.
>
>
>
>   
That's what PolicyKit is for...
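
The three-rule policy quoted above, evaluated against a fully resolved transaction; this is an added example, not part of the original thread and not yum or PolicyKit code. Group memberships, package names and the `check_transaction` function are constructed for illustration, and it assumes the check covers dependency-driven members of the transaction and reads rule 3 strictly.

```python
# Added example: groups, packages and transactions here are constructed sample data.
PROTECTED_GROUPS = {"Core", "Base"}                                      # rule 1
USER_GROUPS = {"GNOME Desktop Environment", "Games and Entertainment"}   # rule 2

# Constructed group -> packages map; a real system would read repository group data.
# "cups" sits in both a protected and a user-level group on purpose, to exercise
# the "as long as it doesn't conflict with #1" clause.
GROUP_MEMBERS = {
    "Core": {"glibc", "bash", "rpm"},
    "Base": {"openssh-clients", "cups"},
    "GNOME Desktop Environment": {"gedit", "eog", "cups"},
    "Games and Entertainment": {"gnome-games", "supertux"},
}


def _members(groups):
    """Union of all packages belonging to the named groups."""
    return set().union(*(GROUP_MEMBERS[g] for g in groups))


def check_transaction(resolved):
    """Check a resolved transaction against the three rules.

    `resolved` is a list of (action, package) pairs, action being 'install'
    or 'erase'. It must be the transaction *after* dependency resolution:
    checking only the packages the user named would miss a protected package
    that gets erased as a side effect.
    Returns (allowed, reasons); allowed is True only when no rule is violated.
    """
    protected = _members(PROTECTED_GROUPS)
    user_level = _members(USER_GROUPS)
    reasons = []
    for action, pkg in resolved:
        if action == "erase" and pkg in protected:
            # Rule 1 wins even when the package is also in a user-level group.
            reasons.append(f"rule 1: erase of protected package {pkg}")
        elif action not in ("install", "erase"):
            reasons.append(f"rule 3: action {action} on {pkg} not permitted")
        elif pkg not in user_level:
            reasons.append(f"rule 3: {pkg} is outside the user-level groups")
    return (not reasons, reasons)


if __name__ == "__main__":
    # User asks to erase gedit; the resolver (constructed) also erases cups.
    print(check_transaction([("erase", "gedit"), ("erase", "cups")]))
```
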



