Local users get to play root?

nodata lsof at nodata.co.uk
Wed Nov 18 20:37:59 UTC 2009


Am 2009-11-18 21:27, schrieb nodata:
> Am 2009-11-18 21:20, schrieb Jeff Spaleta:
>> On Wed, Nov 18, 2009 at 11:08 AM, Konstantin Ryabitsev
>> <icon at fedoraproject.org> wrote:
>>> Yes, this is security trade-off -- and with valid arguments. Does it
>>> make sense to have this as a default configuration for a
>>> desktop-oriented distribution? Quite possibly. Fedora installations in
>>> managed environments have qualified sysadmins that can alter this
>>> policy --
>>
>> I'm not sure enough sysadmins understand PolicyKit enough to
>> confidently generate local policy edits. I think learning how to
>> implement site specific PolicyKit best practises by modifying unwanted
>> PackageKit's behavior is going to be a trial by fire introduction to
>> PolicyKit policy editting for a lot of admins. We saw the same sort of
>> learning curve frustration when hal policy was introduced that changed
>> how hardware was handled.
>>
>> -jef
>>
>
> I think this "feature" should have been a "Feature" along with the
> appropriate pros and cons and documentation. Instead we have a chorus of
> people saying "just turn it off" without anyone seemingly knowing the
> "correct" way of doing it.
>
> Maybe we need a firstboot question to determine profiles.

and a tool to switch a box between different profiles/roles too.




More information about the fedora-devel-list mailing list