Local users get to play root?
Chris Adams
cmadams at hiwaay.net
Wed Nov 18 20:39:01 UTC 2009
Once upon a time, Colin Walters <walters at verbum.org> said:
> (Thanks for a constructive discussion by the way!)
No problem; I'm trying to understand and help things move forward. I
don't want to see another thing like SELinux or PulseAudio where it
becomes "common knowledge" that you should just disable or remove
something.
> So, that leaves us with the question of how to configure it for
> Fedora. A data point here is that the Fedora polkit package adds two
> Unix groups "desktop_user_r" and "desktop_admin_r". However, it's
> unclear to me whether the expectation is that official Fedora
> consumables (i.e. desktop installer) would customize PolicyKit using
> these.
Where are those documented? I guess that's something new for F12, so
maybe there's something there. However, I just searched the Fedora wiki
and got no hits (if this is Fedora-specific, shouldn't it be there?).
> > The bigger issue is that much of the policy is not well documented,
> > except in the XML files (which are pretty terse).
>
> The individual actions aren't documented well enough? Or the 1,000
> meter view of all of the installed actions on a default desktop?
I guess some of both. At a quick glance, I see over 100 actions on my
F11 desktop (in over 1400 lines of XML, not counting languages); how am
I supposed to be knowledgeable enough to know which of those I may want
(or need) to change for certain situations? Don't get me wrong; I do
like having more fine-grained access control.
What would be nice would be a guide of how all this fits together and
when to change what (not just documentation of individual options or
syntax), but I do also understand that developers don't always like
writing documentation (hey, who does, other than tech writers!).
--
Chris Adams <cmadams at hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
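
An added example, not part of the original post and not Fedora or PolicyKit tooling: a small Python script that gives the kind of overview discussed in this message, listing every action in a policy XML document with its three defaults and skipping the translated descriptions. The sample document and its action ids are constructed for illustration; on a real system you would feed it the contents of the installed policy files.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the PolicyKit policy-file layout; the action ids are made up.
SAMPLE_POLICY = """<policyconfig>
  <action id="org.example.demo.set-clock">
    <description>Change the system time</description>
    <description xml:lang="de">Systemzeit einstellen</description>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>
  <action id="org.example.demo.install-package">
    <description>Install a signed package</description>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
</policyconfig>
"""

XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"  # how ElementTree names xml:lang
SUBJECTS = ("allow_any", "allow_inactive", "allow_active")

def summarize(policy_xml):
    """Return one dict per action: id, untranslated description, and defaults.
    A default that is absent from the file is reported as "unset"."""
    rows = []
    for action in ET.fromstring(policy_xml).iter("action"):
        untranslated = [d.text or "" for d in action.findall("description")
                        if XML_LANG not in d.attrib]
        row = {"id": action.get("id"),
               "description": untranslated[0].strip() if untranslated else ""}
        defaults = action.find("defaults")
        for subject in SUBJECTS:
            value = defaults.findtext(subject) if defaults is not None else None
            row[subject] = (value or "unset").strip()
        rows.append(row)
    return rows

def no_auth_actions(rows):
    """Ids of actions that some subject class may perform without any prompt."""
    return [r["id"] for r in rows if any(r[s] == "yes" for s in SUBJECTS)]

if __name__ == "__main__":
    table = summarize(SAMPLE_POLICY)
    for r in table:
        print(r["id"], *(f"{s}={r[s]}" for s in SUBJECTS), "|", r["description"])
    print("no authentication required:", no_auth_actions(table))
```

Sorting the output by the `allow_active` column puts the actions that need no authentication at the top, which is usually the first thing to review.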