Local users get to play root?
nodata
lsof at nodata.co.uk
Wed Nov 18 20:27:25 UTC 2009
Am 2009-11-18 21:20, schrieb Jeff Spaleta:
> On Wed, Nov 18, 2009 at 11:08 AM, Konstantin Ryabitsev
> <icon at fedoraproject.org> wrote:
>> Yes, this is security trade-off -- and with valid arguments. Does it
>> make sense to have this as a default configuration for a
>> desktop-oriented distribution? Quite possibly. Fedora installations in
>> managed environments have qualified sysadmins that can alter this
>> policy --
>
> I'm not sure enough sysadmins understand PolicyKit enough to
> confidently generate local policy edits. I think learning how to
> implement site specific PolicyKit best practises by modifying unwanted
> PackageKit's behavior is going to be a trial by fire introduction to
> PolicyKit policy editting for a lot of admins. We saw the same sort of
> learning curve frustration when hal policy was introduced that changed
> how hardware was handled.
>
> -jef
>
I think this "feature" should have been a "Feature" along with the
appropriate pros and cons and documentation. Instead we have a chorus of
people saying "just turn it off" without anyone seemingly knowing the
"correct" way of doing it.
Maybe we need a firstboot question to determine profiles.
More information about the fedora-devel-list
mailing list