Local users get to play root?

Chris Adams cmadams at hiwaay.net
Wed Nov 18 20:39:01 UTC 2009


Once upon a time, Colin Walters <walters at verbum.org> said:
> (Thanks for a constructive discussion by the way!)

No problem; I'm trying to understand and help things move forward.  I
don't want to see another thing like SELinux or PulseAudio where it
becomes "common knowledge" that you should just disable or remove
something.

> So, that leaves us with the question of how to configure it for
> Fedora.   A data point here is that the Fedora polkit package adds two
> Unix groups "desktop_user_r" and "desktop_admin_r".  However, it's
> unclear to me whether the expectation is that official Fedora
> consumables (i.e. desktop installer) would customize PolicyKit using
> these.

Where are those documented?  I guess that's something new for F12, so
maybe there's something there.  However, I just searched the Fedora wiki
and got no hits (if this is Fedora-specific, shouldn't it be there?).

> > The bigger issue is that much of the policy is not well documented,
> > except in the XML files (which are pretty terse).
> 
> The individual actions aren't documented well enough?  Or the 1,000
> meter view of all of the installed actions on a default desktop?

I guess some of both.  At a quick glance, I see over 100 actions on my
F11 desktop (in over 1400 lines of XML, not counting languages); how am
I supposed to be knowledgeable enough to know which of those I may want
(or need) to change for certain situations?  Don't get me wrong; I do
like having more fine-grained access control.

What would be nice would be a guide of how all this fits together and
when to change what (not just documentation of individual options or
syntax), but I do also understand that developers don't always like
writing documentation (hey, who does, other than tech writers!).
-- 
Chris Adams <cmadams at hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.




More information about the fedora-devel-list mailing list