clock riddle

Chris Adams cmadams at hiwaay.net
Tue Feb 24 14:10:07 UTC 2009


Once upon a time, Gregory Maxwell <gmaxwell at gmail.com> said:
> Right click the gnome clock applet, adjust date & time. It asks for a
> password, the *user* password satisfies it. I never would have caught
> this: My time is always set via NTP, and if I ever accidentally
> clicked my way to that dialog I would have assumed that it wanted the
> root password.

The question is: what path is this taking to get the required access
level (I guess PolicyKit)?  What other things may be available this way
(is there any limit)?  How was this audited before being added to
Fedora?

There is a bug about this in RH BZ (450304) that has been open since
2008-06-06 with basically no action.

What mechanism is there to keep track of these policies?  There should
be a Fedora policy to control RPMs adding new policies to PolicyKit.  As
a system admin, I look for setuid/setgid binaries and open sockets, but
now there's a new method to bypass that for root-level access.

I admit, I haven't paid much attention to PolicyKit (I'm more of a
server guy; I run Fedora on my desktop just because).  I see it is
pretty deeply intertwined; "yum remove PolicyKit" wants to remove 214
packages.

-- 
Chris Adams <cmadams at hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
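An added example, not from this thread, of one way to keep track of such policies: a script that reads PolicyKit's .policy XML files and lists every action whose allow_active default lets an active local session run the action with only the user's own password (auth_self, auth_self_keep) or with no authentication at all. The policy directory path is an assumption (PolicyKit 0.9 layout), and the embedded sample policy and its action ids are constructed for the demonstration.

```python
"""Audit PolicyKit .policy files for actions whose default authorization
does not require an administrator (root) credential."""
import glob
import os
import xml.etree.ElementTree as ET

# Assumed location of PolicyKit 0.9 policy files on Fedora of that era.
POLICY_DIR = "/usr/share/PolicyKit/policy"

# allow_active defaults that grant the action without an admin credential.
WEAK = {"yes", "auth_self", "auth_self_keep", "auth_self_one_shot"}


def weak_actions_from_xml(xml_text):
    """Return [(action_id, allow_active)] for every <action> whose
    <defaults><allow_active> value is in WEAK."""
    root = ET.fromstring(xml_text)
    found = []
    for action in root.iter("action"):
        defaults = action.find("defaults")
        if defaults is None:
            continue  # no defaults block: PolicyKit treats it as "no"
        active = defaults.findtext("allow_active", default="no").strip()
        if active in WEAK:
            found.append((action.get("id"), active))
    return found


def audit_policy_dir(path=POLICY_DIR):
    """Map each .policy file under `path` to its weak actions (if any)."""
    results = {}
    for policy_file in sorted(glob.glob(os.path.join(path, "*.policy"))):
        with open(policy_file, encoding="utf-8") as fh:
            hits = weak_actions_from_xml(fh.read())
        if hits:
            results[policy_file] = hits
    return results


# Constructed sample in the .policy format: one action that only asks for
# the user's own password, one that requires an administrator.
SAMPLE_POLICY = """<policyconfig>
  <action id="org.example.clock.settime">
    <description>Change the system time</description>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_self_keep</allow_active>
    </defaults>
  </action>
  <action id="org.example.disk.format">
    <defaults><allow_active>auth_admin</allow_active></defaults>
  </action>
</policyconfig>"""

if __name__ == "__main__":
    for action_id, level in weak_actions_from_xml(SAMPLE_POLICY):
        print(f"{action_id}: allow_active={level}")
    for policy_file, hits in audit_policy_dir().items():
        print(policy_file, hits)
```

Run it on a real box to get the per-file list; it reports only the shipped defaults, so any overrides in the local PolicyKit configuration still need to be checked separately.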