Re: Networking and the firewall (Was Re: Isn't it time for the encrypted file system???)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, 2006-03-30 at 12:44 -0500, Matthew Miller wrote:
> On Thu, Mar 30, 2006 at 11:54:54AM -0500, David Zeuthen wrote:
> > No, my view is that consolehelper is fundamentally flawed. Now that we
> > have something like D-BUS there is absolutely no reason, apart from
> > laziness, that you ever want run X11 programs as root or another user.
> > Think for a minute about just how much code runs with root. Not to
> > mention desktop integration issues [1].
> 
> Well, having this would allow the existing consolehelper to take the place
> of the "polkit-su" tool you mention in
> <http://lists.freedesktop.org/archives/hal/2006-March/004770.html>. So
> instead of having a new thing, consolehelper could auth to access your
> 'polkit' user.
> 
> It seems better to me to make this rather small change to consolehelper
> rather than to make yet another tool from scratch. Maybe I'm missing
> something important, though -- that often happens. :)

The point is that "a tool to run things as root" is an awful design
choice.  The thing it's trying to solve is "a way for users who have
administrative permissions to do administrative tasks".

It used to be that our main model for doing this was "allow $USER to run
$PROGRAM as root", which is the consolehelper and sudo way.  But we had
another one too -- USERCTL in network scripts.

With dbus, we can take the USERCTL way another step forward.  And in
fact we have -- this is essentially the NetworkManager model.  NM does
the network configuration, but nm-applet has no such permissions.  And
unlike e.g. sudoers, the interface between nm-applet and NM doesn't lend
itself to unconstrained exploits.

-- 
  Peter


[Index of Archives]     [Fedora Users]     [Fedora Development]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]

  Powered by Linux