Execute as Root GUI Admin Interfaces

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Originally: Re: Fedora usability : a new project? (Rick Stuart) 
From: Rahul <sundaram@xxxxxxxxxx>


Rick Stuart wrote:
  
I welcome this idea!  I have asked many folks about what they like and 
dis like about Linux and I only get prejudiced statements.  If you sit 
someone ( a familiar and comfortable user of Windows) in front of your 
pride and joy 64-bit Fedora Core 5 install and invite them to try it 
out, they will fail to see any value.  If you help them find their way 
to stuff, they will certainly hit a brick wall that you have to fix by 
opening a terminal window, and then it's all over.

Here are a couple of suggestions:

Provide an option to configure users with sufficient privileges so that 
they can enter their OWN password for administrative access instead of 
ROOT's.  ( /usr/bin/system-config-* linked to "consolehelper" )  For a 
good model, check out UBUNTU......sorry about your toes.  Something like 
/etc/consolehelpers a-la /etc/sudoers.
    

That isnt really a good model.

https://www.redhat.com/archives/fedora-extras-list/2006-July/msg00814.htm
  
From: David Nielsen <david@xxxxxxxxxxxxx>

  

PolicyKit should provide this functionality the right way. I don't know
if we have an ETA on this being useful but I would rather wait for a
proper fix than use priviliage escalation that can introduce problems
like horrid security . having to audit half a million lines of GTK+ code
because it now runs as root and any slight bug could take down the
system is my very definition of not funny.
PolicyKit looks interesting based on the discussions Rahul included.  Correct me if I got it wrong, but would PolicyKit allow an administrator to set people up so they can do certain things as administrators (like mounting a disk) ?  It looked like the user gets no challenge for authorization if they are set up to be able to do that.  I actually think that is a problem.  I think that when someone is executing with root privileges, they should be aware of it and consider whether they meant to do that.  That is why I suggested a [SUDO]consolehelper.  I am assuming that Rahul was referring to that as being a bad model.   I agree that giving everyone this ability like UBUNTU does it is a problem.  However, I do not agree that setting policies for a user and not reminding him/her what their action implies is any better.

In our corporate Windows world, we can set domain policies and local policies that give people more administrative rights.  We then invest much more support time trying to unravel what they accidentally did because they had elevated privileges and got no warnings when they mis-stepped.  Our Linux desktops have very few such problems even though we have a fairly large number of "sudoers" who can do root level tasks, but have to do so intentionally.  These sudoers don't need or want the root password, but they can do their jobs without problems as long as they know the CLI commands to do it.  We have started reducing Windows users default admin rights and force them to intentionally (and temporarily) elevate themselves to do admin tasks.  The biggest problem is the fact that they have to log out and in to get the elevated rights on Windows.

Note also that MicroSoft has started popping up a lot more warnings asking people if they REALLY want to install the Trojan binary.  People hate it, but what can you do?

I realize this may fit better in a security discussion, but I consider it a basic usability issue so I am throwing it out here.

Thanks,

Rick
-- 

Fedora-desktop-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-desktop-list
[Index of Archives]     [Fedora Users]     [Fedora KDE]     [Fedora Announce]     [Fedora Docs]     [Fedora Config]     [PAM]     [Red Hat Development]     [Red Hat 9]     [Gimp]     [Yosemite News]

  Powered by Linux