On Thu, 2006-08-10 at 16:48 -0400, Dan Williams wrote:
> PolicyKit looks interesting based on the discussions Rahul included.
> Correct me if I got it wrong, but would PolicyKit allow an
> administrator to set people up so they can do certain things as
> administrators (like mounting a disk)?

Yes.

> It looked like the user gets no challenge for authorization if they
> are set up to be able to do that. I actually think that is a problem.
> I think that when someone is executing with root privileges, they
> should be aware of it and consider whether they meant to do that.

First off, "executing with root privileges" may be the answer today, but it's not really what we want a desktop app to do. We want an app to be able to do very specific and confined tasks such as "mount a removable disk", "format a fixed disk", "configure a modem", "set the timezone", "upgrade OS with trusted packages", "install new trusted package", "install new untrusted package", whatever. If we can engineer our applications in such a way that they are this fine-grained, the chances of them doing bad things when compromised are slimmer than if they run with root privileges.

So, the whole idea of PolicyKit is to split privileged apps into two parts: the UI shell (that runs unprivileged) and a privileged part that allows the unprivileged bit to call very specific methods if the caller has the right ''PolicyKit privilege''. If the caller hasn't got the required privilege (for, say, changing the timezone), he may be able to prompt for it, and this requires authentication, either as the super user or as the regular user.

> That is why I suggested a [SUDO]consolehelper. I am assuming that
> Rahul was referring to that as being a bad model. I agree that giving
> everyone this ability like UBUNTU does it is a problem. However, I do
> not agree that setting policies for a user and not reminding him/her
> what their action implies is any better.

I will state that consolehelper, and for that matter the scheme Ubuntu and the rest of the distros are using, is just badly broken since it makes an X11 application run as root. Yet, we still see new crap being added to the distro that does this. Hopefully (I'm an optimist by nature) that will change when we add PolicyKit to Fedora early in the FC7 timeframe (I think it's already in SUSE btw), but I'm not holding my breath so to speak - there's a lot of work left...

Also, see this presentation for the bigger picture:
http://people.freedesktop.org/~david/talks/system-integration-and-gnome-guadec2006-davidz.pdf

See
http://webcvs.freedesktop.org/hal/PolicyKit/doc/spec/polkit-spec.html?revision=1.7
http://webcvs.freedesktop.org/hal/PolicyKit/doc/spec/polkit-arch.png?revision=1.1
for more details on PolicyKit.

David
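The split David describes (an unprivileged UI shell that can only ask a privileged helper for one narrowly scoped action, and a helper that performs it only when the caller holds that action's privilege or authenticates to obtain it) is easier to reason about with a concrete model in front of you. The following Python is an added illustration written for this page; it is not PolicyKit's code or API. The action names, the policy table, the "yes / authenticate as self / authenticate as admin / no" verdicts and the authenticator callback are all constructed for the example. It also covers the failure modes the thread touches on: a user with a standing grant gets no challenge, a user without one is challenged, a denied action stays denied regardless of authentication, and an action the helper never exposes (such as "run a shell") cannot be reached at all.

```python
"""Toy model of the PolicyKit-style privilege split discussed in the mail.

The unprivileged shell never runs as root. It calls a privileged helper that
exposes a fixed list of fine-grained actions and consults a policy table for
each call. Everything here (names, verdicts, policy values, the authenticator)
is constructed for illustration and is not PolicyKit's real interface.
"""
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    YES = "yes"                # privilege held: no challenge is shown
    AUTH_SELF = "auth_self"    # allowed after authenticating as the user
    AUTH_ADMIN = "auth_admin"  # allowed after authenticating as the super user
    NO = "no"                  # never allowed, authentication does not help


@dataclass
class Policy:
    default: Verdict                           # verdict for users with no grant
    grants: dict = field(default_factory=dict)  # user -> Verdict override


# Constructed policy table: one entry per confined action, never "be root".
POLICY = {
    "mount-removable": Policy(Verdict.YES),
    "set-timezone": Policy(Verdict.AUTH_ADMIN, {"alice": Verdict.YES}),
    "format-fixed-disk": Policy(Verdict.AUTH_ADMIN),
    "install-untrusted-package": Policy(Verdict.NO),
}


class PrivilegedHelper:
    """The privileged half. It has a fixed set of entry points and no
    'run this command' method, so a compromised shell can at most invoke
    these, and only with the privilege the policy grants the caller."""

    def __init__(self, policy, authenticate):
        self.policy = policy
        self.authenticate = authenticate  # callable(user, as_admin) -> bool
        self.audit = []                   # (user, action, outcome) records
        self.state = {"timezone": "UTC", "mounted": set(), "formatted": set()}
        self._impl = {
            "mount-removable": lambda dev: self.state["mounted"].add(dev),
            "set-timezone": lambda tz: self.state.__setitem__("timezone", tz),
            "format-fixed-disk": lambda dev: self.state["formatted"].add(dev),
        }

    def check(self, user, action):
        """Verdict for (user, action); anything not in the table is denied."""
        policy = self.policy.get(action)
        if policy is None:
            return Verdict.NO
        return policy.grants.get(user, policy.default)

    def call(self, user, action, *args):
        """Entry point used by the unprivileged shell. Returns (ok, outcome)."""
        verdict = self.check(user, action)
        if verdict is Verdict.NO or action not in self._impl:
            return self._record(user, action, "denied")
        if verdict is Verdict.YES:
            outcome = "granted"
        else:
            as_admin = verdict is Verdict.AUTH_ADMIN
            if not self.authenticate(user, as_admin):
                return self._record(user, action, "auth-failed")
            outcome = "granted-after-admin-auth" if as_admin else "granted-after-self-auth"
        self._impl[action](*args)
        return self._record(user, action, outcome)

    def _record(self, user, action, outcome):
        self.audit.append((user, action, outcome))
        return (outcome.startswith("granted"), outcome)


def demo(auth_succeeds=True):
    """The unprivileged shell making the calls the thread argues about.
    auth_succeeds stands in for the user passing or failing the prompt."""
    helper = PrivilegedHelper(POLICY, lambda user, as_admin: auth_succeeds)
    results = {
        "alice-tz": helper.call("alice", "set-timezone", "Europe/Copenhagen"),
        "bob-tz": helper.call("bob", "set-timezone", "America/New_York"),
        "bob-mount": helper.call("bob", "mount-removable", "/dev/sdb1"),
        "bob-untrusted": helper.call("bob", "install-untrusted-package", "x.rpm"),
        "bob-shell": helper.call("bob", "run-shell", "/bin/sh"),
    }
    return results, helper


if __name__ == "__main__":
    results, helper = demo()
    for name, (ok, outcome) in results.items():
        print(f"{name:14s} {'OK' if ok else 'NO'}  {outcome}")
    print("audit:", helper.audit)
```

The audit list is the part Dan's objection points at: with a standing grant the user sees no prompt, so the helper's own record of who asked for what is the only place the action is visible after the fact.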