Once upon a time, Dan Williams <dcbw@xxxxxxxxxx> said: > But that's not right because those files aren't config files. Instead, > you drop "local authority" files in /var/lib/polkit-1/localauthority/ > that override those permissions on a site-by-site basis for your > specific use-case, irregardless of what the defaults are. Um, what is /var/lib/polkit-1/localauthority/? Again, I'm still sitting at my F11 desktop; was this something added in F12? Maybe (as someone else mentioned) I am looking for the 1000 foot (or 305 meter) view. I understand setuid-root, setgid-foo, etc., and that is widely documented. I kind of have a grip on consolehelper, more from poking around at it than reading anything. I have no clue how things work with PolicyKit, and it also seems that PolicyKit is still changing how things are done from release to release. I poked at PolicyKit a little when someone pointed out desktop users were allowed to change the system clock a couple of releases ago. Some of the same discussion happened then as is happening now; I made the same suggestion about "no elevated access by default and spins can override". The clock perms finally changed in F12 (although it looks like users can still change the timezone, which is still not a good idea, as most things like cron and syslog use local time), and now we have PackageKit questions. It just seems like there needs to be: - better documentation - better defaults - better Fedora policy - better oversight (or enforcement, if necessary) about PolicyKit (or anything that can give regular users elevated access) rules and actions. -- Chris Adams <cmadams@xxxxxxxxxx> Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble. -- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-devel-list
