On Thu, 2010-05-27 at 09:49 -0400, Matthias Clasen wrote: > On Thu, 2010-05-27 at 12:01 +0100, Tim Waugh wrote: > > I have a question about how our privilege escalation policy interacts > > with the desktop_admin_r group. > > > > Is a member user of desktop_admin_r considered an "unprivileged user"? > No, he or she is considered privileged. Right. Due to the discussions on the draft of this policy it contains this rather ugly paragraph providing specific definitions here: "Authentication via provision of the root password always counts as administrative authentication. In the case of mechanisms such as sudo which allow authentication with a user's own password to grant root privileges, this form of authentication can be considered administrative authentication when so configured by the system administrator. In the case of an approved Fedora spin which automatically grants administrative privileges to the first created user account, authentication as that user can be considered administrative authentication; the same applies to any user account subsequently granted those privileges by the system administrator." The relevant bit here is the last sentence, which was intended to cover the whole desktop_admin_r stuff. Let me know if it's factually off. -- Adam Williamson Fedora QA Community Monkey IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org http://www.happyassassin.net -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel
