On Thu, 2010-05-27 at 16:53 +0100, Tim Waugh wrote: > On Thu, 2010-05-27 at 08:23 -0700, Adam Williamson wrote: > > The relevant bit here is the last sentence, which was intended to cover > > the whole desktop_admin_r stuff. Let me know if it's factually off. > > Seeing as desktop_admin_r is actually part of the default spin, can we > add some text which explicitly exempts users in that group from the > privilege escalation policy? > > In other words, can we say something along the lines of "it's fine for > the default spin to ship policykit files allowing desktop_admin_r users > to do stuff without passwords being required"? That's exactly what the paragraph already says, except in a more general way so it isn't particular to any specific implementation. "In the case of an approved Fedora spin which automatically grants administrative privileges to the first created user account, authentication as that user can be considered administrative authentication; the same applies to any user account subsequently granted those privileges by the system administrator." This is meant to mean (:>) that it's fine for a spin to give the first created user admin privileges they can use without further authentication, and that it's fine for other accounts to be properly granted such privileges. Is there something desktop_admin_r is doing that's not captured there? -- Adam Williamson Fedora QA Community Monkey IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org http://www.happyassassin.net -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel
