Re: Torvalds:requiring root password for mundane things is moronic

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, Mar 2, 2012 at 2:12 AM, Chris Murphy <lists@xxxxxxxxxxxxxxxxx> wrote:

On Mar 1, 2012, at 10:53 PM, Adam Williamson wrote:

> On Thu, 2012-03-01 at 17:43 -0500, Adam Jackson wrote:
>> On Thu, 2012-03-01 at 16:39 -0500, Daniel J Walsh wrote:
>>
>>> I believe Fedora 17 has an add user to admin group checkbox when
>>> adding the initial user, not sure if it is checked on or off by default.
>>
>> Off by default (having just tried it today).
>
> In case anyone's wondering what that actually does, here's what I can
> figure out.
>
> What it does directly is to add the user to the 'wheel' group. I'm not
> sure what all the consequences of that are, but there's two I've been
> able to find. The first is that the default /etc/sudoers allows people
> in the wheel group to run any command as root, which is great and all,
> but we don't use sudo for anything at the desktop level, so it really
> only affects people who run sudo from the console.
>
> The other thing it does, if I'm reading stuff right, is that users in
> the wheel group are considered 'admins' by PolicyKit. That's good. Now
> as to what that means, I'm not 100% sure, but I *think* what it means is
> that for any action which would require a non-admin user to authenticate
> as root, an admin user can authenticate as themselves. i.e. instead of a
> root password dialog, you'd get a your-own-password dialog. I might be
> off base there, though, and if I am I'm sure someone smarter will
> correct me. :)

From my own experience, anything I change in the GUI that requires authentication, it is for user 'chris' if that user was added as an admin with the checkbox in the create first user steps. If that checkbox is not checked, any authentication dialog that appears is for user 'root'.

My interpretation of Torvalds' complaint, is with the mere existence of authentication dialogs in the first place, for certain things. Mac OS X has always required authentication (from a user with "admin" privileges) for changing the Date/Time including time zones, which is an absurdity. In the most recent version, it's no longer possible for a non-authenticated user with admin privileges (in effect two levels of privileges for the same user with the same login and the same password) to install e.g. ICC color profiles to a folder making the profiles available to all users. So I'm an admin, and if I want to modify a folder, I have to enter my password in a pop-up authentication dialog to add/remove ICC profiles. Worse, the individual user folder for these profiles is now hidden by default. It's high order insanity.

Chris Murphy

As far as time zones and date/time settings are concerned, didn't there used to be a user-level setting for this? There's a variable for command line apps called TZ (for timezone) that can be set at the individual user's level, but apparently graphical applications don't obey this variable. I don't know about date/time itself, though.

For printers, currently installing printers does not require superuser privileges, but managing those printers installed by that user does. Is it possible to make it so that printers installed by that user can be managed by the user without superuser authentication?
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux