On Fri, 2012-03-02 at 10:18 -0500, Matthias Clasen wrote: > On Thu, 2012-03-01 at 21:53 -0800, Adam Williamson wrote: > > > > > In case anyone's wondering what that actually does, here's what I can > > figure out. > > > > What it does directly is to add the user to the 'wheel' group. I'm not > > sure what all the consequences of that are, but there's two I've been > > able to find. The first is that the default /etc/sudoers allows people > > in the wheel group to run any command as root, which is great and all, > > but we don't use sudo for anything at the desktop level, so it really > > only affects people who run sudo from the console. > > > > The other thing it does, if I'm reading stuff right, is that users in > > the wheel group are considered 'admins' by PolicyKit. That's good. Now > > as to what that means, I'm not 100% sure, but I *think* what it means is > > that for any action which would require a non-admin user to authenticate > > as root, an admin user can authenticate as themselves. i.e. instead of a > > root password dialog, you'd get a your-own-password dialog. I might be > > off base there, though, and if I am I'm sure someone smarter will > > correct me. :) > > No, you pretty much nailed it. I guess the next step, then, besides fixing these bugs with admin group handling that people have started reporting in this thread, would be to consider if re-authentication actually makes any sense to many of these actions. Couldn't we just let users in the admin group go ahead and do things like printer configuration without having to re-enter their own password? Do we have a solid basic theory about when re-authentication should be asked for, or is it more the case right now that no-one's really thought too hard about this stuff lately and it's one of those things that's considered to 'work well enough' and people are spending time on 'more important' things? -- Adam Williamson Fedora QA Community Monkey IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora http://www.happyassassin.net -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel
