On 03/05/2012 07:13 AM, Scott Doty wrote:
> On 03/02/2012 04:16 AM, Tim Waugh wrote:
>> Yes, it's a policy.
>>
>> Also see this bug which I filed nearly two years ago on just this
>> subject:
>> https://bugzilla.redhat.com/show_bug.cgi?id=596711
>>
>> Tim.
>> */
>>
>
> New bug report filed: "security policy: root password needed when it
> shouldn't be".
>
> https://bugzilla.redhat.com/show_bug.cgi?id=799988
> /etc/polkit-1/localauthority.conf.d/60-desktop-policy.conf

Regarding this situation: turns out that if system-config-printer doesn't establish proper contact with cups-pk-helper, it will fall back to a mode that pops up the root password dialogue.

In one case, this was an SELinux issue, where the root dialogue would show up until setenforce 0.

In my case here:

http://ponzo.net/PolKit-printer/

I didn't have SELinux enabled, but I suspect foul play from the firewall. (I haven't had a chance to birddog this any further, as I'm recovering from the worst cold I've ever had in my life -- energy has been waxing and waning.)

But regarding the security _policy_ for adding the networked printer: it is fine. When everything is working as it is supposed to, and the user is in the "wheel" group, there is no query for the root password. It was subtle bugs in the implementation that we were up against.

* * *

There is another matter -- regarding Fedora security policy itself. There doesn't seem to be one except an implicit BCP, as implemented in each package.

If anything, a policy document would have helped in this case, because the upstream for cups-pk-helper had said that this was a Fedora policy issue...it would have been handy to visit a policy document and see that folks in the "wheel" group should be able to add printers without root authentication.

Additionally, it would have been helpful to know that the system had been tested, and worked, as stated in the policy.
There was some confusion about whether or not asking for the root password was a limitation in the implementation. (As it turns out, the system was falling back to a mode that required the root password, after failing to carry out the policy via cups-pk-helper.)

The FESCo ticket that was opened on my behalf was based on the idea that we were confronting a policy decision, not bugs -- and the idea was to have "whomever reviews security policy" do a review of these password dialogues to see if any could be eliminated, esp. the root password dialogue that kicked off this issue.

There is a "Privilege escalation policy" that can be found here:

http://fedoraproject.org/wiki/Privilege_escalation_policy

This names the qa group as the group to check implementations of policy -- and names the Fedora Steering Committee as the group to review new privilege escalation policies.

If there is no objection, I'd like to ask if someone could close https://fedorahosted.org/fesco/ticket/816 . Another ticket can be spawned if there is consensus that change in security policy review is needed.

A hearty "thank you" to everybody who helped. :)

-Scott