On Wed, 2012-03-07 at 11:05 -0800, Scott Doty wrote:
> /etc/polkit-1/localauthority.conf.d/60-desktop-policy.conf
>
> Regarding this situation: turns out that if system-config-printer
> doesn't establish proper contact with cups-pk-helper, it will fall back
> to a mode that pops up the root password dialogue.

Some more about this: what you are actually seeing is the IPP authentication dialog, i.e. the same authentication mechanism you would use if cups-pk-helper were not installed or if you were configuring a remote CUPS server.

Although the default username that s-c-printer puts in there is root, that's just because CUPS requires the root user for remote admin. CUPS can be configured to allow e.g. anyone in the wheel group to admin instead.

It's not clear whether I should make that configuration change or not. It's also not clear what the policy for this is, or who to ask, or whether anyone actually has any clear overview of what the security policies are for Fedora and how that might differ in each spin etc.

> The FESCo ticket that was opened on my behalf was based on the idea that
> we were confronting a policy decision, not bugs -- and the idea was to
> have "whomever reviews security policy" do a review of these password
> dialogues to see if any could be eliminated, esp. the root password
> dialogue that kicked off this issue. There is a "Privilege escalation
> policy" that can be found here:
>
> http://fedoraproject.org/wiki/Privilege_escalation_policy

...except that the primary author of that document told me this month that it is only a draft and can be ignored¹. In any case it seems to make no distinction between a user logged in remotely and one sat in front of the machine.

In that document you can clearly see where the current cups-pk-helper policy came from, especially here:

"* Add, remove, or downgrade any system-wide application or shared resource (packaged or otherwise)"

Tim.
*/

¹ https://bugzilla.redhat.com/show_bug.cgi?id=596711#c16
-- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel