On 10/09/2012 11:34 AM, Lennart Poettering wrote:
> On Tue, 09.10.12 14:26, Simo Sorce (simo@xxxxxxxxxx) wrote:
>
>> On Tue, 2012-10-09 at 20:17 +0200, Lennart Poettering wrote:
>>> Well, we could of course add this as ACL, but I wonder if it wouldn't be
>>> nicer to declare that "adm" is for seeing, and "wheel" for doing as I
>>> suggested above.
>>>
>> What's the point of 2 different groups ?
>>
>> We have filesystem permissions to determine what a user/group can do,
>> plus we have selinux on top to enforce in a different way some of these
>> policies.
>>
>> What does 2 different groups give you besides confusion ?
>
> Safety? Robustness?
>
> For example, by adding people to "adm" you can allow them to monitor
> machines, but when something happens and they want to do things they'd
> have to go through "sudo" or "su", thus adding a psychological barrier
> so that they don't break things... That means they can watch the machine
> just fine, but "rm -rf /" when doing that will have no effect. But they
> still can do privileged things if they feel the need to, after auth.

Just on the naming, I'd rather steer clear of the actual concept, let me get this straight: You want a group called "adm", presumably short for "administrator", the point of which is that it can view system things, but not actually *administer* them? Why on Earth call it "adm"?

--
J. Randall Owens | http://www.ghiapet.net/