= Features/UsermodeMigration =
https://fedoraproject.org/wiki/Features/UsermodeMigration

Feature owner(s): Harald Hoyer <harald@xxxxxxxxxx>, Kay Sievers <kay@xxxxxxxxxx>, Bill Nottingham <notting@xxxxxxxxxx>

Access control of privileged operations for ordinary users should be handled exclusively by a centrally managed authority. Usermode/consolehelper should be phased out and replaced entirely by polkit.

== Detailed description ==
The usermode/consolehelper program is a setuid-root wrapper around a couple of system tools, providing superuser privileges to ordinary users. Its policy is controlled by text files in /etc.

These days, most privileged system operations are already controlled by polkit, a well-established, fine-grained, (possibly) network-transparent service for managing privileged operations by ordinary users. Enterprise environments need to be able to centrally define access control policy for the organization, and automatically apply it to all connected workstations.

* polkit can be used by privileged processes to decide whether they should execute privileged operations on behalf of the requesting user. For directly executed tools, polkit provides a setuid-root helper program called ''pkexec''. The hooks to ask the user for authorizations are well-integrated into text environments, and native in all major graphical environments.
* The concept of a ''console user'' (that usermode/consolehelper implements) is no longer a sufficient concept to derive privileges from. OTOH polkit authorizations can properly distinguish between multiple active sessions and seats: e.g. an untrusted user's reboot request is only granted if only a single user session runs at that time.

Btw. this Feature was already accepted for Fedora 18 and it is a continuous effort spread over several releases.
_______________________________________________
devel-announce mailing list
devel-announce@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel-announce
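To illustrate the pkexec path described above, here is a polkit action file for a directly executed tool. It is an added example, not part of the feature page or of any Fedora package. The tool name `example-tool`, its path and the action id `org.example.pkexec.example-tool` are hypothetical.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
 "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<!--
  Hypothetical file: /usr/share/polkit-1/actions/org.example.pkexec.example-tool.policy

  What it replaces under usermode/consolehelper (for comparison):
    /usr/bin/example-tool                    symlink to consolehelper
    /etc/security/console.apps/example-tool  containing USER=root and
                                             PROGRAM=/usr/sbin/example-tool
    /etc/pam.d/example-tool                  PAM stack for the wrapper
-->
<policyconfig>
  <action id="org.example.pkexec.example-tool">
    <description>Run example-tool as root</description>
    <message>Authentication is required to run example-tool</message>
    <defaults>
      <!-- Any client not covered by the two settings below,
           for example a remote login: refuse. -->
      <allow_any>no</allow_any>
      <!-- Local session that is not currently active
           (for example switched away from): refuse. -->
      <allow_inactive>no</allow_inactive>
      <!-- Active local session: require administrator authentication.
           This is the per-session distinction that the plain
           "console user" concept cannot express. -->
      <allow_active>auth_admin</allow_active>
    </defaults>
    <!-- Binds this action to one executable; pkexec applies the action
         only when asked to run exactly this path. -->
    <annotate key="org.freedesktop.policykit.exec.path">/usr/sbin/example-tool</annotate>
    <!-- Lets pkexec keep DISPLAY and XAUTHORITY for a graphical tool. -->
    <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
  </action>
</policyconfig>
```

With this file installed, the tool is started as `pkexec /usr/sbin/example-tool`, and administrators can override the defaults centrally through polkit's local authority configuration instead of editing per-tool files in /etc.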