On Wed, Nov 18, 2015 at 12:24 PM, Adam Williamson <adamwill@xxxxxxxxxxxxxxxxx> wrote: > On Wed, 2015-11-18 at 15:09 -0500, Adam Jackson wrote: >> On Wed, 2015-11-18 at 11:53 -0800, Andrew Lutomirski wrote: >> >> > I don't understand. If a user who has the right to act as root asks >> > to authorize a program to run as root on their behalf, we should grant >> > that request. And, once we grant it, we shouldn't be >> > passive-aggressive and say "sure you can run it, but no graphics for >> > you!". >> >> The point is, if things in Fedora require "run this bit of GUI as root" >> in order to function, we've done a poor job. That people have bad >> habits already is not sufficient justification to encourage them to >> have more. >> >> To the bug in question: probably we should make it so 'sudo gedit' does >> work, but I'd still strongly discourage anyone from actually doing so. > > ISTR seeing some work lately in gvfs or gio or something which would > allow GNOME-y things to acquire necessary perms for changes to files > via PolicyKit when necessary. > > I've always thought this would be an entirely reasonable feature. > There's no inherent security advantage in making people run a console > editor as root instead of using their preferred graphical editor, if > the graphical editor can use an appropriately restricted permission > granting mechanism to do the job. I've certainly had times where I'd > quite have liked to edit a system file with gedit rather than nano or > vi If something like Capsicum ever lands, this becomes straightforward. --Andy -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
