On Fri, Jul 20, 2007 at 10:54:16AM -0400, Horst H. von Brand wrote: > > > Nope. If it has to be installed/configured/managed by root, it is system > > > software, regardless of it being the kernel or a game. The stuff in > > > $HOME is yours to mess around with. > > You mean "by root", or "by a process with root privileges"? Because that's a > > whole different question. > No, it isn't. Not really. Sure it is, because the later can be controlled by policy. > > "Foo kind of packages" from an approved repository of > > cryptographically-signed rpms. > Checked by whom for sanity? Who decides which ones can be installed and Fedora. > which ones can't (e.g., chat style applications are banned here, other > places will disallow all games, ...)? If the user decides freely, she's > root for all purposes. If there is any policy on what to install and > what not, she can't be allowed to install stuff, period. Hence the ability to define policy. But can you elaborate more on "root for all purposes"? I'm not aware of any programs in Fedora which, when installed, make a user root. Barring any security holes, of couse. One still wouldn't be able to start or configure services without further authorization. > Besides, you very well can set up a sudo(1) entry that allows Jane > R. User to run *only* yum with designated repositories. I just fail to If you're limiting to installation, sure. But more fine-grained control than repository level might be desirable. > see why such (local policy) has to be integrated into the system, when > it is not universally required (or even wanted). Remember: Unix > philosophy is having tools that do one thing, and do it well. Leave the > infinite combinations in the capable hands of the user. This is a good argument *for* the idea. > Managing a computer isn't trivial, if the users don't know how to do it > right, better keep their hands in the pockets. Random stuff installed by > (well-meaning) users or random passers-by caused inmense grief here with > Windows, until we just gave the users restricted accounts. Users can currently install whatever random stuff they want in their home directories. They can build their own local versions of network clients and then fail to upgrade them to fix security flaws. Much better to allow them to install selected programs from the official Fedora repository. -- Matthew Miller mattdm@xxxxxxxxxx <http://mattdm.org/> Boston University Linux ------> <http://linux.bu.edu/> -- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-devel-list
