Torvalds:requiring root password for mundane things is moronic

Adam Williamson awilliam at redhat.com
Fri Mar 2 21:39:17 UTC 2012 

On Fri, 2012-03-02 at 10:18 -0500, Matthias Clasen wrote:
> On Thu, 2012-03-01 at 21:53 -0800, Adam Williamson wrote:
> 
> > 
> > In case anyone's wondering what that actually does, here's what I can
> > figure out.
> > 
> > What it does directly is to add the user to the 'wheel' group. I'm not
> > sure what all the consequences of that are, but there's two I've been
> > able to find. The first is that the default /etc/sudoers allows people
> > in the wheel group to run any command as root, which is great and all,
> > but we don't use sudo for anything at the desktop level, so it really
> > only affects people who run sudo from the console.
> > 
> > The other thing it does, if I'm reading stuff right, is that users in
> > the wheel group are considered 'admins' by PolicyKit. That's good. Now
> > as to what that means, I'm not 100% sure, but I *think* what it means is
> > that for any action which would require a non-admin user to authenticate
> > as root, an admin user can authenticate as themselves. i.e. instead of a
> > root password dialog, you'd get a your-own-password dialog. I might be
> > off base there, though, and if I am I'm sure someone smarter will
> > correct me. :)
> 
> No, you pretty much nailed it.

I guess the next step, then, besides fixing these bugs with admin group
handling that people have started reporting in this thread, would be to
consider if re-authentication actually makes any sense to many of these
actions. Couldn't we just let users in the admin group go ahead and do
things like printer configuration without having to re-enter their own
password? Do we have a solid basic theory about when re-authentication
should be asked for, or is it more the case right now that no-one's
really thought too hard about this stuff lately and it's one of those
things that's considered to 'work well enough' and people are spending
time on 'more important' things?
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
http://www.happyassassin.net

More information about the devel mailing list