systemd requires HTTP server and serves QR codes

Simo Sorce simo at redhat.com
Tue Oct 9 19:11:57 UTC 2012


On Tue, 2012-10-09 at 20:34 +0200, Lennart Poettering wrote:
> On Tue, 09.10.12 14:26, Simo Sorce (simo at redhat.com) wrote:
> 
> > On Tue, 2012-10-09 at 20:17 +0200, Lennart Poettering wrote:
> > > > Could we make that a default on Fedora in addition to adm? (I assume this is
> > > > polkit but can't see it offhand -- hmmm... looks to be hard-coded in the
> > > > source?) I don't really have a strong opinion about whether adm should work
> > > > or not, but wheel should.
> > > 
> > > Well, we could of course add this as ACL, but I wonder if it wouldn't be
> > > nicer to declare that "adm" is for seeing, and "wheel" for doing as I
> > > suggested above.
> > > 
> > What's the point of 2 different groups?
> > 
> > We have filesystem permissions to determine what a user/group can do,
> > plus we have selinux on top to enforce in a different way some of these
> > policies.
> > 
> > What do 2 different groups give you besides confusion?
> 
> Safety? Robustness?
> 
> For example, by adding people to "adm" you can allow them to monitor
> machines, but when something happens and they want to do things they'd
> have to go through "sudo" or "su", thus adding a psychological barrier
> so that they don't break things... That means they can watch the machine
> just fine, but "rm -rf /" when doing that will have no effect. But they
> still can do privileged things if they feel the need to, after auth.

You can do the same by allowing sudo cat /var/log/message without
password and requiring the password for anything else.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
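
The sudo arrangement suggested in this message, written out as a sudoers fragment. This is an added example, not part of the original email or of any Fedora default; the file name, the location of cat, and the use of the adm and wheel groups as the two audiences are assumptions.

```sudoers
# /etc/sudoers.d/log-readers  (hypothetical file name; check with: visudo -cf <file>)

# Members of wheel may run anything, after authenticating with their password.
%wheel ALL = (ALL) ALL

# Members of adm may read one log file as root without a password.
# - The command is an absolute path (/usr/bin/cat is an assumed location).
# - Arguments listed in a rule must match exactly, so appending a second
#   file name to the command does not match this rule.
# - The log path is copied as written in the message; substitute the real file.
# - sudo applies the last matching rule, so this line sits below the %wheel
#   line: a user in both groups still gets NOPASSWD for this one command.
%adm ALL = (root) NOPASSWD: /usr/bin/cat /var/log/message
```

Running `sudo -l` as a member of each group shows which rules apply to that user.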