Once upon a time, Richard Hughes hughsient@gmail.com said:
If you're not shipping custom PolicyKit rules then at the moment normal users can, without authentication:
- Grant high priority scheduling to a user process
I have complained about this.
- Connection sharing via a protected WiFi network
Only if the NetworkManager daemon is running, right?
- Suspend the system
Again, on/off don't change system policy.
- Inhibit media detection
- Mount a device
The user mounts are locked down (noexec), right?
- Restart the system
Again, on/off don't change system policy.
- Get information about system services
Information that has always been available, right?
- Install debuginfos using abrt
Didn't know about this one; another thing that should be changed by default.
- Enroll new fingerprints
That's along the lines of "change their password", which is reasonable (unless this is giving elevated access to those fingerprints).