Privilege escalation policy and desktop_admin_r

Adam Williamson awilliam at
Thu May 27 15:23:57 UTC 2010

On Thu, 2010-05-27 at 09:49 -0400, Matthias Clasen wrote:
> On Thu, 2010-05-27 at 12:01 +0100, Tim Waugh wrote:
> > I have a question about how our privilege escalation policy interacts
> > with the desktop_admin_r group.
> > 
> > Is a member user of desktop_admin_r considered an "unprivileged user"?

> No, he or she is considered privileged.

Right. Due to the discussions on the draft of this policy it contains
this rather ugly paragraph providing specific definitions here:

"Authentication via provision of the root password always counts as
administrative authentication. In the case of mechanisms such as sudo
which allow authentication with a user's own password to grant root
privileges, this form of authentication can be considered administrative
authentication when so configured by the system administrator. In the
case of an approved Fedora spin which automatically grants
administrative privileges to the first created user account,
authentication as that user can be considered administrative
authentication; the same applies to any user account subsequently
granted those privileges by the system administrator."

The relevant bit here is the last sentence, which was intended to cover
the whole desktop_admin_r stuff. Let me know if it's factually off.
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org

More information about the devel mailing list