Privilege escalation policy and desktop_admin_r

Adam Williamson awilliam at
Thu May 27 16:02:37 UTC 2010

On Thu, 2010-05-27 at 16:53 +0100, Tim Waugh wrote:
> On Thu, 2010-05-27 at 08:23 -0700, Adam Williamson wrote:
> > The relevant bit here is the last sentence, which was intended to cover
> > the whole desktop_admin_r stuff. Let me know if it's factually off.
> Seeing as desktop_admin_r is actually part of the default spin, can we
> add some text which explicitly exempts users in that group from the
> privilege escalation policy?
> In other words, can we say something along the lines of "it's fine for
> the default spin to ship policykit files allowing desktop_admin_r users
> to do stuff without passwords being required"?

That's exactly what the paragraph already says, except in a more general
way so it isn't particular to any specific implementation.

"In the case of an approved Fedora spin which automatically grants
administrative privileges to the first created user account,
authentication as that user can be considered administrative
authentication; the same applies to any user account subsequently
granted those privileges by the system administrator."

This is meant to mean (:>) that it's fine for a spin to give the first
created user admin privileges they can use without further
authentication, and that it's fine for other accounts to be properly
granted such privileges. Is there something desktop_admin_r is doing
that's not captured there?
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org

More information about the devel mailing list