Torvalds: requiring root password for mundane things is moronic

Conan Kudo (ニール・ゴンパ) ngompa13 at gmail.com
Fri Mar 2 11:21:54 UTC 2012


On Fri, Mar 2, 2012 at 2:12 AM, Chris Murphy <lists at colorremedies.com> wrote:

>
> On Mar 1, 2012, at 10:53 PM, Adam Williamson wrote:
>
> > On Thu, 2012-03-01 at 17:43 -0500, Adam Jackson wrote:
> >> On Thu, 2012-03-01 at 16:39 -0500, Daniel J Walsh wrote:
> >>
> >>> I believe Fedora 17 has an add user to admin group checkbox when
> >>> adding the initial user, not sure if it is checked on or off by
> >>> default.
> >>
> >> Off by default (having just tried it today).
> >
> > In case anyone's wondering what that actually does, here's what I can
> > figure out.
> >
> > What it does directly is to add the user to the 'wheel' group. I'm not
> > sure what all the consequences of that are, but there's two I've been
> > able to find. The first is that the default /etc/sudoers allows people
> > in the wheel group to run any command as root, which is great and all,
> > but we don't use sudo for anything at the desktop level, so it really
> > only affects people who run sudo from the console.
> >
> > The other thing it does, if I'm reading stuff right, is that users in
> > the wheel group are considered 'admins' by PolicyKit. That's good. Now
> > as to what that means, I'm not 100% sure, but I *think* what it means is
> > that for any action which would require a non-admin user to authenticate
> > as root, an admin user can authenticate as themselves. i.e. instead of a
> > root password dialog, you'd get a your-own-password dialog. I might be
> > off base there, though, and if I am I'm sure someone smarter will
> > correct me. :)
>
> From my own experience, anything I change in the GUI that requires
> authentication, it is for user 'chris' if that user was added as an admin
> with the checkbox in the create first user steps. If that checkbox is not
> checked, any authentication dialog that appears is for user 'root'.
>
> My interpretation of Torvalds' complaint, is with the mere existence of
> authentication dialogs in the first place, for certain things. Mac OS X has
> always required authentication (from a user with "admin" privileges) for
> changing the Date/Time including time zones, which is an absurdity. In the
> most recent version, it's no longer possible for a non-authenticated user
> with admin privileges (in effect two levels of privileges for the same user
> with the same login and the same password) to install e.g. ICC color
> profiles to a folder making the profiles available to all users. So I'm an
> admin, and if I want to modify a folder, I have to enter my password in a
> pop-up authentication dialog to add/remove ICC profiles. Worse, the
> individual user folder for these profiles is now hidden by default. It's
> high order insanity.
>
> Chris Murphy
> --
> devel mailing list
> devel at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/devel
>

As far as time zones and date/time settings are concerned, didn't there
used to be a user-level setting for this? There's a variable for command
line apps called TZ (for timezone) that can be set at the individual user's
level, but apparently graphical applications don't obey this variable. I
don't know about date/time itself, though.

For printers, currently installing printers does not require superuser
privileges, but managing those printers installed by that user does. Is it
possible to make it so that printers installed by that user can be managed
by the user without superuser authentication?