root password considered harmful, and other security policies. (was Re: Torvalds:requiring root password for mundane things is moronic

Tim Waugh twaugh at
Thu Mar 8 09:33:40 UTC 2012

On Wed, 2012-03-07 at 11:05 -0800, Scott Doty wrote:
> /etc/polkit-1/localauthority.conf.d/60-desktop-policy.conf
> Regarding this situation: turns out that if system-config-printer
> doesn't establish proper contact with cups-pk-helper, it will fall back
> to a mode that pops up the root password dialogue.

Some more about this: what you are actually seeing is the IPP
authentication dialog, i.e. the same authentication mechanism you would
use if cups-pk-helper were not installed or if you were configuring a
remote CUPS server.

Although the default username that s-c-printer puts in there is root,
that's just because CUPS requires the root user for remote admin.  CUPS
can be configured to allow e.g. anyone in the wheel group to admin
instead.  It's not clear whether I should make that configuration change
or not.  It's also not clear what the policy for this is, or who to ask,
or whether anyone actually has any clear overview of what the security
policies are for Fedora and how that might differ in each spin etc.

> The FESCo ticket that was opened on my behalf was based on the idea that
> we were confronting a policy decision, not bugs -- and the idea was to
> have "whomever reviews security policy" do a review of these password
> dialogues to see if any could be eliminated, esp. the root password
> dialogue that kicked off this issue.  There is a "Privilege escalation
> policy" that can be found here:

...except that the primary author of that document told me this month
that it is only a draft and can be ignored¹.  In any case it seems to
make no distinction between a user logged in remotely and one sat in
front of the machine.

In that document you can clearly see where the current cups-pk-helper
policy came from, especially here:

"* Add, remove, or downgrade any system-wide application or shared
resource (packaged or otherwise)"


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 482 bytes
Desc: This is a digitally signed message part
URL: <>

More information about the devel mailing list