systemd requires HTTP server and serves QR codes

Lennart Poettering mzerqung at 0pointer.de
Tue Oct 9 18:34:29 UTC 2012


On Tue, 09.10.12 14:26, Simo Sorce (simo at redhat.com) wrote:

> On Tue, 2012-10-09 at 20:17 +0200, Lennart Poettering wrote:
> > > Could we make that a default on Fedora in addition to adm? (I assume this is
> > > polkit but can't see it offhand -- hmmm... looks to be hard-coded in the
> > > source?) I don't really have a strong opinion about whether adm should work
> > > or not, but wheel should.
> > 
> > Well, we could of course add this as ACL, but I wonder if it wouldn't be
> > nicer to declare that "adm" is for seeing, and "wheel" for doing as I
> > suggested above.
> > 
> What's the point of 2 different groups?
> 
> We have filesystem permissions to determine what a user/group can do,
> plus we have selinux on top to enforce in a different way some of these
> policies.
> 
> What do 2 different groups give you besides confusion?

Safety? Robustness?

For example, by adding people to "adm" you can allow them to monitor
machines, but when something happens and they want to do things they'd
have to go through "sudo" or "su", thus adding a psychological barrier
so that they don't break things... That means they can watch the machine
just fine, but "rm -rf /" when doing that will have no effect. But they
still can do privileged things if they feel the need to, after auth.

Lennart

-- 
Lennart Poettering - Red Hat, Inc.

