systemd requires HTTP server and serves QR codes

Toshio Kuratomi a.badger at gmail.com
Tue Oct 9 19:14:31 UTC 2012


On Tue, Oct 09, 2012 at 08:17:41PM +0200, Lennart Poettering wrote:
> On Tue, 09.10.12 10:31, Matthew Miller (mattdm at fedoraproject.org) wrote:
> 
> > On a related but tangential note: I notice that journalctl allows access to
> > members of the admin group by default. 
> 
> Well, I'd say this differently: we _restrict_ access to "adm", in
> contrast to the previous logic where everybody was allowed to read
> /var/log/messages and only root /var/log/secure.
> 
[snip]
> than the Fedora default of world-readability of logs, from a security
> PoV.
> 
A bit of a tangent but.... AFAICT, /var/log/messages has been 0600 root:root
for quite a while.  So it's more correct to talk about how changes have
opened up /var/log/messages to a group than how it's closed off a world
readable file.  Do your fresh installs show something different?

> > Could we make that a default on Fedora in addition to adm? (I assume this is
> > polkit but can't see it offhand -- hmmm... looks to be hard-coded in the
> > source?) I don't really have a strong opinion about whether adm should work
> > or not, but wheel should.
> 
> Well, we could of course add this as ACL, but I wonder if it wouldn't be
> nicer to declare that "adm" is for seeing, and "wheel" for doing as I
> suggested above.
> 
If so... usually people want to look at doing as a superset of seeing.  We
talk about read-only vs read-write a lot more than read-only vs write-only.

-Toshio