Initial draft of privilege escalation policy
Matthias Clasen
mclasen at redhat.com
Wed Jan 20 18:20:27 UTC 2010
On Wed, 2010-01-20 at 10:06 -0800, Adam Williamson wrote:
> It's just not been implemented yet. PolicyKit certainly allows for this
> level of flexibility, though, and the desktop team plan to use it, as
> Matthias says. An 'administrators' group will be defined which can do
> quite a lot of the things that are restricted by this policy, and you'll
> be able to add user accounts to it. Those users will be able to perform
> those actions either with no additional authorization or by
> authenticating as themselves (rather than root). This isn't at all
> implemented yet, though, even in Rawhide.
>
It is largely implemented, actually, even in F12. To see it in action,
install polkit-desktop-policy, which adds two Unix groups and associates
policykit policies with them. Then join one of the groups to make the
policies apply to yourself. The group names are desktop_admin_r and
desktop_user_r.
The one reason why we've held off on pushing this further is that we are
lacking the user account tool that lets us nicely manage these
groups/profiles. For that, see
http://www.fedoraproject.org/wiki/Features/UserAccountDialog