Initial draft of privilege escalation policy

Adam Williamson awilliam at
Wed Jan 20 18:59:43 UTC 2010

On Wed, 2010-01-20 at 13:20 -0500, Matthias Clasen wrote:
> On Wed, 2010-01-20 at 10:06 -0800, Adam Williamson wrote:
> > It's just not been implemented yet. PolicyKit certainly allows for
> this
> > level of flexibility, though, and the desktop team plan to use it,
> as
> > Matthias says. An 'administrators' group will be defined which can
> do
> > quite a lot of the things that are restricted by this policy, and
> you'll
> > be able to add user accounts to it. Those users will be able to
> perform
> > those actions either with no additional authorization or by
> > authenticating as themselves (rather than root). This isn't at all
> > implemented yet, though, even in Rawhide.
> > 
> It is largely implemented, actually, even in F12. To see it in action,
> install polkit-desktop-policy, which adds two Unix groups and
> associates
> policykit policies with it. Then join one of the groups to make the
> policies apply to yourself. The group names are desktop_admin_r and
> desktop_user_r. 
> The one reason why we've held off on pushing this further is that we
> are
> lacking the user account tool that lets use nicely manage these
> groups/profiles. For that, see

Ooh! Hidden awesomeness! Very neat. Thanks for the correction.
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org

More information about the test mailing list