Re: [RFC] disabled root account / distinct group for users with administrative privileges

[Josselin Mouette <joss@debian.org>]

Le mardi 19 octobre 2010 à 09:58 +0100, Philip Hands a écrit :
> > For PolicyKit, I can now simply ship a file, say
> > /etc/polkit-1/localauthority.conf.d/51-debian-sudo.conf which contains:
> > 
> > [Configuration]
> > AdminIdentities=unix-group:sudo
> 
> I would object to 'sudo' being a group of people that can simply become
> root if they happen to be logged in -- is that what the PolicyKit
> incantation would allow?

No, it leads to them being able to do PolicyKit actions (such as
formatting a disk or changing a system default) that require root
privileges, with entering their own password. Just as sudo does without
NOPASSWD.

Cheers,
-- 
 .''`.
: :' :     “You would need to ask a lawyer if you don't know
`. `'       that a handshake of course makes a valid contract.”
  `-        --  J???rg Schilling