Bug#566586: policykit-1: Please ship with a new empty group granted all permissions on console
On Sun, Jan 24, 2010 at 02:54:07AM +0100, Michael Biebl wrote:
> On 24.01.2010 00:39, Josh Triplett wrote:
> > Package: policykit-1
> > Version: 0.96-1
> > Severity: wishlist
> > policykit-1 supports specifying permissions for groups, not just
> > individual users.
> > Thus, please consider shipping policykit-1 with a .pkla file granting
> > all permissions (when on the console) to a new empty group.
> > The administrator can add users to this group to let them authenticate
> > via policykit without a password.
> > (Arguably, users in the "sudo" group, as root-equivalent users, ought to
> > have this permission, but it seems safest to have a unique group
> > specific to policykit-1.)
> I agree that something like this would be nice.
> Ubuntu traditionally uses a system group "admin" for this kind of purpose.
> Maybe this concept of a global group of "priviledged" is something we might want
> in Debian as well and warrrants some wider discussion?
Quite possibly. I don't think it makes sense to introduce such a
concept without it meaning "root-equivalent", though; otherwise, it
becomes very difficult to figure out whether members of that group
should have any particular permission. Saying that the group should
mean "root-equivalent" means it ought to have any and all permissions,
though in some cases with an additional step required before getting
I seem to recall past discussions in Debian that didn't particularly
favor the concept, though I don't recall the reasons.
> Are you interested in starting such a discussion (e.g. on debian-devel) and get
> further input on this topic from a wider audience?
- Josh Triplett