[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#566586: policykit-1: Please ship with a new empty group granted all permissions on console

On Sun, Jan 24, 2010 at 02:54:07AM +0100, Michael Biebl wrote:
> On 24.01.2010 00:39, Josh Triplett wrote:
> > Package: policykit-1
> > Version: 0.96-1
> > Severity: wishlist
> > 
> > policykit-1 supports specifying permissions for groups, not just
> > individual users.
> > 
> > Thus, please consider shipping policykit-1 with a .pkla file granting
> > all permissions (when on the console) to a new empty group.
> > The administrator can add users to this group to let them authenticate
> > via policykit without a password.
> > 
> > (Arguably, users in the "sudo" group, as root-equivalent users, ought to
> > have this permission, but it seems safest to have a unique group
> > specific to policykit-1.)
> I agree that something like this would be nice.
> Ubuntu traditionally uses a system group "admin" for this kind of purpose.
> Maybe this concept of a global group of "priviledged" is something we might want
> in Debian as well and warrrants some wider discussion?

Quite possibly.  I don't think it makes sense to introduce such a
concept without it meaning "root-equivalent", though; otherwise, it
becomes very difficult to figure out whether members of that group
should have any particular permission.  Saying that the group should
mean "root-equivalent" means it ought to have any and all permissions,
though in some cases with an additional step required before getting
dangerous ones.

I seem to recall past discussions in Debian that didn't particularly
favor the concept, though I don't recall the reasons.

> Are you interested in starting such a discussion (e.g. on debian-devel) and get
> further input on this topic from a wider audience?

Done. :)

- Josh Triplett

Reply to: