
Re: [RFC] disabled root account / distinct group for users with administrative privileges



On Tue, Nov 02, 2010 at 05:47:45PM +0000, Ian Jackson wrote:
> Guido Günther writes ("Re: [RFC] disabled root account / distinct group for users with administrative privileges"):
> > Imho we should use different groups for PolicyKit and sudo. d-i would
> > need to add the user to two groups then but it would allow for polkit
> > and sudo only configurations:
> 
> Why should we use different groups ?  I'm not familiar with PolicyKit,
> but does it provide equivalent access to sudo ?  If it does, why would
> admins often want to provide one path but not the other ?

PolicyKit has the concept of AdminIdentities that can be used to
authenticate whenever administrator authentication is required. Whether a
certain action requires auth_admin or not is governed by the policy.

If we only want to add rootlike access (which is of course required if
the root account is disabled) we could use the same group for sudo and
polkit but if we want to go further by e.g. not prompting for a password
for certain actions we should use a different role (group) to
differentiate this. 

So we should make it very clear to the user that the group's sole purpose
is to replace the functionality of the disabled root account and nothing
else. Something like "root-equiv" comes to mind. Things like "admin"
sound too generic.
Cheers,
 -- Guido

