Bug 688363
| Summary: | Administrator SNAFU | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | David Zeuthen <davidz> | ||||
| Component: | distribution | Assignee: | Bill Nottingham <notting> | ||||
| Status: | CLOSED ERRATA | QA Contact: | Bill Nottingham <notting> | ||||
| Severity: | unspecified | Docs Contact: | |||||
| Priority: | unspecified | ||||||
| Version: | 15 | CC: | dcantrell, mclasen, notting, rvokal | ||||
| Target Milestone: | --- | ||||||
| Target Release: | --- | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | polkit-0.101-3.fc15 | Doc Type: | Bug Fix | ||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2011-03-22 03:49:54 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
|
Description
David Zeuthen
2011-03-16 21:27:15 UTC
We can do one of two things
1. change GNOME accounts dialog (and its system D-Bus service) and the
polkit-desktop-policy pakcage to use the wheel group instead of
desktop_admin_r
2. change firstboot to use desktop_admin_r
(Also, it's worth nothing that consolehelper isn't picking up the sudo stuff so it will continue to ask you for the root password...)
Btw, my suggestion would be to do 1. - it's just simpler and works out of the box... But.. there's the risk that some people might be upset that member of 'wheel' means that some system administration tasks (like updating the system with trusted signed OS vendor packages from a local console) can be carried out without authentication. But these people can of course override AdminIdenties by dropping a file in /etc/polkit-1/localauthority.conf.d/ ... Created attachment 485855 [details]
0001-Use-desktop_admin_r-group-for-admin-users-688363.patch
Is there any reason we can't do both? The attached patch would put the user into both groups.
Well, you'd still have accountsservice only touching desktop_admin_r. Note that overriding AdminIdentities breaks accountsservice/control-center, unless I'm misreading the code. (https://bugs.freedesktop.org/show_bug.cgi?id=35368) (In reply to comment #3) > Created attachment 485855 [details] > 0001-Use-desktop_admin_r-group-for-admin-users-688363.patch > > Is there any reason we can't do both? The attached patch would put the user > into both groups. What happens if someone goes into the GNOME account tool and changes the type from "Administrator" to "Standard"? I mean, the user will no longer be in desktop_admin_r but will still be in wheel... which I think is too surprising and confusing... It's much easier if we only have a single bit for "user is admin" (in the default install). Historically that bit has been the 'wheel' group (more or less).. it would be nice to just keep using that group for the polkit stuff. (It would probably be helpful to study in detail how the 'wheel' group has been used and what expectations there are to the group...) Talked to mclasen this morning and decided to work on patches for accountsservice, control-center and polkit-desktop-policy to switch to use the wheel group instead of the desktop_admin_r and desktop_user_r group. (Btw, in the process we will nuke the "Supervised" account type from GNOME's accounts panel as well (since nothing is currently using it - it has no effect and is therefore misleading to the user).) accountsservice patch: https://bugs.freedesktop.org/show_bug.cgi?id=35390 control-center patch: https://bugzilla.gnome.org/show_bug.cgi?id=645025 polkit changes are here: http://pkgs.fedoraproject.org/gitweb/?p=polkit.git;a=commitdiff;h=9fa422d5441f0d06e0b1d992cc3c270bc2c35c70 polkit build here: http://koji.fedoraproject.org/koji/taskinfo?taskID=2920142 When we have accountsservice and control-center packages, I'll file an update for all three packages. Thanks. (In reply to comment #9) > polkit build here: http://koji.fedoraproject.org/koji/taskinfo?taskID=2920142 > > When we have accountsservice and control-center packages, I'll file an update > for all three packages. Thanks. Updated polkit build that fixes a typo pointed out by Bill: http://koji.fedoraproject.org/koji/taskinfo?taskID=2920175 polkit-0.101-3.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/polkit-0.101-3.fc15 polkit-0.101-3.fc15, accountsservice-0.6.6-1.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report. |