Michael Biebl wrote:
> On 20.11.2011 19:30, Luca Capello wrote:
>> Perfectly fine for me, but IMHO policykit is abusing sudo, given that
>> with /etc/polkit-1/localauthority.conf.d/51-debian-sudo.conf pkexec
>> grants any privilege to members in the sudo group *without* checking if
>> this group is actually allowed in /etc/sudoers* (this *is* a bug):
>
> This was discussed before the squeeze release. We were looking for a
> mechanism how we could grant administrative privileges to users (eg. if
> installed with a disabled root account).
> We decided to use a group for this purpose. I personally favored to use
> group "admin", but due to various reasons (similarity to adm, etc) we
> finally agreed to use group sudo for that. We, that included the sudo
> maintainer.
>
> So, I fail to see how you consider this abusing sudo.

I'm sure the decision was made for good reasons; but the upshot is that policykit made the pre-existing sudo group unconditionally root-equivalent in Stable with no warning to the sysadmins who may have been using it for some other function (such as, say, to grant only-slightly-trusted users the right to run housekeeping scripts out of /usr/local/sbin).

I would have thought this change might have merited a mention in the release-notes, or in a NEWS.Debian file for policykit-1 v0.96-4, or in a comment in /etc/sudoers...

It's a bit late now, but if you're thinking of allowing any further creep in these privileges, please remember to document it somewhere.

--
JBR
For trifling occasions it is better to accomplish things simply by yelling
 - "Hagakure", Yamamoto Tsunetomo (1716)
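
An added example (not part of this thread, and not code from policykit or sudo): an audit check for the mismatch discussed above, reporting groups that polkit treats as administrators although sudoers does not give them unrestricted `ALL`. It assumes the `localauthority.conf.d` files carry an `AdminIdentities=` line of semicolon-separated identities with later files in lexical order overriding earlier ones; the file contents and sudoers rules below are constructed samples, the function names are hypothetical, and the sudoers parsing is simplified to single-line `%group` rules.

```python
import re

# Constructed samples of the files named in the thread (not copied from a real host).
POLKIT_CONF = {
    "50-localauthority.conf": "[Configuration]\nAdminIdentities=unix-user:0\n",
    "51-debian-sudo.conf": "[Configuration]\nAdminIdentities=unix-group:sudo\n",
}
SUDOERS_DEFAULT = "root ALL=(ALL) ALL\n%sudo ALL=(ALL) ALL\n"
SUDOERS_RESTRICTED = "root ALL=(ALL) ALL\n%sudo ALL=(root) /usr/local/sbin/housekeeping\n"

def polkit_admin_groups(conf_files):
    """Return unix groups listed in the effective AdminIdentities setting.
    conf_files maps file name to text; the last file in lexical order wins."""
    identities = []
    for name in sorted(conf_files):
        for line in conf_files[name].splitlines():
            key, sep, value = line.partition("=")
            if sep and key.strip() == "AdminIdentities":
                identities = [i.strip() for i in value.split(";") if i.strip()]
    return {i.split(":", 1)[1] for i in identities if i.startswith("unix-group:")}

# %group  host = (runas) commands   -- simplified, one rule per line
GROUP_RULE = re.compile(r"^%(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.*)$")

def sudoers_unrestricted_groups(sudoers_text):
    """Return groups whose sudoers rule permits the bare command list ALL."""
    groups = set()
    for line in sudoers_text.splitlines():
        match = GROUP_RULE.match(line.strip())
        if not match:
            continue
        # Drop leading tags such as NOPASSWD: before comparing the command list.
        commands = re.sub(r"^(?:[A-Z_]+:\s*)+", "", match.group(2).strip())
        if commands == "ALL":
            groups.add(match.group(1))
    return groups

def widened_groups(conf_files, sudoers_text):
    """Groups that are polkit administrators but not unrestricted in sudoers."""
    return polkit_admin_groups(conf_files) - sudoers_unrestricted_groups(sudoers_text)

if __name__ == "__main__":
    print("default sudoers:   ", sorted(widened_groups(POLKIT_CONF, SUDOERS_DEFAULT)))
    print("restricted sudoers:", sorted(widened_groups(POLKIT_CONF, SUDOERS_RESTRICTED)))
```

A non-empty result on a real host means membership of that group carries more privilege through pkexec than the local sudoers policy intended.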