On Tue, Jan 15, 2013 at 3:00 AM, Rich Freeman <ri...@gentoo.org> wrote:
> On Tue, Jan 15, 2013 at 5:25 AM, Kevin Chadwick <ma1l1i...@yahoo.co.uk> wrote:
>>
>> I still assert that apps adding groups with NOPASSWD sudoers lines
>> perhaps even commented out by default in all or some cases is far
>> better than polkit for many reasons. Any counter argument can apply
>> to sudo too and rather easily.
>>
>
> I think you need to consider the use case for polkit and such. I
> believe they were focused on linux on the desktop. Imagine you have
> 10,000 users running linux on the desktop. Anybody can log into any
> PC. Do you want anybody to be able to remote login to any PC and
> access the webcam and audio, or access local USB drives and such
> (which do not have POSIX security applied to their filesystems)?
> Unless sudo has some config setting that allows access only when
> logged in via console it isn't really a solution.
>
> Rich
>

I manage 'thousands' of desktops at Google and we generally like polkit.
It is, however, designed for graphical UI single-seat systems. Its command
line support sucks (they only added a CLI auth agent in May) and it is not
well adopted. Multi-user systems do not work well with polkit.

Certainly with polkit and dbus you can allow users to take more specific
action without complex wrappers, setuid scripts, or sudo. My package
manager can have a polkit action like 'install a signed package' and I can
grant the user access to do that, but not access to install unsigned
packages (root exploit there...) or run other dangerous apt commands. It
comes built into apt, so I don't have to write extra wrappers.

I don't recommend letting anyone log into any desktop, from a security
policy POV :)

-A
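
The policy split discussed in this thread (signed installs allowed, unsigned ones not, and only for a user at the console), sketched as a polkit JavaScript rule. This is an added example, not code from either poster or from apt. Assumptions: the thread names no action ids, so PackageKit's ids stand in for illustration, and the group "desktop-users" is hypothetical. The shim exists only so the rule can also be exercised outside polkitd.

```javascript
// Added example; would be installed as a file under /etc/polkit-1/rules.d/.
// Outside polkitd (e.g. under Node) fall back to a minimal stand-in so the
// rule function can be exercised with constructed subjects.
var pk = (typeof polkit !== "undefined") ? polkit : {
    Result: { YES: "yes", NO: "no", AUTH_ADMIN: "auth_admin", NOT_HANDLED: null },
    addRule: function (fn) { /* no-op outside polkitd */ }
};

// Assumption: PackageKit action ids, used because the thread gives none.
var TRUSTED_INSTALL = "org.freedesktop.packagekit.package-install";
var UNTRUSTED_INSTALL = "org.freedesktop.packagekit.package-install-untrusted";
var ALLOWED_GROUP = "desktop-users"; // hypothetical group name

function packageRule(action, subject) {
    // Unsigned packages are equivalent to root access: always require
    // administrator authentication, whoever asks.
    if (action.id === UNTRUSTED_INSTALL) {
        return pk.Result.AUTH_ADMIN;
    }
    if (action.id === TRUSTED_INSTALL) {
        // subject.local and subject.active are true only for a session on
        // the machine's own seat that is currently in the foreground, so a
        // remote (ssh) login by the same user does not qualify.
        if (subject.local && subject.active &&
                subject.isInGroup(ALLOWED_GROUP)) {
            return pk.Result.YES;
        }
        return pk.Result.AUTH_ADMIN;
    }
    // Every other action falls through to later rules and the defaults.
    return pk.Result.NOT_HANDLED;
}

pk.addRule(packageRule);
```

The local/active test is the piece a NOPASSWD sudoers line has no direct equivalent for: the grant follows the console session, not just the account.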