Hi,

On Sat, 2009-10-31 at 14:31 +0100, [email protected] wrote:
> I propose to allow admins to change settings without having to enter their
> password. Think about the reason the user is asked for a password.
> It's not really to protect the system from evil local users, because
> you always lock your desktop before you go away. The real reason is
> that applications want to verify that the user wants to modify a
> setting, and not possibly evil user-space software. There should be
> a way to verify this without the need for the user to enter a
> password.
The thing is (to use the same terms you are using) - non-evil software can easily turn evil if it gets infected. Especially with things like Adobe's flash player. And multimedia codecs. And filesystem drivers. And, in general, lots of other code reading untrusted content usually downloaded from the Internet. (And no, the fact that you are running Linux, not Windows, does not inherently make you safer here.)

As such it's not really a good idea to just allow any piece of software running in your session to be able to run any command it wants through e.g. pkexec(1). So please stop pimping your proposal about allowing Action=* - it's just not very good advice. Thanks.

Now, it's true that on most single-user home systems anything outside $HOME is not really an interesting target (in fact, anything outside $HOME/.mozilla is probably not interesting). But allowing full system access allows for more than just stealing, say, the password to your bank - it allows the attacker to use your system, basically, whenever he feels like it. It allows him to spy on you using that nice webcam. And the microphone. Or track your location.

That's why we only (should) allow "safe" things without asking for a password. Note that this includes basically everything, with notable exceptions such as

 - Installing untrusted software (e.g. not signed by your distro)

 - Gaining root (e.g. 'pkexec bash')

 - Setting up a modem connection (needs a trusted path because if anyone
   could do this they could set it up to call a 1-900 number and make
   $50 / minute from you)

Note that all these things are actually things normal users should never need to do very often.

Also, there is actually some work going on here, see

 https://www.redhat.com/archives/fedora-desktop-list/2009-August/msg00103.html

for some discussion of introducing roles to deal with this problem.
The long term plan is that users in the desktop_admin_r group will be able to do pretty much anything without being slowed down by password dialogs (except for the trusted path things as mentioned above).

For some more thinking about this problem, also see

 https://bugzilla.gnome.org/show_bug.cgi?id=596260#c6

     David

_______________________________________________
polkit-devel mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/polkit-devel
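For readers who have not seen what the two positions in this thread look like as configuration, here is an added illustration in pklocalauthority(8) key-file syntax. It is not from the thread and not polkit's shipped configuration. The first (commented-out) stanza is what an Action=* grant to the desktop_admin_r group amounts to; the stanzas after it are the scoped alternative the reply argues for. Of the action IDs used, only org.freedesktop.policykit.exec (the action behind pkexec) is known to be real; the others are assumed for illustration, and the real ones on a given system should be taken from pkaction(1).

```ini
# /etc/polkit-1/localauthority/50-local.d/10-desktop-admin.pkla
# Added example, not from the original thread. pklocalauthority(8) rules are
# key files; within a directory files are read in lexical order and the last
# matching rule wins, so ordering inside this file matters.

# The proposal being argued against. "*" matches every action id, including
# org.freedesktop.policykit.exec, so any process in an active session of a
# desktop_admin_r member - a compromised flash plugin or codec included -
# can run 'pkexec bash' with no password. Left commented out on purpose.
#[Blanket grant - do not use]
#Identity=unix-group:desktop_admin_r
#Action=*
#ResultAny=no
#ResultInactive=no
#ResultActive=yes

# The alternative: name the "safe" actions explicitly. The action id below is
# an assumed example; list the ones installed on your system with pkaction.
[Mount removable media without a password]
Identity=unix-group:desktop_admin_r
Action=org.freedesktop.devicekit.disks.filesystem-mount
ResultAny=no
ResultInactive=no
ResultActive=yes

# The trusted-path exceptions named in the mail keep requiring the admin
# password even for desktop_admin_r. This stanza comes last so it overrides
# any earlier glob that happens to match these ids. Only
# org.freedesktop.policykit.exec is a real id here; the PackageKit and
# NetworkManager ids are assumed for illustration.
[Trusted-path actions stay behind a password]
Identity=unix-group:desktop_admin_r
Action=org.freedesktop.policykit.exec;org.freedesktop.packagekit.package-install-untrusted;org.freedesktop.network-manager-settings.system.modify
ResultAny=auth_admin
ResultInactive=auth_admin
ResultActive=auth_admin
```

After dropping a file like this into 50-local.d, the effective decision for a given action can be checked from the session in question with pkcheck(1), e.g. `pkcheck --action-id org.freedesktop.policykit.exec --process $$`, which should still report that authentication is required while the explicitly granted actions succeed without a prompt.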
