On Wed, 2015-04-01 at 09:09 +0200, Jakub Filak wrote: > On Tuesday 31 of March 2015 21:35:44 Michael Catanzaro wrote: > > On Tue, 2015-03-31 at 21:50 +0200, Jakub Filak wrote: > > > What about these patches: > > > > > > https://github.com/abrt/abrt/pull/946 > > > > That's exactly what I had in mind (though it would be better to > remove > > the mysterious "Other" column entirely, and just not allow viewing > the > > problems if the user doesn't have permission)... it's evil, but I > think > > it's the only way to do what we want to do. > > > > We should chat with Miloslav Trmač (mitr) about this. I've added > him to > > CC, hi Miloslav! The goal here is to use polkit to express the rule > > "local admins can perform the action without entering any > password, but > > non-admin users must enter an admin password." I think the only > way to > > do that is currently to ship custom JavaScript rules, exactly what > Jakub > > does in the above patch; that's the approach that's taken by > > gnome-control-center as well. Hardcoding the wheel group is also > not > > nice; it doesn't work at all for Debian/Ubuntu. And the folks in > SUSE > > world will just delete the .rules file when it discovers it. > > > > The polkit manual is pretty clear that applications should never do > > this: > > > > "Authorization rules are intended for two specific audiences > > > > System Administrators > > > > Special-purpose Operating Systems / Environments > > > > and those audiences only. In particular, applications, mechanisms > and > > general-purpose operating systems must never include any > authorization > > rules." > > > > However, if there's no other way, there's no other way. Any > suggestions? > > > > Actually, there is other way to allow admins view all problems > without the need to provide password. I can ignore polkit for the > wheel group members in abrt-dbus and treat them like they are > authorized via polkit, but IMHO this approach is wrose than adding a > polkit rules file.
Seconded.