On Mon, 2009-05-04 at 23:57 +0200, Martin Pitt wrote:
> Fredrik Tolf [2009-05-04 21:37 +0000]:
> > Just in case I wasn't clear enough, my argument is this: Without
> > PolicyKit, I had to take explicit action in order to grant privileges to
> > users, while with PolicyKit, I have to take explicit action in order to
> > *not* grant privileges to users.
>
> That's not an inherent property of PK vs. groups, but a matter of
> default configuration. E. g. the installer used to put the default
> user into plugdev, powerdev, etc., and users-admin (from
> gnome-system-tools) did similar things for a "desktop user".

Both of those are special cases explicitly designed for usability with
weaker security, though. I use neither.

> The job of us as a distro is to provide a sensible default
> configuration which provides a good balance between security and
> usability.

Arguably so, but how do you define what is sensible? In my mind,
PolicyKit's defaults seem sensible only for desktop setups, which aren't
the only places in which HAL is being used. I've used it both in
workstation-class setups and "embedded" special-purpose setups (such as a
music player computer, where I used it to detect USB storage with media
files on it), where it cannot reasonably be argued that local users
should be granted all those privileges by default. I don't think that it
should be assumed that all Debian machines are desktop machines. That's
what Ubuntu is for, if you ask me.

And apart from that, it would be nice to at least be *able* to create
unprivileged users, which you cannot do with PK's defaults. For that
matter, it is unclear what PK means by "auth_admin", and I have yet to
find any documentation that explains it. Also, it is very unclear what
one should do to avoid these "sensible defaults", and if they cannot be
avoided, then they aren't just "defaults".

> For example, it doesn't make much sense to deny access to
> a USB camera or scanner to a user at a local console; he has
> physical access to those devices, after all.

Quite possibly so, but I would expect to be able to leave a USB
thumbdrive in the computer and not risk it being written to by any local
user whom you haven't otherwise given any particular privilege to read
it (unlike e.g. pmount, which requires users to be part of the plugdev
group). Of course he'd be able to steal it and plug it into some other
computer if he has local access, but at least that would be noticed.

> Thus I am very much against making PK optional. It will only aggravate
> the confusion, since there will be systems which use PK and some which
> don't.

Well, yeah, there will. I must admit that I don't see the problem with
that. There are systems which use NIS, and others which don't.

> History showed that device access privileges can't be sensibly
> mapped to and maintained with static group membership, so we should
> settle to _one_ system of verifying privileges, also to be compatible
> with the rest of the world.

Maybe, maybe not. I, for one, never had any problems with the static
group membership solution, so I can't really say that "history has shown
that it cannot be done"...

Furthermore, it is precisely *because* there should be exactly one
system of verifying privileges that I oppose PK, because POSIX already
defines that system. With PK there are two systems, and even worse, any
given user gets the union, not the intersection, of the privileges
granted by each. If it were the intersection, I wouldn't object. This
way, as I've said, users are getting granted privileges without me even
knowing it. How about creating a special group for all users that can
have privileges granted by PK?

As for being compatible with the rest of the world, I resent that
statement. There are different distros because not everyone wants to use
the exact same thing.

> To be fair, I had very similar feelings like you when I heard about
> PK the first time, since it seemed to be that ominous new thing which
> opened root holes in the background. :-)

I don't mean to sound offensive, but why did you change your mind?
Surely it wasn't just to be like everyone else?

> Just my € 0.02,

Since I resent the usage of fiat currency, please accept my 1 mg of gold
in return. :)

Fredrik Tolf
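As an added illustration of the "matter of default configuration" point (not part of either Fredrik's or Martin's messages): the PolicyKit 0.9 series that HAL used at the time read a local override file, /etc/PolicyKit/PolicyKit.conf, and a rule there can refuse a HAL action to everyone except named accounts, so that a local login on its own no longer grants the privilege. The action ids below are the ones HAL registers for mounting removable and fixed media; confirm the ids present on a given system in the .policy files under /usr/share/PolicyKit/policy. The element and attribute names follow PolicyKit.conf(5) of that release as I recall them and should be checked against that man page; the user and group names are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkconfig PUBLIC "-//freedesktop//DTD PolicyKit Configuration 1.0//EN"
 "http://hal.freedesktop.org/releases/PolicyKit/1.0/config.dtd">
<!-- Added example for /etc/PolicyKit/PolicyKit.conf (PolicyKit 0.9 series).
     Assumption: syntax as in PolicyKit.conf(5) of that release; the file is
     processed top to bottom and the first matching <return> decides.
     "fredrik" and "sudo" are placeholder names, not defaults. -->
<config version="0.1">
    <!-- root keeps every privilege, as in the stock file -->
    <match user="root">
        <return result="yes"/>
    </match>

    <!-- Mounting removable media: only the named account is allowed;
         everyone else is refused outright, with no authentication
         dialog and no fall-back to the action's auth_admin default. -->
    <match action="org.freedesktop.hal.storage.mount-removable">
        <match user="fredrik">
            <return result="yes"/>
        </match>
        <return result="no"/>
    </match>

    <!-- Mounting fixed (internal) drives: refused for all non-root users. -->
    <match action="org.freedesktop.hal.storage.mount-fixed">
        <return result="no"/>
    </match>

    <!-- Which accounts count as "admin" for actions whose .policy default
         is auth_admin: here the members of the sudo group. -->
    <define_admin_auth group="sudo"/>
</config>
```

Matching in this file is by user, not by group, so emulating a plugdev-style group exactly means listing each member; actions not mentioned keep whatever default their .policy file declares, which is the behaviour the message above objects to. Later polkit releases replaced this file with .pkla files and then JavaScript rules, so the syntax does not carry over to them.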