On Thu, 2012-11-15 at 02:10 +0100, Lennart Poettering wrote:
> On Sat, 10.11.12 09:26, Richard W.M. Jones (rjo...@redhat.com) wrote:
> 
> > On Sat, Nov 10, 2012 at 02:33:53AM +0100, Kevin Kofler wrote:
> > > Matthew Miller wrote:
> > > > Apparently the new version of polkit brings in javascript. The js
> > > > package is 6.5MB. I think anything that uses polkit will depend on
> > > > it -- can we remove it from core?
> > > 
> > > Of course, the real question is why the heck PolicyKit needs a Turing-
> > > complete rule language (which also forced everyone to port their existing 
> > > rules) when the previously-used simple INI-style pkla rule format did the 
> > > job just fine!
> > 
> > And Unix groups worked OK before that (and still do for the majority
> > of purposes).
> 
> OK, I'll bite. So: Did they really? 
> 
> If you want to allow a user to execute a specific privileged operation
> once (let's say format a USB stick), and you grant him group membership
> for that, then he can drop a SETGID binary for that group somewhere and
> will have the permission forever. Effectively, you can never take group
> membership away.

Not saying that groups are always the best option, but I am always
amused by this permanent group membership.
Makes it sound like nobody invented mounting homes with the nosuid mount
option and that admins haven't yet discovered "find -perm" if indeed
there is a file system where users are allowed to drop sgid set
binaries ...

>  Also, creating individual groups for all the various
> privileged operations we have simply doesn't scale.

This is a better argument.

> So, PK's usecase is a valid and an important one. You cannot replace
> that by Unix groups.

You might say that it would be difficult or inconvenient, but it can be
replaced if you really want to.

Whether it would make sense to try is a different story ...

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
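The audit Simo alludes to (nosuid on user-writable filesystems, plus a periodic `find -perm` sweep for setgid binaries) as an added shell example; this is not code from the thread or from polkit, and it assumes Linux (`/proc/mounts`) with a GNU or POSIX `find`.

```shell
#!/bin/sh
# Added example: two small checks for the "dropped setgid binary" concern.
#   find_setgid DIR [GROUP]  - list setgid regular files under DIR, optionally
#                              only those whose group is GROUP.
#   mounted_nosuid DIR       - exit 0 if the mount holding DIR has nosuid
#                              (Linux /proc/mounts), 1 if not, 2 on error.

find_setgid() {
    if [ -n "$2" ]; then
        find "$1" -type f -perm -g+s -group "$2" 2>/dev/null
    else
        find "$1" -type f -perm -g+s 2>/dev/null
    fi
}

mounted_nosuid() {
    dir=$(cd "$1" 2>/dev/null && pwd -P) || return 2
    # Pick the longest mountpoint that is a prefix of DIR, then test its options.
    awk -v d="$dir" '
        { mp = $2; n = length(mp)
          if (mp == d || mp == "/" || substr(d, 1, n + 1) == mp "/")
              if (n > best) { best = n; opts = $4 } }
        END { if (opts ~ /(^|,)nosuid(,|$)/) exit 0; exit 1 }' /proc/mounts
}

# Count of setgid files under DIR, as a plain integer (handy for scripting).
count_setgid() {
    find_setgid "$1" "$2" | wc -l | tr -d ' '
}

# Constructed demo: a scratch tree with one setgid script and one plain one.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '#!/bin/sh\nid\n' > "$tmp/dropped" && chmod 2755 "$tmp/dropped"
    printf '#!/bin/sh\nid\n' > "$tmp/plain"   && chmod 0755 "$tmp/plain"
    echo "setgid files under $tmp: $(count_setgid "$tmp")"
    if mounted_nosuid "$tmp"; then
        echo "$tmp is on a nosuid mount: the setgid bit is not honoured there"
    else
        echo "$tmp is NOT on a nosuid mount: the setgid bit would be honoured"
    fi
    rm -rf "$tmp"
}
```

Run `demo` from a shell that has sourced the file; in practice the sweep would run over home and other user-writable trees with the group in question as the second argument.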

-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel