Lin Ma wrote:
> Calum Benson wrote:
>> On 10 Dec 2009, at 12:40, Lin Ma wrote:
>>
>>> Darren and I thought that, for a short-term solution, we need to reduce GUI
>>> changes as much as we can. So for the capplet, it fails gracefully
>>> if the user doesn't have the necessary auths (i.e. a message box).
>>>
>>
>> Yes, that sounds okay to me. 
>> We do have some other applications on the desktop (and possibly
>> capplets, I forget off-hand) that use gksu to prompt for a suitable
>> admin password if you don't have the correct privileges, so I guess we
>> might get some bug reports from users asking why they can't do that
>> with the NWAM capplet as well.  But I suppose that's really the other
>> applications' problem, not ours, as using gksu presumably isn't a very
>> RBAC-friendly solution.
>>
> We can do that, but it isn't a good solution for me. It's not convenient.
> I'd like to see that Console User has full authorizations and a normal
> user has *.read/refresh auths. If Console User is also using a
> 'restricted' version of the GUI I may think about it. But it requires adding
> 'Network Autoconf Admin:solaris:cmd:::/usr/bin/nwam-manager-properties:'
> to exec_attr. And I'm not sure whether it works and whether we need to ARC
> it again.
> 
> Renee, could you think again about letting Console User have the Network
> Autoconf Admin profile?
> 

Doesn't this put us back into the same problem we were trying to avoid,
namely that the person who is logged into the system has full
administrative control of ipsec and ipfilter network policy?

-Paul
