Hi there!

On Sun, 20 Nov 2011 23:10:17 +0100, Josselin Mouette wrote:
> On Sunday 20 November 2011 at 19:30 +0100, Luca Capello wrote:
>> > polkit authorizations are either one-time or valid for the life time of
>> > the session.
>>
>> Again, this is different than with gksudo (even for desktop/menu files),
>> which is why I reported the three bugs considering what you wrote in the
>> end at:
>>
>>   <http://lists.debian.org/4EB2E161.2000209%40debian.org>
>>
>> FWIW, this has been reported as #649386.
>
> Not being sudo is not a bug. Will you report bugs against sudo for not
> having all PolicyKit features?

No, because I was considering PolicyKit as a replacement for gksu(do),
at least in desktop/menu files, as Michael corrected me.

>> > The interface we decided on was to use group sudo for this purpose.
>>
>> There is a difference here: with group sudo, you are granting more
>> access than the ones you get parsing /etc/sudoers* (read below).
>>
>> FWIW, this has been reported as #649387.
>
> Not parsing the sudo configuration file for a program which is not sudo
> is not a bug.

You are right, but still read below my reply to Michael.

>> It is not about what I do or do not want, sudo != administrator, as
>> explained in /usr/share/doc/base-passwd/users-and-groups.txt.gz (but see
>> also #600700 for the current real situation):
>>
>>   sudo
>>
>>   Members of this group do not need to type their password when using sudo.
>>   See /usr/share/doc/sudo/OPTIONS.
>
> Obviously this documentation is incorrect and needs fixing. Could you
> file a bug about this?

First, have you checked #600700, as I suggested?

And if the current sudo behavior below WRT PolicyKit is correct (as it
seems, I am the only one complaining), yes, I will be glad to file a bug
against base-passwd.

On Sun, 20 Nov 2011 21:01:33 +0100, Michael Biebl wrote:
> On 20.11.2011 19:30, Luca Capello wrote:
>> Perfectly fine for me, but IMHO policykit is abusing sudo, given that
>> with /etc/polkit-1/localauthority.conf.d/51-debian-sudo.conf pkexec
>> grants any privilege to members in the sudo group *without* checking if
>> this group is actually allowed in /etc/sudoers* (this *is* a bug):
[...]
>> It is not about what I do or do not want, sudo != administrator, as
>> explained in /usr/share/doc/base-passwd/users-and-groups.txt.gz (but see
>> also #600700 for the current real situation):
>
> This was discussed before the squeeze release. We were looking for a
> mechanism how we could grant administrative privileges to users (eg. if
> installed with a disabled root account).
> We decided to use a group for this purpose. I personally favored to use
> group "admin", but due to various reasons (similarity to adm, etc) we
> finally agreed to use group sudo for that. We, that included the sudo
> maintainer.
>
> So, I fail to see how you consider this abusing sudo.

Because if a user is in group 'sudo', even if there is no more sudo
package installed, PolicyKit will still grant all permissions to that
user. Which means that I do not consider using a group to grant
administrative privileges to users as abusing sudo, but how PolicyKit
exploits this situation.

Thx, bye,
Gismo / Luca
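The mismatch discussed in this message, as an added audit sketch that is not part of the original thread or of any Debian package: it lists the Unix groups a polkit localauthority configuration treats as administrators but which have no rule in sudoers. The file contents are constructed samples, the function names are hypothetical, and the sudoers parsing is a simplification that only recognises lines starting with `%group` (no aliases or include files).

```python
import configparser
import re

# Constructed samples, not copied from a real system.
POLKIT_CONF = "[Configuration]\nAdminIdentities=unix-group:sudo;unix-user:0\n"
SUDOERS_WITH_RULE = "root  ALL=(ALL:ALL) ALL\n%sudo ALL=(ALL:ALL) ALL\n"
SUDOERS_NO_RULE = "root  ALL=(ALL:ALL) ALL\n"


def polkit_admin_groups(conf_text):
    """Return the Unix groups named in AdminIdentities (unix-group:NAME)."""
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    parser.optionxform = str  # keep the key's case as written
    parser.read_string(conf_text)
    raw = parser.get("Configuration", "AdminIdentities", fallback="")
    identities = [item.strip() for item in raw.split(";") if item.strip()]
    return [i.split(":", 1)[1] for i in identities if i.startswith("unix-group:")]


def sudoers_groups(sudoers_text):
    """Return groups with a sudoers rule (simplified: lines starting with %group)."""
    groups = set()
    for line in sudoers_text.splitlines():
        match = re.match(r"%([A-Za-z0-9_.-]+)\s", line.strip())
        if match:
            groups.add(match.group(1))
    return groups


def polkit_only_admin_groups(conf_text, sudoers_text):
    """Groups polkit treats as admin that sudoers does not mention at all."""
    return sorted(set(polkit_admin_groups(conf_text)) - sudoers_groups(sudoers_text))


if __name__ == "__main__":
    for label, sudoers in (("with %sudo rule", SUDOERS_WITH_RULE),
                           ("without %sudo rule", SUDOERS_NO_RULE),
                           ("sudo not installed", "")):
        print(label, "->", polkit_only_admin_groups(POLKIT_CONF, sudoers))
```
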