Are system policies too restrictive?
(=?iso-8859-1?q?=60=60-=5F-=B4=B4?=) -- BUGabundo
ubuntu at bugabundo.net
Sat Jan 3 22:02:39 UTC 2009
Olá Chris e a todos.
On Friday 02 January 2009 22:01:40 Chris Coulson wrote:
> Hi,
>
> I came across a bug report recently where users were having problems
> authenticating with PolicyKit from tools such as users-admin, because
> the 'Unlock' button was greyed out. After some debugging, it seemed that
> all affected users were logged in via a VNC session. Because the VNC
> session was not on the active console, users could not authenticate with
> Policykit, because of the default Ubuntu policy. I closed the bug
> report, as Policykit was doing it's job, and I pointed out to the
> affected users that they can change the system policy if they want.
>
> I've since seen another bug report which looks like the same issue (I'm
> just waiting for the reporter to provide some information I requested).
>
> It seems that this is confusing users that are logging in from a remote
> console. In the pre-Hardy days when Policykit didn't exist, users could
> launch any admin tool and authenticate with gksu whether they were on a
> local or remote console. This has changed now, and results in a loss of
> functionality for those users who log in on a remote console. We now
> have to be on the active local console to do pretty much anything, from
> adding/removing users to adjusting the clock.
>
> I can understand why certain actions are restricted to users logged in
> to the active local console (such as shutting down/rebooting/suspending
> the machine, mounting/unmounting removable media, accessing certain
> hardware devices such as sound cards/web-cams), but I'm not sure why the
> default policy should prevent administrators from changing system
> settings (such as adding users, changing the system time etc.) when they
> are logged in from a remote console.
>
> The extra policies that appeared in Intrepid for the new Jockey seem to
> be a lot more sane than existing policies. For example, they allow
> administrators to install or remove device drivers regardless of whether
> they're on the local console or not. I think this is how some of the
> other policies should be.
+1 one the all idea that we need to discuss & improve this.
--
BUGabundo :o)
(``-_-´´) http://LinuxNoDEI.BUGabundo.net
Linux user #443786 GPG key 1024D/A1784EBB
My new micro-blog @ http://BUGabundo.net
ps. My emails tend to sound authority and aggressive. I'm sorry in advance. I'll try to be more assertive as time goes by...
Merry xtmas and Happy New Year
http://www.ubuntu-pt.org/static/pictures/ecard.png
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.ubuntu.com/archives/ubuntu-devel-discuss/attachments/20090103/39f6d051/attachment.sig>
More information about the Ubuntu-devel-discuss
mailing list