Are system policies too restrictive?

(=?iso-8859-1?q?=60=60-=5F-=B4=B4?=) -- BUGabundo ubuntu at
Sat Jan 3 22:02:39 UTC 2009

Olá Chris e a todos.

On Friday 02 January 2009 22:01:40 Chris Coulson wrote:
> Hi,
> I came across a bug report recently where users were having problems
> authenticating with PolicyKit from tools such as users-admin, because
> the 'Unlock' button was greyed out. After some debugging, it seemed that
> all affected users were logged in via a VNC session. Because the VNC
> session was not on the active console, users could not authenticate with
> Policykit, because of the default Ubuntu policy. I closed the bug
> report, as Policykit was doing it's job, and I pointed out to the
> affected users that they can change the system policy if they want.
> I've since seen another bug report which looks like the same issue (I'm
> just waiting for the reporter to provide some information I requested).
> It seems that this is confusing users that are logging in from a remote
> console. In the pre-Hardy days when Policykit didn't exist, users could
> launch any admin tool and authenticate with gksu whether they were on a
> local or remote console. This has changed now, and results in a loss of
> functionality for those users who log in on a remote console. We now
> have to be on the active local console to do pretty much anything, from
> adding/removing users to adjusting the clock.
> I can understand why certain actions are restricted to users logged in
> to the active local console (such as shutting down/rebooting/suspending
> the machine, mounting/unmounting removable media, accessing certain
> hardware devices such as sound cards/web-cams), but I'm not sure why the
> default policy should prevent administrators from changing system
> settings (such as adding users, changing the system time etc.) when they
> are logged in from a remote console.
> The extra policies that appeared in Intrepid for the new Jockey seem to
> be a lot more sane than existing policies. For example, they allow
> administrators to install or remove device drivers regardless of whether
> they're on the local console or not. I think this is how some of the
> other policies should be.

+1 one the all idea that we need to discuss & improve this.

BUGabundo  :o)
Linux user #443786    GPG key 1024D/A1784EBB
My new micro-blog @
ps. My emails tend to sound authority and aggressive. I'm sorry in advance. I'll try to be more assertive as time goes by...

Merry xtmas and Happy New Year
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part.
URL: <>

More information about the Ubuntu-devel-discuss mailing list