Conflicting design issue for hide-admin-tools-to-users

Hi Vincent!

Vincent Untz [2005-11-24 11:20 +0100]:
> > I see two options that are worth discussing:
> >
> >  (1) Do the test at a higher level:
> >
> >      sudo --check-desktop-file <desktop file>
> >
> >    does not log failures if the desktop file is owned by root.
> 
> I'm not sure I understand: all desktop files are owned by root right
> now. Or are we talking about other desktop files?

Oh, I thought it would be obvious, sorry. Without that check, a
normal user could easily circumvent the check by creating his own
.desktop file and put the command he wants to check into it. This
would again circumvent the sudo logging check.

> >  (2) Make this configurable and set appropriate defaults at
> >      installation (ubuntu-server or ubuntu-desktop).
> >
> > I prefer solution (1) since it does what we actually want; (2) is a
> > bit handwavy, since you can use a normal Ubuntu CD to install a
> > server, etc.
> 
> I agree that (2) is not a great option. In the past, it has been
> suggested to just look if the user was in the admin group. Is there
> any big drawback to this?

Yes. Check for admin group would only cover the default configuration
of hoary and breezy. Warty did not use the admin group, and sudo can
be configured much more fine grained than a coarse
'everything/nothing' approach. With this, an user who is e. g. granted
to run only network-admin would never see it in the menu.

I consider this a last-resort fallback, but I'd like to see a cleaner
solution.

Thanks,

Martin
-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.ubuntu.com/archives/ubuntu-devel/attachments/20051124/5c783710/attachment-0001.pgp