Re: [Usability] doing root stuff as normal user without shell or any obscure methods - increasing usability with just a text box

From: Sean Middleditch <elanthis awesomeplay com>
To: usability gnome org
Subject: Re: [Usability] doing root stuff as normal user without shell or any obscure methods - increasing usability with just a text box
Date: Fri, 24 Sep 2004 09:23:42 -0400

On Fri, 2004-09-24 at 08:46 -0300, Leonardo Santagada wrote:
> Sudo is the best idea, what abou SELinux does it suppord sudo or does
> it use ACL's to give permission? Also someone mentioned
> gnome-system-tools, I would like to know if it has support for making
> modules in python instead of perl, because I would like to understand
> an mabe create some modules for it, but I don't really like perl

SELinux does not ever grant privileges.  It just revokes them.  You
can't use SELinux to let a user do something they otherwise couldn't do.

What you _can_ do with SELinux is combine it with something like
console-helper (which Red Hat has done), such that the administrator can
use more intricate rules than she could otherwise - i.e., make it so
only users in the staff_r role can run the tool.  Then the console
helper can query the user for their password to upgrade the process
group/session group/whatever to the staff_r role (if the user has access
to that role).

Again, it isn't granting any extra capabilities to the user.  What it's
doing is taking a process that runs with root capabilities and strips it
down to just the bare minimum it needs, and the maximum of the
capabilities of a user in the staff_r role.

Sudo, I would argue, is not the best idea, because it limits it to the
capabilities of sudo.  Which is, basically, "run as root if the user
entries a particular admin-defined password, such as the root pass or
the user's pass."  If the authentication system is abstracted (*cough*
console-helper *cough*), then any sort of new policy can be invented and
plugged in with no modification necessary to existing applications.

> 
> 
> On Wed, 22 Sep 2004 21:30:11 -0700 (PDT), Linux Power
> <powerpc5 yahoo com> wrote:
> > I fully agree with Brian Skahan. Though I have never
> > used MacOS but it appears to be more elegant approach.
> > 
> > Can it be possible to have a check box labeled
> > "remmember password for this session" or something on
> > similar lines...
> > 
> > 
> > 
> > 
> > __________________________________________________
> > Do You Yahoo!?
> > Tired of spam?  Yahoo! Mail has the best spam protection around
> > http://mail.yahoo.com
> > _______________________________________________
> > Usability mailing list
> > Usability gnome org
> > http://mail.gnome.org/mailman/listinfo/usability
> > 
> 
> 
> 
-- 
Sean Middleditch <elanthis awesomeplay com>
AwesomePlay Productions, Inc.

References:
- Re: [Usability] doing root stuff as normal user without shell or any obscure methods - increasing usability with just a text box
  - From: Reinout van Schouwen
- Re: [Usability] doing root stuff as normal user without shell or any obscure methods - increasing usability with just a text box
  - From: Linux Power
- Re: [Usability] doing root stuff as normal user without shell or any obscure methods - increasing usability with just a text box
  - From: Leonardo Santagada

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]