Proposing to host system-auth-agent in fdo

Carlos Garnacho carlosg at gnome.org
Wed Oct 13 22:49:33 EEST 2004


On Wed, 2004-10-13 at 20:23 +0200, Martin Waitz wrote:
> hi :)
> 
> you shouldn't base authorization on the program that is asking but
> on the operation that it tries to execute.

it does both, it's not hard to imagine a little program that acts like
su, but which uses this program underneath and stores that user foo can
run "su", that's because I want a list of authorized applications, I do
not want to create a rootkits API :)

> 
> Remember: it's the currently logged in user that is allowed to
> configure the network card, not some magic binary.
> So the better solution is to move the desired functunality into
> a root daemon and just send requests to it via dbus/whatever.
> The daemon can then check the request for validity and perform
> the action.
> 
> That way it is not possible to execute arbitrary programs as root.

That doesn't provide the flexibility I'd want, this proposal is about a
generic way to get permissions elevation with some kind of user
friendlyness.

	Carlos

> 
> Just have a look at NetworkManager.
> 



More information about the xdg mailing list