[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Fedora Feature Proposal: Yum Integration



On Thu, Jul 19, 2007 at 07:52:13AM -0400, seth vidal wrote:
> > > But what if you are just a regular user who doesn't have the root
> > > password? That pretty much limits the use of this feature to
> > > administrative programs (which require root anyway). Otherwise users
> > > will end up with half-broken apps
> > This should be done as configurable policy. In fact, that can be done
> > *now*, with one missing crucial bit -- the concept of limited access to
> > packages in yum. Which we could make a really crack-ridden plugin to
> > deal with....
> 'the concept of limited access to packages in yum'?
> What does that mean? I'm not sure I understand the usage here and so I'm
> not sure where/how it would work as a plugin.

For many systems, it'd be handy for users to be able to autheneticate with
their own passwords, and then with those credentials add and remove *user
level* software from known repositories with valid GPG keys, but still
require root (or wheel group membership) to add or (and especially) remove
system level software. That's useful -- but, as mentioned, kinda
crack-ridden. (Partly, of course, because the distinction between user level
and system level is very blurry.)

Right now, it's trivially easy to make it so you can run yum with your own
credentials -- but it's not limited in any way. Doing this the right way
(perhaps with oddjob) would be a bit of work, but doing it the easy but less
secure way -- run as root, check for limitations -- could be done with a
plugin.

As a first cut for policy

 1) users can't do anything that would cause a member of the Core or Base
    groups to be removed
 2) can add and remove packages from a list of groups like GNOME Desktop
    Environment, Games and Entertainment, etc., as long as it doesn't
    conflict with #1
 3) can't do anything else

Perhaps the list of protected-from-removal packages would need to be
expanded, but that's the basic idea.



-- 
Matthew Miller           mattdm mattdm org          <http://mattdm.org/>
Boston University Linux      ------>              <http://linux.bu.edu/>


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]