
Fedora 12 lets unprivileged users install packages


Posted Nov 19, 2009 19:55 UTC (Thu) by abadidea (guest, #62082)
Parent article: Fedora 12 lets unprivileged users install packages

I'm a CS student in charge of managing the workstations around here, some of which are Linux. And my reaction to this is: "WAT."

Just because something is in an official repository doesn't mean I'm totally okay with it being on my computer and my network. A clever student could manually compile some of those programs I specifically chose not to install, but if they need to be setuid (which a lot of the iffy ones do) then that won't help them much. If someone can be trusted to install software at a whim, then why aren't they already a sudoer?

Now it happens that I don't run Fedora on anything, but I *know* that a lot of admins of Linux workstations out there are not even gonna realize this is enabled till it bites them somehow. It totally goes against the principle of least surprise, as it's not expected behavior at all.



Fedora 12 lets unprivileged users install packages

Posted Nov 19, 2009 23:38 UTC (Thu) by drag (subscriber, #31333)

"""I'm a CS student in charge of managing the workstations around here, some of which are Linux. And my reaction to this is: "WAT.""""

PolicyKit is designed specifically to help administrators add or deny privileges to users based on easy-to-port configurations. Right now you'll need a configuration engine to manage it properly, but in the future they will be configurable via LDAP.

Think about the ability to apply 'group policies' in a way that is similar to what Active Directory users are able to do.

""" Now it happens that I don't run Fedora on anything, but I *know* that a lot of admins of Linux workstations out there are not even gonna realize this is enabled till it bites them somehow. It totally goes against the principle of least surprise, as it's not expected behavior at all."""

Yes. Fedora screwed up by not making this change more apparent. That is a bad move. But this is the point of using Fedora... users and developers are given the freedom to play around. This is part of what makes Fedora desirable... people are able to get access to cutting-edge Linux features and functionality. This is just one of hundreds of unmentioned changes that happened between F11 and F12.

If you want predictability, stick to something that is designed to be predictable (Debian Stable, Ubuntu LTS, CentOS, Red Hat, etc.).

Without a doubt this feature WILL be in other distros after it's been given a bit more time to have the issues ironed out and people have become comfortable with the concepts and policies being introduced.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.