[LAD] [ANNOUNCE] Safe real-time on the desktop by default; Desktop/audio RT developers, read this!

[Lennart Poettering]

On Mon, 22.06.09 09:33, Arnold Krille (arnold at arnoldarts.de) wrote:

> On Monday 22 June 2009 02:09:36 Lennart Poettering wrote:
> > Doing authorization via groups is broken,
> 
> What??? Did you ever do administration for more then one computer??? 
> Authorization by groups is _the only_ way to go if you have more then one user 
> to authorize for anything.
> If you don't agree ask firms with intranets and net-wide authorization, look at 
> yp/nis/ldap/Active Directory.

Please read up on PoliyKit. What it does, and why it has been
introduced. 

You practically cannot take group membership away from a user after
you gave it to him, and also adding a seperate group for every tiny
bit you need to authorize access to doesn't scale.

> > since practically you can
> > never take group membership away.
> 
> Yes, you can. Just remove the person from a group and the next time the groups 
> are checked for that user, the rights are gone.

Except that this doesn't work.

http://hal.freedesktop.org/docs/PolicyKit/intro-define-problem.html

Lennart

-- 
Lennart Poettering                        Red Hat, Inc.
lennart [at] poettering [dot] net
http://0pointer.net/lennart/           GnuPG 0x1A015CC4