On Mon, 22.06.09 09:33, Arnold Krille (arnold(a)arnoldarts.de) wrote:
> On Monday 22 June 2009 02:09:36 Lennart Poettering wrote:
> > Doing authorization via groups is broken,
> What??? Did you ever do administration for more than one computer???
> Authorization by groups is _the only_ way to go if you have more than one user
> to authorize for anything.
> If you don't agree ask firms with intranets and net-wide authorization, look at
> yp/nis/ldap/Active Directory.
Please read up on PolicyKit. What it does, and why it has been
introduced.

You practically cannot take group membership away from a user after
you gave it to him, and also adding a separate group for every tiny
bit you need to authorize access to doesn't scale.
> > since practically you can never take group membership away.
> Yes, you can. Just remove the person from a group and the next time the groups
> are checked for that user, the rights are gone.
Except that this doesn't work.
http://hal.freedesktop.org/docs/PolicyKit/intro-define-problem.html
Lennart
--
Lennart Poettering Red Hat, Inc.
lennart [at] poettering [dot] net
http://0pointer.net/lennart/ GnuPG 0x1A015CC4