On Thu, Sep 29, 2011 at 12:55:25PM +0200, Tom Gundersen wrote:
This makes no sense. I don't mind if they use their own sticks on their own laptop. I do if they use it one this particular machine.
This is surely a very uncommon scenario. It is easily solved by tweaking the PK policies though (which should be expected if you want to do something non-standard).
?? What's uncommon about that ? I don't care what anyone does with his/her own usb disks on his/her own machine. It's not my business. I *do* care if users connect an usb disk to my machine.
Not necessary. Priveleges to do certain things are given per user or to groups, it's done when a user's account is set up and that's it. Sudo can handle this nicely. The fstab entries for my own usb disks are there mainly because they have dedicated mount points.
The last thing I want as an admin is a 'parallel administration' such as polkit, in particular if it can grant priveleges just by adding some files to a directory. That's very convenient for package managers etc. but it surely does not enhance security.
Having too coarse grained security policies means that users will be given access to more operations than they strictly speaking need.
What makes you think that the configuration I use is 'too coarse grained' ??
So, yes, PK does increase security by limiting what users can do.
That's what any security system does, so rather irrelevant.
And in fact it has the opposite effect: just installing some packages that use PK can suddenly allow things that were not allowed before. The only way to avoid that is to ship all PK enabled packages with 'unix permissions only', and that is certainly not what I see happen.