FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > ArchLinux > ArchLinux General Discussion

 
 
LinkBack Thread Tools
 
Old 11-19-2010, 01:58 PM
Máirín Duffy
 
Default User Experience improvements for Anaconda

Hi Chris,

On Fri, 2010-11-19 at 14:33 +0000, clumens@redhat.com wrote:
> > Root Password
> > =============
> > - It will warn you after you hit Next if your password fails for various
> > reasons (length, strength, type of characters, etc.). We could do that as
> > you type as well. That already exists in firstboot so doing it in anaconda
> > is consistent.
> > - This screen is also a whole lot of grey and is just asking to be merged or
> > killed.
>
> Okay, fine, I'll go ahead and suggest it.
>
> Why don't we remove this screen entirely? Lock the root account by
> default, force creation of a new user, and set that user up with sudo
> access. We can preserve the root password command in kickstart.

That sounds great to me and I feel it's the right direction. My only
worry is that currently the PolicyKit GUI prompts for the root password
and it doesn't seem to recognize if an account has sudo access. A couple
of scenarios:

Scenario 1:
===========
I install Fedora - I'm the first user and have sudo access. Some time
passes, and I get an alert that there's security updates. PackageKit
offers to update for me. I click to tell it to go ahead, and it asks me
for the root password.

This scenario isn't the end-of-the-world - I can go into a terminal,
sudo su -, and set a password for root, but that's annoying, and not
really obvious to a substantial number of users who are computer
literate and maybe even savvy but relatively new to Linux and/or the
command line.

Scenario 2:
===========
I've got Fedora set up and my uncle has an account on the machine. I'm
in the living room watching the latest dancing with the stars, when my
uncle calls me over. He's trying to install this awesome app he heard
about - Inkscape - but the install window is asking him for the root
password.

Again, not the end-of-the-world, but annoying.

My major problem with these two scenarios is that it's really hard for
someone to use the computer in a useful manner without installing
updates and/or installing new software, so it's pretty much guaranteed
users are going to be prompted for the root password on the desktop at
some point. That they need to know a magical incantation only possible
via console or command line I think is a bit much.

Ideas to solve this:
====================

- Can we talk to the policykit maintainer(s) to see if they would be
willing to have policykit recognize sudo access and accept the password
of users with sudo access for these dialogs? This is the ideal solution
I think, because you can keep the root password unset, which I think
might make the system maybe less vulnerable to attack.

- If not, can we create some kind of GUI to set the root password so at
least the PITA process to get one isn't command-line only?

~m

_______________________________________________
Anaconda-devel-list mailing list
Anaconda-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/anaconda-devel-list
 
Old 11-19-2010, 03:29 PM
Bruno Wolff III
 
Default User Experience improvements for Anaconda

On Fri, Nov 19, 2010 at 09:58:34 -0500,
Máirín Duffy <duffy@fedoraproject.org> wrote:
>
> That sounds great to me and I feel it's the right direction. My only
> worry is that currently the PolicyKit GUI prompts for the root password
> and it doesn't seem to recognize if an account has sudo access. A couple
> of scenarios:

I seem to remember from the PolicyKit discussion a while back, that there
was a goal to eventually have admin accounts be able to do updates without
needing to enter the root password. I think the discussion at the time
was that everyone was allowed to do this. I think it would make sense for
an account created during firstboot to be able to do this.

_______________________________________________
Anaconda-devel-list mailing list
Anaconda-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/anaconda-devel-list
 
Old 11-19-2010, 08:01 PM
Steve Allen
 
Default User Experience improvements for Anaconda

clumens@redhat.com wrote:
> > Root Password
> > =============
> > - It will warn you after you hit Next if your password fails for various
> > reasons (length, strength, type of characters, etc.). We could do that as
> > you type as well. That already exists in firstboot so doing it in anaconda
> > is consistent.
> > - This screen is also a whole lot of grey and is just asking to be merged or
> > killed.
>
> Okay, fine, I'll go ahead and suggest it.
>
> Why don't we remove this screen entirely? Lock the root account by
> default, force creation of a new user, and set that user up with sudo
> access. We can preserve the root password command in kickstart.

I wouldn't enjoy that. I set all my machines up with NIS. Not one has
a local user account.

Steve

--
Steven R. Allen - Linux Admin Weenie
Unix sysadmin: Linux, IRIX, NetBSD, OS X, Solaris, HP/UX, CX/UX
Phone: 206-544-0910 M/S: 4J-06

_______________________________________________
Anaconda-devel-list mailing list
Anaconda-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/anaconda-devel-list
 
Old 11-20-2010, 06:53 PM
Máirín Duffy
 
Default User Experience improvements for Anaconda

On Fri, 2010-11-19 at 21:01 +0000, Steve Allen wrote:
> clumens@redhat.com wrote:
> > > Root Password
> > > =============
> > > - It will warn you after you hit Next if your password fails for various
> > > reasons (length, strength, type of characters, etc.). We could do that as
> > > you type as well. That already exists in firstboot so doing it in anaconda
> > > is consistent.
> > > - This screen is also a whole lot of grey and is just asking to be merged or
> > > killed.
> >
> > Okay, fine, I'll go ahead and suggest it.
> >
> > Why don't we remove this screen entirely? Lock the root account by
> > default, force creation of a new user, and set that user up with sudo
> > access. We can preserve the root password command in kickstart.
>
> I wouldn't enjoy that. I set all my machines up with NIS. Not one has
> a local user account.

NIS is configured on a different screen than the one that is being
discussed for removal.

By 'not one has a local user account' are you including local root
accounts?

~m

_______________________________________________
Anaconda-devel-list mailing list
Anaconda-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/anaconda-devel-list
 
Old 11-22-2010, 02:01 AM
Bill Nottingham
 
Default User Experience improvements for Anaconda

Máirín Duffy (duffy@fedoraproject.org) said:
> > Why don't we remove this screen entirely? Lock the root account by
> > default, force creation of a new user, and set that user up with sudo
> > access. We can preserve the root password command in kickstart.
>
> That sounds great to me and I feel it's the right direction. My only
> worry is that currently the PolicyKit GUI prompts for the root password
> and it doesn't seem to recognize if an account has sudo access. A couple
> of scenarios:

For PolicyKit, you'd set the first user to be in the desktop_admin_r
group; that's a similar role to sudo.

Bill

_______________________________________________
Anaconda-devel-list mailing list
Anaconda-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/anaconda-devel-list
 
Old 11-22-2010, 01:30 PM
Steve Allen
 
Default User Experience improvements for Anaconda

Máirín Duffy <duffy@fedoraproject.org> wrote:
> On Fri, 2010-11-19 at 21:01 +0000, Steve Allen wrote:
> > clumens@redhat.com wrote:
> > > > Root Password
> > > > =============
> > > > - It will warn you after you hit Next if your password fails for various
> > > > reasons (length, strength, type of characters, etc.). We could do that as
> > > > you type as well. That already exists in firstboot so doing it in anaconda
> > > > is consistent.
> > > > - This screen is also a whole lot of grey and is just asking to be merged or
> > > > killed.
> > >
> > > Okay, fine, I'll go ahead and suggest it.
> > >
> > > Why don't we remove this screen entirely? Lock the root account by
> > > default, force creation of a new user, and set that user up with sudo
> > > access. We can preserve the root password command in kickstart.
> >
> > I wouldn't enjoy that. I set all my machines up with NIS. Not one has
> > a local user account.
>
> NIS is configured on a different screen than the one that is being
> discussed for removal.

Yes, I realize that.

> By 'not one has a local user account' are you including local root
> accounts?

No -- root is the only local account (other than the various machine
accounts, but they don't count). It's not a user account. There
is no local user to give sudo access to.

Steve

--
Steven R. Allen - Linux Admin Weenie
Unix sysadmin: Linux, IRIX, NetBSD, OS X, Solaris, HP/UX, CX/UX
Phone: 206-544-0910 M/S: 4J-06

_______________________________________________
Anaconda-devel-list mailing list
Anaconda-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/anaconda-devel-list
 
Old 11-22-2010, 02:37 PM
Máirín Duffy
 
Default User Experience improvements for Anaconda

On Mon, 2010-11-22 at 14:30 +0000, Steve Allen wrote:
> > NIS is configured on a different screen than the one that is being
> > discussed for removal.
>
> Yes, I realize that.
>
> > By 'not one has a local user account' are you including local root
> > accounts?
>
> No -- root is the only local account (other than the various machine
> accounts, but they don't count). It's not a user account. There
> is no local user to give sudo access to.

So what if on the screen where a the local, sudo-ed account is set up,
there's an option to skip it and opt for NIS?

Do you want to explicitly set a root password on top of that or does
that not matter?

~m

_______________________________________________
Anaconda-devel-list mailing list
Anaconda-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/anaconda-devel-list
 
Old 11-22-2010, 04:45 PM
Steve Allen
 
Default User Experience improvements for Anaconda

Máirín Duffy <duffy@fedoraproject.org> wrote:
> On Mon, 2010-11-22 at 14:30 +0000, Steve Allen wrote:
> > > NIS is configured on a different screen than the one that is being
> > > discussed for removal.
> >
> > Yes, I realize that.
> >
> > > By 'not one has a local user account' are you including local root
> > > accounts?
> >
> > No -- root is the only local account (other than the various machine
> > accounts, but they don't count). It's not a user account. There
> > is no local user to give sudo access to.
>
> So what if on the screen where a the local, sudo-ed account is set up,
> there's an option to skip it and opt for NIS?
>
> Do you want to explicitly set a root password on top of that or does
> that not matter?

I already skip the creation of a local account, and set up NIS. And yes,
I do want to set a root password.

Steve

--
Steven R. Allen - Linux Admin Weenie
Unix sysadmin: Linux, IRIX, NetBSD, OS X, Solaris, HP/UX, CX/UX
Phone: 206-544-0910 M/S: 4J-06

_______________________________________________
Anaconda-devel-list mailing list
Anaconda-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/anaconda-devel-list
 
Old 11-22-2010, 05:50 PM
Máirín Duffy
 
Default User Experience improvements for Anaconda

On Mon, 2010-11-22 at 17:45 +0000, Steve Allen wrote:
> I already skip the creation of a local account, and set up NIS. And yes,
> I do want to set a root password.

I know you already skip it today, but you wouldn't be able to do that in
Chris' original proposal I think. I can make sure in the redesign that
we handle your case. Thanks!

~m

_______________________________________________
Anaconda-devel-list mailing list
Anaconda-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/anaconda-devel-list
 
Old 11-22-2010, 07:34 PM
Steve Allen
 
Default User Experience improvements for Anaconda

Máirín Duffy <duffy@fedoraproject.org> wrote:
> On Mon, 2010-11-22 at 17:45 +0000, Steve Allen wrote:
> > I already skip the creation of a local account, and set up NIS. And yes,
> > I do want to set a root password.
>
> I know you already skip it today, but you wouldn't be able to do that in
> Chris' original proposal I think. I can make sure in the redesign that
> we handle your case. Thanks!

And thank you for the consideration.

Steve

--
Steven R. Allen - Linux Admin Weenie
Unix sysadmin: Linux, IRIX, NetBSD, OS X, Solaris, HP/UX, CX/UX
Phone: 206-544-0910 M/S: 4J-06

_______________________________________________
Anaconda-devel-list mailing list
Anaconda-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/anaconda-devel-list
 

Thread Tools




All times are GMT. The time now is 03:24 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright ©2007 - 2008, www.linux-archive.org