Summary

We will replace the remaining system groups which control device access and which desktop users are put into by default by more dynamic, flexible, and better designed ConsoleKit/PolicyKit privilege rules.

Release Note

TODO when spec is "beta available".

Rationale

NSS Groups should solely be for grouping people. They should not be used extensively to assign privileges to local device permissions, since this leads to proliferation of more and more groups, difficulties with maintaining those groups, and even more difficulties with maintaining them centrally in e. g. NIS or LDAP.

Design

Implementation

Replacements of current default groups

Groups that need to stay for now

Other devices

Console logins

In order for text console logins to succeed and get similar privileges as X11 logins, the libpam-ck-connector package should be installed by default and set up so that VT logins get a ConsoleKit session.

In addition to installing the package, the PAM module must be activated in /etc/pam.d/common-session:

 session optional    pam_ck_connector.so

This does not interfere with gdm's and kdm's built-in support for ConsoleKit. To the contrary, this unbreaks local device access for people who use a nonstandard login manager.

Migration

We will not automatically remove system groups, or any user membership, since we cannot make assumptions about how they are currently being used and customized.

Test/Demo Plan

Verify that your user is not in any of above groups any more. Test that you can playback audio and video files, get 3D acceleration, can mount CD-ROMs and USB-Sticks, and get ~/.gvfs/ FUSE mounts for network server connections done in GNOME (ssh, samba, etc.).

Outstanding Issues


CategorySpec

DesktopTeam/Specs/Intrepid/DevicePermissions (last edited 2008-09-25 15:51:48 by pitti)