[Pkg-utopia-maintainers] Bug#649385: Bug#649385: policykit-1: pkexec can not open display for GUI programs

Justin B Rye jbr at edlug.org.uk
Fri Nov 25 16:40:24 UTC 2011


Michael Biebl wrote:
> On 20.11.2011 19:30, Luca Capello wrote:
>> Perfectly fine for me, but IMHO policykit is abusing sudo, given that
>> with /etc/polkit-1/localauthority.conf.d/51-debian-sudo.conf pkexec
>> grants any privilege to members in the sudo group *without* checking if
>> this group is actually allowed in /etc/sudoers* (this *is* a bug):
> 
> This was discussed before the squeeze release. We were looking for a
> mechanism how we could grant administrative privileges to users (eg. if
> installed with a disabled root account).
> We decided to use a group for this purpose. I personally favored to use
> group "admin", but due to various reasons (similarity to adm, etc) we
> finally agreed to use group sudo for that. We, that included the sudo
> maintainer.
> 
> So, I fail to see how you consider this abusing sudo.

I'm sure the decision was made for good reasons; but the upshot is
that policykit made the pre-existing sudo group unconditionally
root-equivalent in Stable with no warning to the sysadmins who may 
have been using it for some other function (such as, say, to grant
only-slightly-trusted users the right to run housekeeping scripts out
of /usr/local/sbin).

I would have thought this change might have merited a mention in the
release-notes, or in a NEWS.Debian file for policykit-1 v0.96-4, or in
a comment in /etc/sudoers...  It's a bit late now, but if you're
thinking of allowing any further creep in these privileges, please
remember to document it somewhere.
-- 
JBR     For trifling occasions it is better to accomplish things
        simply by yelling - "Hagakure", Yamamoto Tsunetomo (1716)
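
A check for the mismatch discussed in this thread, as an added example that is not part of the original message or of the policykit or sudo packages: it compares the groups that polkit's AdminIdentities setting treats as administrators with what sudoers lets those groups run. The file contents are constructed samples and the function names are hypothetical. The sudoers parsing is simplified (no aliases, includes or line continuations), and the code assumes files in localauthority.conf.d apply in lexical order with the last AdminIdentities winning.

```python
import re

# Constructed samples (not from the thread): the polkit files model
# /etc/polkit-1/localauthority.conf.d/, the sudoers text models the
# housekeeping-scripts use of group sudo described in the message.
POLKIT_CONF = {
    "50-localauthority.conf": "[Configuration]\nAdminIdentities=unix-user:0\n",
    "51-debian-sudo.conf": "[Configuration]\nAdminIdentities=unix-group:sudo\n",
}
SUDOERS = "root ALL=(ALL:ALL) ALL\n%sudo ALL=(root) /usr/local/sbin/\n"
RULE = re.compile(r"^%(?P<group>[\w.-]+)\s+[^\s=]+\s*=\s*(?P<rest>.+)$")

def admin_identities(conf_files):
    """Effective AdminIdentities; assumes lexical file order, last one wins."""
    effective = []
    for name in sorted(conf_files):
        section = None
        for line in map(str.strip, conf_files[name].splitlines()):
            if line.startswith("[") and line.endswith("]"):
                section = line[1:-1]
            elif section == "Configuration" and line.startswith("AdminIdentities"):
                value = line.partition("=")[2]
                effective = [v.strip() for v in value.split(";") if v.strip()]
    return effective

def sudoers_group_commands(text):
    """Commands per %group rule (simplified parser, see assumptions above)."""
    rules = {}
    for line in map(str.strip, text.splitlines()):
        m = RULE.match(line)
        if m:
            rest = re.sub(r"\([^)]*\)", "", m["rest"])   # drop the Runas spec
            rest = re.sub(r"\b[A-Z_]+:\s*", "", rest)    # drop tags such as NOPASSWD:
            rules.setdefault(m["group"], []).extend(
                c.strip() for c in rest.split(",") if c.strip())
    return rules

def audit(conf_files, sudoers_text):
    """Map each polkit admin group to the commands sudoers allows that group."""
    rules = sudoers_group_commands(sudoers_text)
    groups = [i.partition(":")[2] for i in admin_identities(conf_files)
              if i.startswith("unix-group:")]
    return {g: rules.get(g, []) for g in groups}

def mismatched(conf_files, sudoers_text):
    """Groups that are polkit admins but lack an unrestricted sudoers rule."""
    found = audit(conf_files, sudoers_text)
    return sorted(g for g, cmds in found.items() if "ALL" not in cmds)
```

With the constructed input, `mismatched(POLKIT_CONF, SUDOERS)` reports group sudo, because sudoers limits it to /usr/local/sbin/ while polkit lists it as an admin identity.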




