Local users get to play root?
Dennis J.
dennisml at conversis.de
Wed Nov 18 18:02:44 UTC 2009
On 11/18/2009 06:49 PM, Seth Vidal wrote:
>
>
> On Wed, 18 Nov 2009, Jon Ciesla wrote:
>
>> nodata wrote:
>>> Am 2009-11-18 18:08, schrieb nodata:
>>>> Yikes! When was it decided that non-root users get to play root?
>>>>
>>>> Ref:
>>>> https://bugzilla.redhat.com/show_bug.cgi?id=534047
>>>>
>>>> This is horrible!
>>>>
>>>
>>> Just to elaborate:
>>>
>>> A local user is allowed to install software on the machine without
>>> being prompted for the root password.
>>>
>>> This is a recipe for disaster in my opinion.
>>>
>> So much for granting shell access on my servers. . .
>
> You have PackageKit installed on servers? really?
Why shouldn't he? AFAIK there is nothing in the package warning users not
to install this on a server.

What is the appropriate way to audit this kind of stuff? Presuming that
PackageKit uses PolicyKit to acquire the necessary privileges, is there a way
to query PolicyKit and ask "show me all instances where a process can
acquire root privileges without being asked for a password"?

I don't think it's a good idea to rely on admins knowing the magic
handshake (or in this case the magic package list of dangerous apps) for
security.

Regards,
Dennis
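
Added example, not part of the message above and not PolicyKit or PackageKit project code: one way to approach the audit question is to read the polkit action definition files and list every action whose implicit default is `yes`, meaning the caller is authorized without any authentication prompt. The directory path, the sample policy, its action ids and the function names are assumptions made for this example.

```python
import glob
import os
import xml.etree.ElementTree as ET

# Assumption: polkit-1 layout; older PolicyKit releases keep policies elsewhere.
ACTIONS_DIR = "/usr/share/polkit-1/actions"
SCOPES = ("allow_any", "allow_inactive", "allow_active")

# Constructed sample policy; the action ids are made up for illustration.
SAMPLE_POLICY = """<policyconfig>
  <action id="org.example.pkgtool.install"><defaults>
    <allow_any>no</allow_any><allow_active>yes</allow_active>
  </defaults></action>
  <action id="org.example.pkgtool.remove"><defaults>
    <allow_any>auth_admin</allow_any><allow_active>auth_admin_keep</allow_active>
  </defaults></action>
  <action id="org.example.netcfg.reload"><defaults>
    <allow_any>yes</allow_any><allow_active>yes</allow_active>
  </defaults></action>
</policyconfig>"""

def passwordless_actions(policy_xml):
    """Return (action_id, scope) pairs whose implicit default is 'yes'."""
    findings = []
    for action in ET.fromstring(policy_xml).iter("action"):
        defaults = action.find("defaults")
        if defaults is None:
            continue  # no <defaults> element to inspect
        for scope in SCOPES:
            # A scope element that is absent is simply not reported.
            if (defaults.findtext(scope) or "").strip() == "yes":
                findings.append((action.get("id"), scope))
    return findings

def audit_directory(path=ACTIONS_DIR):
    """Map each .policy file under path to its passwordless actions."""
    report = {}
    for name in sorted(glob.glob(os.path.join(path, "*.policy"))):
        try:
            with open(name, "rb") as fh:
                hits = passwordless_actions(fh.read())
        except (OSError, ET.ParseError) as exc:
            hits = [("<unreadable: %s>" % exc, "error")]  # surface, do not skip
        if hits:
            report[name] = hits
    return report

if __name__ == "__main__":
    for name, hits in audit_directory().items():
        print(name, hits)
```

This covers only the defaults that packages ship in their `.policy` files; local authority configuration on the machine can override them in either direction and has to be reviewed separately.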