Re: Local users get to play root?

[Seth Vidal <skvidal fedoraproject org>]

On Wed, 18 Nov 2009, Seth Vidal wrote:

> > 2009/11/18 nodata <lsof nodata co uk>:
> > > Am 2009-11-18 20:20, schrieb Richard Hughes:
> > > > 2009/11/18 Casey Dahlin<cdahlin redhat com>:
> > > > > By the admin's first opportunity to change the settings the box could
> > > > > already be rooted.
> > > >
> > > > I'm not sure how you can root a computer from installing signed
> > > > content by a user that already has physical access to the machine.
> > >
> > > You install software with a known buffer overflow before it is fixed and
> > > exploit it. More software = more chances to exploit. Bingo!
> >
> > If a user logged in from a physical local console wanted to exploit
> > their machine, this would be the hard way to do it.
>
>
> So here is what I've just gotten from talking to Ray Strode and reading docs.
>
> if you want to disable this just run:
>
> pklalockdown --lockdown org.freedesktop.packagekit.package-install
>
> that will keep anyone from installing pkgs w/o authenticating as admin.
>
>
> That's the short version.
>
> the long version I'm working on writing up right now.

longer version w/some more details:


http://skvidal.wordpress.com/2009/11/18/polkit-and-package-kit-and-changing-settings/

-sv