Re: Security policy oversight needed?

[Chris Adams <cmadams hiwaay net>]

Once upon a time, Richard Hughes <hughsient gmail com> said:
> If you're not shipping custom PolicyKit rules then at the moment
> normal users can, without authentication:
> 
> * Grant high priority scheduling to a user process

I have complained about this.

> * Connection sharing via a protected WiFi network

Only if the NetworkManager daemon is running, right?

> * Suspend the system

Again, on/off don't change system policy.

> * Inhibit media detection
> * Mount a device

The user mounts are locked down (noexec), right?

> * Restart the system

Again, on/off don't change system policy.

> * Get information about system services

Information that has always been available, right?

> * Install debuginfos using abrt

Didn't know about this one; another thing that should be changed by
default.

> * Enroll new fingerprints

That's along the lines of "change their password", which is reasonable
(unless this is giving elevated access to those fingerprints).

-- 
Chris Adams <cmadams hiwaay net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.