Local users get to play root?
Krzysztof Halasa
khc at pm.waw.pl
Thu Nov 19 20:17:34 UTC 2009
Jeff Garzik <jgarzik at pobox.com> writes:
> The only thing that will fix the damage is to update PK, reverting the
> default-insecure policy.
Precisely. I didn't imagine anyone would come with such idea. Even MS
prompts for admin password, doesn't it? And I was told Fedora isn't more
lame when it comes to security than MS.
> May I remind folks that it is easy to UPGRADE INTO INSECURITY here.
> Admins with servers, coming from F10/F11, can very easily fall into
> this trap simply by updating their current systems.
This is not (only) about servers. Desktops have the same problems. E.g.
family computer, or a classroom PC. And even on my "personal" station
I want the unprivileged IDs to not be able to perform administrative
tasks, because access to these "weaker" accounts may be not protected
well enough.
And if we say that installing additional packages can't easily
compromise system security (because e.g. network services are off by
default), then how on Earth can we say at the same time it's ok and "by
design" that installing a single non-network service program opens
a huge door for attacks?
Just admit this was a bug or maybe backdoor and fix "critical security
problem" ASAP.
--
Krzysztof Halasa
More information about the fedora-devel-list
mailing list