clock riddle
Chris Adams
cmadams at hiwaay.net
Tue Feb 24 14:18:41 UTC 2009
Once upon a time, Chris Adams <cmadams at hiwaay.net> said:
> What mechanism is there to keep track of these policies? There should
> be a Fedora policy to control RPMs adding new policies to PolicyKit. As
> a system admin, I look for setuid/setgid binaries and open sockets, but
> now there's a new method to bypass that for root-level access.
As a follow-up, I see on F10 that a user can also increase their process
priority level (which is normally a privilege reserved for root). This
is often useful in timing attacks and should not be allowed.
If I'm reading the policy right, users can change PackageKit proxy
settings and force a refresh of metadata. How much has PackageKit's
(and yum's) code been audited for security? If I can point it at a
proxy and force it to download data, how secure is it against attack
(e.g. via corrupted data)?
--
Chris Adams <cmadams at hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
More information about the fedora-test-list
mailing list