[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Local users get to play root?



2009/11/18 Jon Ciesla <limb jcomserv net>:
>> A local user is allowed to install software on the machine without being
>> prompted for the root password.
>>
>> This is a recipe for disaster in my opinion.
>>
> So much for granting shell access on my servers. . .

I may be wrong, but I understand that this behaviour of PackageKit
only applies to users with direct console access (i.e. not remote
shells). So, only users that are logged in via GDM or TTY would be
able to perform such tasks.

This significantly limits the number of users with powers to install
signed software -- almost to the point of where it sounds like a fair
trade-off. If someone has physical access to the machine, then heck --
it's not like they don't already effectively "own" it.

Not saying it's a good default policy -- but let's cool our heads.

Regards,
-- 
McGill University IT Security
Konstantin Ryabitsev
Montréal, Québec


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]