[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Local users get to play root?





On Wed, 18 Nov 2009, Konstantin Ryabitsev wrote:

2009/11/18 Jon Ciesla <limb jcomserv net>:
A local user is allowed to install software on the machine without being
prompted for the root password.

This is a recipe for disaster in my opinion.

So much for granting shell access on my servers. . .

I may be wrong, but I understand that this behaviour of PackageKit
only applies to users with direct console access (i.e. not remote
shells). So, only users that are logged in via GDM or TTY would be
able to perform such tasks.

This significantly limits the number of users with powers to install
signed software -- almost to the point of where it sounds like a fair
trade-off. If someone has physical access to the machine, then heck --
it's not like they don't already effectively "own" it.

Not saying it's a good default policy -- but let's cool our heads.

might be worth testing that feature with pkcon from an ssh terminal. I've not done that yet but I think it would be worth checking out.

-sv


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]