
Re: Local users get to play root?

2009/11/18 Simo Sorce <ssorce redhat com>:
> On Wed, 2009-11-18 at 13:19 -0500, Konstantin Ryabitsev wrote:
>> This significantly limits the number of users with powers to install
>> signed software -- almost to the point of where it sounds like a fair
>> trade-off. If someone has physical access to the machine, then heck --
>> it's not like they don't already effectively "own" it.
> Most of my users wouldn't be able to "own" it even if I let a root shell
> open, but they would definitely be able to install or remove packages
> using the GUI.
> The difference is huge.

If I have physical access to your machine, I'll own it. I may have to
use tools to get to the HDD, but it's only a question of time and

Now, there can be situations where someone has access to the TTY
console or GDM (usually when it's a VM guest or a machine behind a
network KVM), but most often, if someone can log in on the console,
they are sitting in front of the physical box, to which they have full

McGill University IT Security
Konstantin Ryabitsev
Montréal, Québec
