Local users get to play root?
Jeff Garzik
jgarzik at pobox.com
Wed Nov 18 21:51:26 UTC 2009
On 11/18/2009 01:41 PM, Konstantin Ryabitsev wrote:
> 2009/11/18 Simo Sorce <ssorce at redhat.com>:
>> On Wed, 2009-11-18 at 13:19 -0500, Konstantin Ryabitsev wrote:
>>> This significantly limits the number of users with powers to install
>>> signed software -- almost to the point of where it sounds like a fair
>>> trade-off. If someone has physical access to the machine, then heck --
>>> it's not like they don't already effectively "own" it.
>>
>> Most of my users wouldn't be able to "own" it even if I let a root shell
>> open, but they would definitely be able to install or remove packages
>> using the GUI.
>>
>> The difference is huge.
>
> If I have physical access to your machine, I'll own it. I may have to
> use tools to get to the HDD, but it's only a question of time and
> dedication.
>
> Now, there can be situations where someone has access to the TTY
> console or GDM (usually when it's a VM guest or a machine behind a
> network KVM), but most often, if someone can log in on the console,
> they are sitting in front of the physical box, to which they have full
> access.
Console access is no excuse for a completely lax security policy.
Didn't Microsoft Windows teach us all that?
In the real world(tm), hacking via console access still means there are
a lot of hurdles you must dodge, like making noise while opening the case.
This new policy completely screws multi-user setups where (for example)
kids are given a login to play games -- but I sure don't want them to be
installing packages. Now, package installs for them are trivial.
The physical argument by policy proponents is the real straw man:
F12+PK lowers the security barrier from "difficult" to "a simple mouse
click."
Jeff
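A defender-side override for the policy being argued about, added here as an example and not part of the thread: a polkit local-authority rule that makes the PackageKit install action require administrator authentication even for an active console session. The action id, directory, file suffix and key names come from PackageKit and polkit 0.9x as shipped in that era, not from this message; the file name itself is an assumption.

```ini
# /etc/polkit-1/localauthority/50-local.d/10-require-admin-for-pkg-install.pkla
# (file name is an assumption; polkit 0.9x reads every *.pkla in this directory)
#
# Before (the F12 default under discussion): the PackageKit vendor policy lets
# any active console user run org.freedesktop.packagekit.package-install with
# no authentication, which is the same effect as ResultActive=yes below.
#
# After: the same action asks for the administrator's password and remembers
# the answer only for the current session (auth_admin_keep).

[Require admin authentication to install signed packages]
Identity=unix-user:*
Action=org.freedesktop.packagekit.package-install
ResultAny=no
ResultInactive=no
ResultActive=auth_admin_keep
```

The bracketed section name is free text; the three Result* keys cover the three session states polkit distinguishes (any other session, inactive local session, active local session), so the active-console case that Jeff objects to is the one changed from implicit "yes" to an admin prompt.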