[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Local users get to play root?



On Wed, 2009-11-18 at 18:03 -0500, Jeff Garzik wrote:
> On 11/18/2009 05:51 PM, Rahul Sundaram wrote:
> > On 11/19/2009 04:19 AM, Richard Hughes wrote:
> >> 2009/11/18 Seth Vidal<skvidal fedoraproject org>:
> >>> Richard,
> >>>   to be fair, when I asked you how to edit a .pkla file you couldn't tell me.
> >>> So, if our engineers don't know the basics, how should our users?
> >>
> >> Fair comment. Release notes additions might be good in this regard.
> >
> > It should have been announced and documented with the rationale for the
> > change *before* the release. Just pretending that everyone should know
> > about how PolicyKit works when documentation is just lacking doesn't cut
> > it. You didn't even respond to by bugzilla comment and just closed the
> 
> Agreed 100.1%.
> 
> 
> > bug. We will still do a post-release update for the release notes now
> > but that's scrambling to minimize damage.
> 
> The only thing that will fix the damage is to update PK, reverting the 
> default-insecure policy.
> 
> May I remind folks that it is easy to UPGRADE INTO INSECURITY here. 
> Admins with servers, coming from F10/F11, can very easily fall into this 
> trap simply by updating their current systems.
> 
> 	Jeff

Has anyone drafted a notice to go out on the Announce List explaining
this vulnerability?  If admins don't know to fix/remove PK then they are
putting their systems at risk.

--Eric

Attachment: signature.asc
Description: This is a digitally signed message part


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]