
Re: Local users get to play root?

On Wed, 2009-11-18 at 19:23 -0500, Bill Nottingham wrote:
> Jeff Garzik (jgarzik pobox com) said:
> > Sorry, but this default (desktop users can install pkgs without
> > root) is just stupid.  It is antithetical to all standard security
> > models that have come before in Fedora and other Linux
> > distributions.
>
> Out of the box, a desktop user has the ability to shut down the machine.
> This gives them the ability, out of the box, to:
> - DoS everyone on it
> - get a root shell
> -- install whatever they want
> -- put viruses on
> - hell, slap in a livecd or USB key and reinstall the box
>
> It's a behavior change, for sure. For people who want to lock down their
> systems, it's a default they will need to be able to change, and they
> should have been able to discover it through the normal mechanisms for
> that (i.e., the release notes). It likely should have been discussed
> when it was introduced - it's obviously not something that's applicable
> to all usage cases for the OS.
>
> But really, given that users out of the box can do *far far worse*, I'm
> not seeing the 'shameful', 'antithetical', OMG THE SKY IS FALLING AND
> YOU ALL SHOULD BE DRAWN AND QUARTERED sort of angst. Maybe people are
> tired of bagging tea and want new things to be outraged about.
>
> Bill

You are assuming that the users have physical access to the box and also
know how to get a root shell and that the box hasn't been hardened
(before the PK vulnerability was known).

PackageKit is something right there on the desktop that, to its credit,
needs little knowledge to use whereas many of your attack vectors noted
above are generally fixed in my shop by use of a kickstart and securing
the box from physical access and require a higher skill to perform.

I'm not saying this new "functionality" in PK is necessarily bad, but it
should have been easily ENABLED (not by default) by an admin with root.

Of course, in my thought process, now, PK should probably not be
installed on systems where users shouldn't have unrestricted access to
the repo.
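One way an admin would enforce the "enabled only by root" behaviour the poster asks for, as an added example that is not part of this thread: a local PolicyKit authority override that makes PackageKit's install action require administrator authentication in every session. The action name and the localauthority path are assumptions based on the polkit 0.9x layout of that era; the thread itself names neither.

```ini
# Added example, not from the thread.
# Assumed path: /etc/polkit-1/localauthority/50-local.d/10-packagekit-install.pkla
# Assumed action: org.freedesktop.packagekit.package.install
# The default being argued about amounted to ResultActive=yes, i.e. any
# user on a local active console could install packages with no password.
# Setting all three results to auth_admin restores the root-only model;
# a later rule could relax it for a specific group if the site wants that.
[Require admin authentication to install packages]
Identity=unix-user:*
Action=org.freedesktop.packagekit.package.install
ResultAny=auth_admin
ResultInactive=auth_admin
ResultActive=auth_admin
```

Files under 50-local.d are evaluated after the distribution's own rules in the lower-numbered directories, so this override survives package updates.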


