
Re: Security policy oversight needed?



On Wed, 18 Nov 2009, Simo Sorce wrote:

> On Wed, 2009-11-18 at 17:58 -0600, Chris Adams wrote:
> > Any package (whether new or an update) that adds/changes PolicyKit,
> > consolehelper, or PAM configuration, and anything that installs new
> > setuid/setgid executables, should require some additional third-party
> > review.  Any significant changes that pass review should require some
> > minimum amount of advance notice and documentation on how to revert
> > (preferably in some common easy-to-find place in the wiki).
> >
> > Is this feasible?
>
> Looks like a very good idea to me.
>

I think that's too subjective though.  I'd be more in favor of a simple,
broad view of what the user should be able to do without root.  It's
possible "install packages" would be on that list, it's possible not.
That way packages could ask themselves "does this break the policy?"  If
it doesn't, great.  If it does, time for a bug report.

Better than a review process because then everyone would generally know
what to expect.

	-Mike

