[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Security policy oversight needed?



On Wed, Nov 18, 2009 at 6:37 PM, Mike McGrath <mmcgrath redhat com> wrote:
> On Wed, 18 Nov 2009, Simo Sorce wrote:
>
>> On Wed, 2009-11-18 at 17:58 -0600, Chris Adams wrote:
>> > Any package (whether new or an update) that adds/changes PolicyKit,
>> > consolehelper, or PAM configuration, and anything that installs new
>> > setuid/setgid executables, should require some additional third-party
>> > review.  Any significant changes that passes review should require some
>> > minimum amount of advance notice and documentation on how to revert
>> > (preferably in some common easy-to-find place in the wiki).
>> >
>> > Is this feasible?
>>
>> Looks like a very good idea to me.
>>
>
> I think that's too subjective though.  I'd be more in favor of a simple,
> broad view of what the user should be able to do without root.  It's
> possible "install packages" would be on that list, it's possible not.
> That way packages could ask themselves "does this break the policy?"  If
> it doesn't, great.  If it does, time for a bug report.
>
> Better then a review process because then everyone would generally know
> what to expect.
>
>        -Mike
>
I agree. I think that's easier rather than trying to understand the
specifics of each package.

stahnma


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]