[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Local users get to play root?



On Wed, 2009-11-18 at 15:43 -0900, Jeff Spaleta wrote:
> On Wed, Nov 18, 2009 at 3:35 PM, Eric Christensen
> <eric christensenplace us> wrote:
> > PackageKit is something right there on the desktop that, to its credit,
> > needs little knowledge to use whereas many of your attack vectors noted
> > above are generally fixed in my shop by use of a kickstart and securing
> > the box from physical access and require a higher skill to perform.
> 
> So can't you harden this with a kickstart file line like you do in
> your other hardening steps in your shop? I think to point Bill is
> trying to make is that there are of a number of other settings that
> need to be hardened and that this choice is just one of many choices
> associated with security associated with a console user.  Console user
> security is already a leaky ship and PK is just one more hole.
> 
> -jef
> 

Maybe.  I mean removing (or not installing) PK is a snap with kickstart.
I haven't visited my kickstart in a while so...  :)

I guess the big thing, to me, is that this vulnerability wasn't
presented, documented, or talked about and it is the opposite policy to
what most (all?) SYSADMINS would expect.  If you don't know to fix it
then you are pwned.  Most of the hardening guides that I've read or have
contributed to assumed that the operating system wouldn't allow this
kind of behavior by default and thus doesn't really address it.  I know
the hardening guide for RHEL from the NSA talks about setting up sudo
and how to use it but doesn't talk about securing pup, IIRC.

--Eric

Attachment: signature.asc
Description: This is a digitally signed message part


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]