Local users get to play root?
Rahul Sundaram
sundaram at fedoraproject.org
Thu Nov 19 02:22:35 UTC 2009
On 11/19/2009 07:50 AM, Mike McGrath wrote:
> On Wed, 18 Nov 2009, Jeff Garzik wrote:
>> 1) We should recognize this new policy departs from decades of Unix and Linux
>> sysadmin experience.
>>
>> 2) F12 policy should be reverted to F11, ASAP. Possibly with a CVE.
>>
>> 3) Due to #1, F13+ should not deviate from the decades-old default.
>>
>> 4) Release notes should explain new [and after step #2, optional] policy in
>> detail, including how to turn it off again. Seth's laudable write-up efforts
>> should not have been necessary -- that info should be prepared.
>>
>> 5) The people who want this new security policy should add an opt-in checkbox
>> in Anaconda or firstboot.
>
>
> Does anyone disagree with anything in 1-5? It all sounds reasonable to
> me?
Release notes are being updated as we speak. I think, the "role" of a
system, be it a personal desktop, workstation, server or something else
can change post-installation as well. I don't think a simple checkbox in
Anaconda is going to be useful enough. We need a tool to switch policies
easily so that we can tweak the policies across a wide range of tools
with things like PolicyKit and each of these policies can be written
with particular audiences in mind.
Rahul
More information about the fedora-devel-list
mailing list