[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Local users get to play root?



On 11/19/2009 03:59 PM, Peter Jones wrote:
> On 11/19/2009 03:37 PM, Jeff Garzik wrote:
>> On 11/19/2009 12:16 PM, Simon Andrews wrote:
>>> Bill Nottingham wrote:
>>>> Jeff Garzik (jgarzik pobox com) said:
>>>>> This sounds like a tacit admission that the default install for
>>>>> servers is bloody stupid (== same as desktop), unless the admin
>>>>> REMOVES packages we helpfully installed on the server system.
>>>>
>>>> PackageKit has only ever been included in desktop package groups.
>>>> While these groups are enabled by default, they are with the caveat of:
>>>>
>>>> "The default installation of Fedora includes a set of software
>>>> applicable for general internet usage."
>>>
>>> I've just been and checked on our servers, which were installed with
>>> minimal packages and never used for desktop activities and found two of
>>> them with PackageKit installed.
>>>
>>> Looking at the dependencies there is nothing on those machines which
>>> currently requires PackageKit so it could be cleanly removed, but
>>> something has pulled this in as a dependency in the past.
>>>
>>> Both of these machines have been through sequential upgrades from around
>>> FC3.
>>>
>>> Changing the behaviour of PackageKit would certainly affect me and I've
>>> never explicitly installed it.
>>
>> Indeed.  This issue is giving Fedora a major black eye in security.
>>
>> And this major security issue -- where admins upgrade into insecurity --
>> is just hand-waved away even though it applies to a lot of situations.
>
> Seriously, quit spreading this "it's hand-waved away" FUD.  Elsewhere in
> the thread, notably without your participation, people have started

I'm in the thread; I guess that's another thing you are hand-waving away.

> discussing both guidelines for how polkit policy should work and also
> mentioned that they're going to bring this specific case up at the next
> FESCo meeting and try to deal with it.
>
> So seriously, quit pontificating about how your opinion is the truth,
> the way, and the light, and start reading what others are saying.  It's
> not as you seem to think it is.

These are facts, not opinion:

* F11 with PK would prompt for a password
* F12 with PK does not

* Everyone upgrading to F12, with PK on their system, receives this wonderful gift of lessened security.

* The user is not warned of this change, either via upgrade tool or [gold] release notes.

* Judging by the reaction here and elsewhere, this change was NOT expected by the Fedora userbase.


Every second that ticks by, more people upgrade into insecurity, with no warning besides a slashdot thread. This is a secalert issue.

	Jeff



