[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Local users get to play root?

Richard Hughes wrote:

> 2009/11/19 Jeff Garzik <jgarzik pobox com>:
>> 1) We should recognize this new policy departs from decades of Unix and
>> Linux sysadmin experience.
> Sure, it's different. It doesn't make it wrong.

But the real issues which have been pointed out do.

>> 2) F12 policy should be reverted to F11, ASAP.  Possibly with a CVE.
> PolicyKit in F12 doesn't have the auth_admin (and save forever to
> disk) functionality that F11 did.

PackageKit can make remembering the authorization work without that feature. 
Or do you see any reason why:
would not work?
(That said, I also blame PolicyKit for this apparently intentional 

> I think what we have in F12 is much more usable, perhaps trading off with
> the perceived loss of control.

I think you just picked the easy way out without realizing the consequences 
and are now spitting out bullsh*t to make us believe that decision made 

> I say perceived as actually typing in a root password doesn't actually
> make the system any more secure at all, less if anything.

How is it less secure to only allow users knowing the root password (i.e. 
presumably the administrator(s) of the machine; if somebody else knows the 
root password, you have a big problem!) to install packages on their system 
on their own than to allow everyone and their dog to do it just because they 
happen to be sitting at the keyboard?

>> 3) Due to #1, F13+ should not deviate from the decades-old default.
> Using that argument, we can just keep using GTK tools written in
> python, that use consolehelper to run 2 million lines of code as the
> root user on the users session. How wonderful.

That's a strawman. It wasn't his argument at all.

> Err, I don't think this is how we want to brand the desktop spin.
> Other spins just need to ship different defaults for all the other
> PolicyKit daemons too.

If anything, the GNOME desktop spin should be the one customizing the 
policy, the default should be secure. But I don't consider this default 
appropriate even for that one spin.

> Also, we've not made this change upstream lightly. We've got upstream
> review and policy documents which you might find useful:
> http://cgit.freedesktop.org/packagekit/plain/docs/security.txt
> http://cgit.freedesktop.org/packagekit/plain/docs/setting-the-proxy.txt

And still you failed to realize the obvious issues with this change?

        Kevin Kofler

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]