[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: PackageKit policy: background and plans



On Fri, Nov 20, 2009 at 7:19 PM, James Morris <jmorris namei org> wrote:
> On Fri, 20 Nov 2009, Matthew Garrett wrote:
>
>> I know basically nobody who, on a generally single user system,
>> explicitly switches to a console to log in as root and perform package
>> installs there.
>
> This is how I started doing things in 1993, although I changed to sudo a
> few years back.

I also do it. I usually use the graphical tool once or twice a release
and then find myself not able to do something that yum lets me do
automatically so go back to just yum. Then again I have been doing it
this way for about as long as James Morris. I find myself completely
frustrated trying to do stuff on a Mac or Windows box when the gui is
just spinning and I have no idea a) is it installing, b) is it
crashing etc.

>> >  - The local session has a new means to execute in a high privilege
>> >    context, i.e. that which is required to install the system itself.
>> >    This is a problem alone -- everything which runs in this context is
>> >    now a prime attack target.
>>
>> I don't think I'd agree with that. The common case for F10 and F11 will
>> be for people to have installed a package once with the root password
>> and then ticked the "Remember authentication" box. At that point, we
>> have the same security exposure as we do with F12 (again, concentrating
>> on the single-user machine case).
>
> I never tick those boxes.  I'd like to know how to get rid of them
> entirely.

I agree.. the corporate/government places I have dealt with usually
have to hack the code to get rid of it because it violates so many
policies its not funny.

>> I definitely agree that there's a whole range of cases where this isn't
>> the behaviour you want. But for the vast majority of our users, I don't
>> think there's a real security issue here.

I think the vast majority of users would love everything to run like
it was under Windows95 when you could just click on something and it
worked without a password or login or anything. For the envisioned
'desktop' model is there a reason to have multiple users for the
default? Is there a reason to have anything but root?

Actually I am asking this in seriousness versus grumpiness. A general
security policy needs to know why certain things are set beyond
ancient Unix history.

> Are we moving toward a model where the user and the administrator are no
> longer really separated?  Things seem to be regressing according to
> whatever use-case some desktop developer thinks is important at the time.


-- 
Stephen J Smoogen.

Ah, but a man's reach should exceed his grasp. Or what's a heaven for?
-- Robert Browning


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]