Security testing: need for a security policy, and a security-critical package process
Gene Czarcinski
gene at czarc.net
Mon Nov 30 21:39:05 UTC 2009
On Monday 30 November 2009 15:43:26 Bill Nottingham wrote:
> Gene Czarcinski (gene at czarc.net) said:
>
> > Keep it simple (KISS) for the initial attempt. It will grow more
> > complicated all by itself as time passes.
> >
> > BTW, the security policy should assume that a grub password is in use so
> > that a user cannot do something like disabling selinux by editing the
> > kernel command line. This should be tested by the security QA.
>
> That seems very broken. A security policy that is violated on every
> single out of the box install that doesn't do customization?
>
Agreed ... it is broken.
As I see it, the problem is that without a grub password, then an un-
privileged user can edit the command line to disable selinux or bootup in
single user mode.
On the other hand, there is also "good enough" versus perfect. In a perfect
world, a user would (by default) be required to enter that password. In a
"good enough" world, have the option to set the password.
A "split the difference" (better) world (this is a change from existing
implementation): have the grub password default to being root's password.
[I have not tested this in install but I assume that root's password cannot be
null.]
I do not want to see the goal for Fedora to be perfect ... simply "good
enough".
Gene
More information about the Fedora-security-list
mailing list