Security Changes For Fedora 9

Bjørn Tore Sund bjorn.sund at it.uib.no
Sat Dec 22 17:42:38 UTC 2007
On 22/12/07 18:00, "fedora-security-list-request at redhat.com"
<fedora-security-list-request at redhat.com> wrote:
> Message: 1
> Date: Fri, 21 Dec 2007 10:13:21 -0700
> From: Kevin Fenzi <kevin at tummy.com>
> Subject: Re: Security Changes For Fedora 9
> To: fedora-security-list at redhat.com
> Message-ID: <20071221101321.1fd1d3aa at ghistelwchlohm.scrye.com>
> Content-Type: text/plain; charset="us-ascii"
> 
> On Thu, 20 Dec 2007 19:29:29 -0800 (PST)
> riley.marquis at tcsresearch.org wrote:
> 
>> Security Updates For Fedora 9
>> 
>> Greetings!
> 
> Greetings. 

Greetings, indeed.

>> 1: Disable root account / Use Sudo
> 
> There are tradeoffs here. I personally would like to see it continue to
> be enabled until we can figure out more of the issues around disabling
> it. 

As long as enabling root is as simple as setting a root password or some
other simple and automatable procedure, I don't care.  But for large-scale
remote administration you need direct root access via key-based ssh.

>> 4: GCC Lockdowns
>> With the new GCC-4.3.0 recently built for Fedora 9, we should forbid
>> ordinary users access to the programs it contains, incl. rpmbuild,
>> mock, etc.  Only members of the wheel, koji, and mock groups should
>> have access to software development tools.  Did I miss any groups
>> that should be allowed access?
> 
> I would also say this is a bad idea. We want people to use the tools on
> the machine, don't we?

We do indeed.  In general, limiting access to tools which don't affect the
system you're working on causes issues.  There are always users arguing for
root access or against centralised admin setups, often the very users who
shouldn't have any sort of access to anything.  Limiting access to stuff
simply because it can be done is one of the things that triggers them, and
the more tools this happens to, the more likely it is that someone will
forget to open up what should have been open in the first place.

Bjørn
-- 
Bjørn Tore Sund       Phone: 555-84894   Email:   bjorn.sund at it.uib.no
IT department         VIP:   81724       Support: http://bs.uib.no
Univ. of Bergen

When in fear and when in doubt, run in circles, scream and shout.
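The configuration Bjørn argues for above (root's password locked, but key-based root ssh left open for remote administration) can be checked mechanically. The script below is an added example, not code from this thread, from Fedora, or from the OpenSSH project. It reads an sshd_config and a shadow-format file passed in as paths, so it runs here against constructed sample files rather than the live system. It assumes sshd's documented parsing rules: the first occurrence of a keyword wins, keywords inside a `Match` block are conditional and are therefore skipped, and an unset `PermitRootLogin` defaults to `prohibit-password` (spelled `without-password` before OpenSSH 7.0).

```shell
#!/bin/sh
# Added example: audit whether "root disabled" still leaves key-based
# root ssh usable.  Not part of the mailing-list thread.

# Effective global PermitRootLogin value from an sshd_config file.
# First occurrence wins; stop at the first Match block, whose settings
# only apply to matching connections.  Unset -> prohibit-password.
effective_permit_root_login() {
    val=$(awk 'tolower($1)=="match" { exit }
               tolower($1)=="permitrootlogin" { print tolower($2); exit }' "$1")
    val=${val:-prohibit-password}
    # "without-password" is the pre-OpenSSH-7.0 spelling of the same thing
    [ "$val" = without-password ] && val=prohibit-password
    echo "$val"
}

# Root's password state from a shadow-format file:
#   absent - no root entry
#   empty  - empty hash field: root has no password at all
#   locked - hash starts with "!" (passwd -l) or "*" (never set)
#   set    - a usable password hash is present
root_password_state() {
    line=$(awk -F: '$1=="root" { print; exit }' "$1")
    [ -n "$line" ] || { echo absent; return; }
    field=$(printf '%s\n' "$line" | cut -d: -f2)
    case "$field" in
        '')        echo empty ;;
        '!'*|'*'*) echo locked ;;
        *)         echo set ;;
    esac
}

# Verdict for the "disable root, keep key-based admin" setup:
#   no-access - PermitRootLogin no: remote admins lose root over ssh entirely
#   weak      - root password usable AND sshd accepts root password logins
#   ok        - keys still work, password login for root is not possible
root_access_verdict() {
    prl=$(effective_permit_root_login "$1")
    pw=$(root_password_state "$2")
    case "$prl:$pw" in
        no:*)              echo no-access ;;
        yes:set|yes:empty) echo weak ;;
        *)                 echo ok ;;
    esac
}

# Constructed sample inputs (not real system files; hashes are fake).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

cat >"$tmp/sshd_config.weak" <<'EOF'
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
EOF

# Global PermitRootLogin left unset; the "no" inside Match must not count.
cat >"$tmp/sshd_config.keys" <<'EOF'
PasswordAuthentication no
Match User deploy
    PermitRootLogin no
EOF

cat >"$tmp/shadow.locked" <<'EOF'
root:!:19000:0:99999:7:::
bjorn:$6$saltsalt$notarealhash:19000:0:99999:7:::
EOF

cat >"$tmp/shadow.set" <<'EOF'
root:$6$saltsalt$notarealhash:19000:0:99999:7:::
EOF

printf 'PermitRootLogin yes + usable root password: %s\n' \
    "$(root_access_verdict "$tmp/sshd_config.weak" "$tmp/shadow.set")"
printf 'default prohibit-password + locked root:     %s\n' \
    "$(root_access_verdict "$tmp/sshd_config.keys" "$tmp/shadow.locked")"
```

Run it as-is to see the two verdicts; to audit a real host, call `root_access_verdict /etc/ssh/sshd_config /etc/shadow` as root. The `weak` verdict is the state worth catching: a distribution that "disables root" by policy but leaves a password set and `PermitRootLogin yes` has not actually changed anything, while `PermitRootLogin no` is the over-correction that breaks the key-based remote administration the message asks to keep.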