Local users get to play root?

Konstantin Ryabitsev icon at fedoraproject.org
Wed Nov 18 18:27:34 UTC 2009


2009/11/18 Seth Vidal <skvidal at fedoraproject.org>:
>> I may be wrong, but I understand that this behaviour of PackageKit
>> only applies to users with direct console access (i.e. not remote
>> shells). So, only users that are logged in via GDM or TTY would be
>> able to perform such tasks.
>>
>> This significantly limits the number of users with powers to install
>> signed software -- almost to the point of where it sounds like a fair
>> trade-off. If someone has physical access to the machine, then heck --
>> it's not like they don't already effectively "own" it.
>>
>> Not saying it's a good default policy -- but let's cool our heads.
>
> might be worth testing that feature with pkcon from an ssh terminal. I've
> not done that yet but I think it would be worth checking out.

Looks to be the case:

bubba at localhost's password:
[bubba at smaug ~]$ uqm
Command not found. Install package 'uqm' to provide command 'uqm'? [N/y]
 * Installing packages..
 * Getting information..
 * Resolving dependencies..
The following packages have to be installed:
 autodownloader-0.3.0-3.fc12.noarch	GUI-tool to automate the download
of certain files
Proceed with changes? [N/y]
 * Waiting for authentication.. The transaction failed:
not-authorized, Failed to obtain authentication.
[bubba at smaug ~]$

Let's calm down now, please. :)

-- 
McGill University IT Security
Konstantin Ryabitsev
Montréal, Québec




More information about the fedora-devel-list mailing list