Local users get to play root?

Seth Vidal skvidal at fedoraproject.org
Wed Nov 18 18:27:23 UTC 2009



On Wed, 18 Nov 2009, James Antill wrote:

>
> 1. Does "install" of obsoleting packages come under the same auth. (if
> so I can now arbitrarily upgrade certain packages).
>
> 2. Does "install" of installonly come under the same auth. (if so I can
> now stop kernel upgrades).

+1

> 4. Are there any attacks against packages with "default on" services?
> (Note that you can almost certainly wait until there is an attack, and
> then install the insecure service).

And if we have default on services then I think we should take a good 
LOOOOOOOOOONG look at them.

> 7. And the most obvious one ... how hard is it to get a bad package into
> one of the repos. that the machine has enabled.

+many

-sv




More information about the fedora-devel-list mailing list