Local users get to play root?
Seth Vidal
skvidal at fedoraproject.org
Wed Nov 18 18:27:23 UTC 2009
On Wed, 18 Nov 2009, James Antill wrote:
>
> 1. Does "install" of obsoleting packages come under the same auth. (if
> so I can now arbitrarily upgrade certain packages).
>
> 2. Does "install" of installonly come under the same auth. (if so I can
> now stop kernel upgrades).
+1
> 4. Are there any attacks against packages with "default on" services?
> (Note that you can almost certainly wait until there is an attack, and
> then install the insecure service).
And if we have default on services then I think we should take a good
LOOOOOOOOOONG look at them.
> 7. And the most obvious one ... how hard is it to get a bad package into
> one of the repos. that the machine has enabled.
+many
-sv