Local users get to play root?
Jeff Garzik
jgarzik at pobox.com
Thu Nov 19 00:43:04 UTC 2009
On 11/18/2009 07:37 PM, Colin Walters wrote:
> On Wed, Nov 18, 2009 at 7:36 PM, Jeff Garzik<jgarzik at pobox.com> wrote:
>
>> And it ignores that remote exploits are now much easier, because remote
>> non-root exploit + package install == remote root exploit.
>
> No, the uid needs to have logged in through a physical console.

See references in multiple mails to firefox, pidgin, and any number of
other example applications run by a uid logged in through a physical
console.

Web browsers -- especially with bin-only flash -- are the most likely
vector for remote exploits these days. Far more so than any system daemon.

There are Real Good(tm) reasons why Firefox complains, if your Flash
plug-in is out of date, even on Linux...

Jeff