Local users get to play root?

Kevin Kofler kevin.kofler at chello.at
Fri Nov 20 00:01:19 UTC 2009


Richard Hughes wrote:

> 2009/11/19 Jeff Garzik <jgarzik at pobox.com>:
>> 1) We should recognize this new policy departs from decades of Unix and
>> Linux sysadmin experience.
> 
> Sure, it's different. It doesn't make it wrong.

But the real issues which have been pointed out do.

>> 2) F12 policy should be reverted to F11, ASAP.  Possibly with a CVE.
> 
> PolicyKit in F12 doesn't have the auth_admin (and save forever to
> disk) functionality that F11 did.

PackageKit can make remembering the authorization work without that feature. 
Or do you see any reason why:
https://bugzilla.redhat.com/show_bug.cgi?id=534047#c141
would not work?
(That said, I also blame PolicyKit for this apparently intentional 
regression.)

> I think what we have in F12 is much more usable, perhaps trading off with
> the perceived loss of control.

I think you just picked the easy way out without realizing the consequences 
and are now spitting out bullsh*t to make us believe that decision made 
sense.

> I say perceived as actually typing in a root password doesn't actually
> make the system any more secure at all, less if anything.

How is it less secure to only allow users knowing the root password (i.e. 
presumably the administrator(s) of the machine; if somebody else knows the 
root password, you have a big problem!) to install packages on their system 
on their own than to allow everyone and their dog to do it just because they 
happen to be sitting at the keyboard?

>> 3) Due to #1, F13+ should not deviate from the decades-old default.
> 
> Using that argument, we can just keep using GTK tools written in
> python, that use consolehelper to run 2 million lines of code as the
> root user on the user's session. How wonderful.

That's a strawman. It wasn't his argument at all.

> Err, I don't think this is how we want to brand the desktop spin.
> Other spins just need to ship different defaults for all the other
> PolicyKit daemons too.

If anything, the GNOME desktop spin should be the one customizing the 
policy, the default should be secure. But I don't consider this default 
appropriate even for that one spin.

> Also, we've not made this change upstream lightly. We've got upstream
> review and policy documents which you might find useful:
> 
> http://cgit.freedesktop.org/packagekit/plain/docs/security.txt
> http://cgit.freedesktop.org/packagekit/plain/docs/setting-the-proxy.txt
> 
http://cgit.freedesktop.org/packagekit/plain/policy/org.freedesktop.packagekit.policy.in

And still you failed to realize the obvious issues with this change?

        Kevin Kofler
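As an added illustration of the policy mechanism this thread argues about (written for this page; it is not text from either poster and not Fedora's or PackageKit's real policy file): a polkit-1 `.policy` action definition with the unprompted default placed beside a variant that demands the administrator's password from an active local session and retains that authorization briefly. The vendor, action ids and descriptions are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
 "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<policyconfig>
  <vendor>Example Vendor (placeholder)</vendor>

  <!-- Weak default: any user in an active local session may run the
       action with no prompt at all. "allow_active" governs the user sitting
       at the console; "allow_inactive" other local sessions; "allow_any"
       everyone else (e.g. remote logins). This is the behaviour the thread
       objects to for package installation. -->
  <action id="org.example.install-packages">       <!-- placeholder id -->
    <description>Install packages (placeholder)</description>
    <message>Authentication is required to install packages</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>

  <!-- Stricter default: the console user must authenticate as an
       administrator. auth_admin_keep tells polkit-1 to remember the
       authorization for a short period (minutes) so a batch of operations
       does not re-prompt; plain auth_admin prompts every time. polkit-1
       offers no option to persist the authorization to disk indefinitely,
       which is the F11-era feature the thread says is gone. -->
  <action id="org.example.install-packages-strict"> <!-- placeholder id -->
    <description>Install packages, admin only (placeholder)</description>
    <message>Authentication is required to install packages</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>
</policyconfig>
```

A site administrator can override a shipped default without editing the vendor file by dropping a local authority rule (`.pkla` under `/etc/polkit-1/localauthority/`) that sets `ResultActive=auth_admin_keep` for the action id in question.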
