PackageKit policy: background and plans
Conrad Meyer
cemeyer at u.washington.edu
Fri Nov 20 19:45:17 UTC 2009
On Friday 20 November 2009 12:33:20 am James Morris wrote:
> On Thu, 19 Nov 2009, Conrad Meyer wrote:
> > > I think it's fair to say that having this happen as root would
> > > generally be worse than it happening as an unprivileged user. For the
> > > latter, the attacker would need to also then succeed with a local
> > > privilege escalation attack to the same effect.
> >
> > On the contrary. On the typical single user system, it's just as bad if
> > an attacker can steal / delete / modify the user's files as it is if the
> > attacker can modify / delete system files. Privilege escalation isn't
> > needed to delete everything the single user cares about.
>
> Note that I said generally.
>
> ...
>
> There are many possible scenarios where an attacker would want more
> privileged access to the system, e.g. install rootkits/firmware kits,
> modify firewall settings, run network services, attack other systems,
> evade detection etc. IOW, the current landscape of windows malware,
> data-stealing worms, botnets and so on.
>
> Getting root access is much more valuable in the general case.
>
> There are also the separate issues, as I mentioned subsequently, of
> increasing the attack surface, breaking the MAC model, and executing at
> full system privilege (also, without further authorization).
>
> I think we're throwing away a lot of well-established security benefit in
> moving away from the simple model of using a root/wheel account (or sudo)
> for admin and a separate user account for everything else.
I agree with this.
--
Conrad Meyer <cemeyer at u.washington.edu>