Local users get to play root?
Seth Vidal
skvidal at fedoraproject.org
Wed Nov 18 20:30:58 UTC 2009
On Wed, 18 Nov 2009, nodata wrote:
> On 2009-11-18 21:27, Seth Vidal wrote:
>>
>>
>>> 2009/11/18 nodata <lsof at nodata.co.uk>:
>>>> On 2009-11-18 20:20, Richard Hughes wrote:
>>>>>
>>>>> 2009/11/18 Casey Dahlin <cdahlin at redhat.com>:
>>>>>>
>>>>>> By the admin's first opportunity to change the settings the box could
>>>>>> already be rooted.
>>>>>
>>>>> I'm not sure how you can root a computer from installing signed
>>>>> content by a user that already has physical access to the machine.
>>>>
>>>> You install software with a known buffer overflow before it is fixed and
>>>> exploit it. More software = more chances to exploit. Bingo!
>>>
>>> If a user logged in from a physical local console wanted to exploit
>>> their machine, this would be the hard way to do it.
>>
>>
>> So here is what I've just gotten from talking to Ray Strode and reading
>> docs.
>>
>> if you want to disable this just run:
>>
>> pklalockdown --lockdown org.freedesktop.packagekit.package-install
>>
>> that will keep anyone from installing pkgs w/o authenticating as admin.
>>
>>
>> That's the short version.
>>
>> the long version I'm working on writing up right now.
>>
>> -sv
>
> Thanks for this. Does this need to be run as root? :)
yes :)
-sv