Local users get to play root?

TK009 john.brown009 at gmail.com
Wed Nov 18 20:57:43 UTC 2009


On 11/18/2009 03:27 PM, Seth Vidal wrote:
>
>
>> 2009/11/18 nodata <lsof at nodata.co.uk>:
>>> Am 2009-11-18 20:20, schrieb Richard Hughes:
>>>>
>>>> 2009/11/18 Casey Dahlin<cdahlin at redhat.com>:
>>>>>
>>>>> By the admin's first opportunity to change the settings the box could
>>>>> already be rooted.
>>>>
>>>> I'm not sure how you can root a computer from installing signed
>>>> content by a user that already has physical access to the machine.
>>>
>>> You install software with a known buffer overflow before it is fixed
>>> and exploit it. More software = more chances to exploit. Bingo!
>>
>> If a user logged in from a physical local console wanted to exploit
>> their machine, this would be the hard way to do it.
>
>
> So here is what I've just gotten from talking to Ray Strode and
> reading docs.
>
> if you want to disable this just run:
>
> pklalockdown --lockdown org.freedesktop.packagekit.package-install
>
> that will keep anyone from installing pkgs w/o authenticating as admin.
>
>
> That's the short version.
>
> the long version I'm working on writing up right now.
>
> -sv
>
Thanks for this, Seth.

TK009
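The quoted thread turns on one polkit action, org.freedesktop.packagekit.package-install, and on whether its default lets an active local session act without authenticating. The following audit script is an added example, not code from the thread or from PackageKit or polkit: it parses the polkit .policy XML format (the `<action id>` / `<defaults>` / `<allow_active>` layout), reports actions whose `allow_active` default is `yes`, and can be pointed at a whole actions directory. The sample XML embedded in it is constructed for illustration; the directory path in the comment is the usual polkit-1 location, and treating a missing `allow_*` element as `no` is an assumption about polkit's default.

```python
"""Audit polkit action defaults for actions that an active local session
may invoke without authenticating (allow_active == "yes").

Added example; the sample policy below is constructed, not a real
PackageKit file.
"""
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample modelled on the polkit .policy format.
SAMPLE_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<policyconfig>
  <vendor>Example Vendor (constructed)</vendor>
  <action id="org.freedesktop.packagekit.package-install">
    <description>Install signed package (sample)</description>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="org.freedesktop.packagekit.package-remove">
    <description>Remove package (sample)</description>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>
</policyconfig>
"""

# Only "yes" grants the action with no authentication dialog at all;
# auth_self*/auth_admin* variants all prompt for a password.
NO_AUTH = {"yes"}


def parse_defaults(xml_text):
    """Return {action_id: {"any": ..., "inactive": ..., "active": ...}}."""
    root = ET.fromstring(xml_text)
    result = {}
    for action in root.iter("action"):
        defaults = action.find("defaults")
        entry = {}
        for scope in ("any", "inactive", "active"):
            node = defaults.find(f"allow_{scope}") if defaults is not None else None
            # Assumption: a missing element behaves like "no".
            entry[scope] = node.text.strip() if node is not None and node.text else "no"
        result[action.get("id")] = entry
    return result


def unauthenticated_actions(defaults, scope="active"):
    """Action ids usable without authentication by a session in `scope`."""
    return sorted(a for a, d in defaults.items() if d[scope] in NO_AUTH)


def audit_directory(path):
    """Audit every .policy file in a directory such as
    /usr/share/polkit-1/actions; returns {action_id: source file}."""
    findings = {}
    for policy_file in sorted(Path(path).glob("*.policy")):
        try:
            parsed = parse_defaults(policy_file.read_text(encoding="utf-8"))
        except ET.ParseError as exc:
            print(f"skipping {policy_file}: {exc}", file=sys.stderr)
            continue
        for action_id in unauthenticated_actions(parsed):
            findings[action_id] = str(policy_file)
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for action_id, src in audit_directory(sys.argv[1]).items():
            print(f"{action_id}: active session needs no auth ({src})")
    else:
        # Offline demo on the constructed sample.
        print(unauthenticated_actions(parse_defaults(SAMPLE_POLICY)))
```

Run it with no arguments to see the constructed sample flag only the package-install action; run it with a directory argument to audit installed policy files. The script reads the vendor defaults only; a lockdown such as the `pklalockdown` command in the thread is applied by the local authority on top of these, so the effective result for an action is better confirmed with `pkaction --verbose --action-id <action>` than by reading the .policy file alone.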
