Local users get to play root?

Jeff Garzik jgarzik at pobox.com
Wed Nov 18 21:51:26 UTC 2009


On 11/18/2009 01:41 PM, Konstantin Ryabitsev wrote:
> 2009/11/18 Simo Sorce <ssorce at redhat.com>:
>> On Wed, 2009-11-18 at 13:19 -0500, Konstantin Ryabitsev wrote:
>>> This significantly limits the number of users with powers to install
>>> signed software -- almost to the point of where it sounds like a fair
>>> trade-off. If someone has physical access to the machine, then heck --
>>> it's not like they don't already effectively "own" it.
>>
>> Most of my users wouldn't be able to "own" it even if I let a root shell
>> open, but they would definitely be able to install or remove packages
>> using the GUI.
>>
>> The difference is huge.
>
> If I have physical access to your machine, I'll own it. I may have to
> use tools to get to the HDD, but it's only a question of time and
> dedication.
>
> Now, there can be situations where someone has access to the TTY
> console or GDM (usually when it's a VM guest or a machine behind a
> network KVM), but most often, if someone can log in on the console,
> they are sitting in front of the physical box, to which they have full
> access.

Console access is no excuse for a completely lax security policy. 
Didn't Microsoft Windows teach us all that?

In the real world(tm), hacking via console access still means there are 
a lot of hurdles you must dodge, like making noise while opening the case.

This new policy completely screws multi-user setups where (for example) 
kids are given a login to play games -- but I sure don't want them to be 
installing packages.  Now, pkgs installs for them are trivial.

The physical argument by policy proponents is the real straw man:

F12+PK lowers the security barrier from "difficult" to "a simple mouse 
click."

	Jeff
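The mitigation a sysadmin in this thread's position would want is a PolicyKit local-authority override that makes the PackageKit install action ask for the admin password again, even for an active console user. This is an added example, not part of the original thread; it assumes polkit's `.pkla` local-authority format and the PackageKit action id `org.freedesktop.packagekit.package.install`, and the file path is illustrative.

```ini
# Assumed path: /etc/polkit-1/localauthority/50-local.d/10-packagekit-require-auth.pkla
# Local-authority override for the PackageKit install action. It applies to
# every unix user, and the three Result* keys cover all session states:
#   ResultAny      - any session (remote, inactive, or active)
#   ResultInactive - a local but inactive console session
#   ResultActive   - the active console session (the F12 default grants this)
# auth_admin forces the admin password on every install; auth_admin_keep
# would instead cache the authorization briefly after a successful prompt.
[Require admin authentication for PackageKit package installs]
Identity=unix-user:*
Action=org.freedesktop.packagekit.package.install
ResultAny=auth_admin
ResultInactive=auth_admin
ResultActive=auth_admin
```

A second stanza later in the file with `Identity=unix-group:wheel` and `ResultActive=yes` would carve out trusted admins while leaving everyone else behind the password prompt.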

More information about the fedora-devel-list mailing list