Local users get to play root?

Eric Christensen eric at christensenplace.us
Wed Nov 18 23:07:59 UTC 2009


On Wed, 2009-11-18 at 18:03 -0500, Jeff Garzik wrote:
> On 11/18/2009 05:51 PM, Rahul Sundaram wrote:
> > On 11/19/2009 04:19 AM, Richard Hughes wrote:
> >> 2009/11/18 Seth Vidal<skvidal at fedoraproject.org>:
> >>> Richard,
> >>>   to be fair, when I asked you how to edit a .pkla file you couldn't tell me.
> >>> So, if our engineers don't know the basics, how should our users?
> >>
> >> Fair comment. Release notes additions might be good in this regard.
> >
> > It should have been announced and documented with the rationale for the
> > change *before* the release. Just pretending that everyone should know
> > about how PolicyKit works when documentation is just lacking doesn't cut
> > it. You didn't even respond to by bugzilla comment and just closed the
> 
> Agreed 100.1%.
> 
> 
> > bug. We will still do a post-release update for the release notes now
> > but that's scrambling to minimize damage.
> 
> The only thing that will fix the damage is to update PK, reverting the 
> default-insecure policy.
> 
> May I remind folks that it is easy to UPGRADE INTO INSECURITY here. 
> Admins with servers, coming from F10/F11, can very easily fall into this 
> trap simply by updating their current systems.
> 
> 	Jeff

Has anyone drafted a notice to go out on the Announce List explaining
this vulnerability?  If admins don't know to fix/remove PK then they are
putting their systems at risk.

--Eric

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part
URL: <http://listman.redhat.com/archives/fedora-devel-list/attachments/20091118/764a01a2/attachment.sig>


More information about the fedora-devel-list mailing list