Local users get to play root?

Jeff Garzik jgarzik at pobox.com
Wed Nov 18 23:19:16 UTC 2009


On 11/18/2009 06:12 PM, Richard Hughes wrote:
> 2009/11/18 Eric Christensen <eric at christensenplace.us>:
>> Has anyone drafted a notice to go out on the Announce List explaining
>> this vulnerability?  If admins don't know to fix/remove PK then they are
>> putting their systems at risk.
>
> I'm really bored of this conversation. The bikeshed is blue. There are
> much bigger problems in UNIX security than installing signed packages.
> We don't set a grub password by default.

Signed does not mean bug-free.

Further, observe the broken logic:

"Because local users might be able to break into the system with effort, 
it is pointless to have any safeguards at all."

[firefox|pidgin] exploit + PackageKit == trivial remote exploit.

	Jeff





