Local users get to play root?

Eric Christensen eric at christensenplace.us
Thu Nov 19 00:35:00 UTC 2009


On Wed, 2009-11-18 at 19:23 -0500, Bill Nottingham wrote:
> Jeff Garzik (jgarzik at pobox.com) said: 
> > Sorry, but this default (desktop users can install pkgs without
> > root) is just stupid.  It is antithetical to all standard security
> > models that have come before in Fedora and other Linux
> > distributions.
> 
> Out of the box, a desktop user has the ability to shut down the machine.
> This gives them the ability, out of the box, to:
> - DoS everyone on it
> - get a root shell
> -- install whatever they want
> -- put viruses on
> - hell, slap in a livecd or USB key and reinstall the box
> 
> It's a behavior change, for sure. For people who want to lock down their
> systems, it's a default they will need to be able to change, and they
> should have been able to discover it through the normal mechanisms for
> that. (i.e., the release notes.). It likely should have been discussed
> when it was introduced - it's obviously not something that's applicable
> to all usage cases for the OS.
> 
> But really, given that users out of the box can do *far far worse*, I'm
> not seeing the 'shameful', 'antithetical', OMG THE SKY IS FALLING AND
> YOU ALL SHOULD BE DRAWN AND QUARTERED sort of angst. Maybe people are
> tired of bagging tea and want new things to be outraged about.
> 
> Bill
> 

Bill,
You are assuming that the users have physical access to the box and also
know how to get a root shell and that the box hasn't been hardened
(before the PK vulnerability was known).

PackageKit is something right there on the desktop that, to its credit,
needs little knowledge to use, whereas many of the attack vectors you noted
above are generally fixed in my shop by use of a kickstart and by securing
the box from physical access, and require a higher skill to perform.

I'm not saying this new "functionality" in PK is necessarily bad but it
should have been easily ENABLED (not by default) by an admin with root
privileges.

Of course, in my thought process, now, PK should probably not be
installed on systems where users shouldn't have unrestricted access to
the repo.

--Eric
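The lock-down Eric asks for above (installs allowed only after an admin with root privileges enables them) can be expressed as a PolicyKit Local Authority override. This is an added example, not part of the thread and not Fedora's or PackageKit's own shipped configuration; it assumes the polkit 0.9x .pkla format that Fedora 12 used, the PackageKit action id org.freedesktop.packagekit.package-install, and an illustrative file name under /etc/polkit-1/localauthority/50-local.d/.

```ini
# /etc/polkit-1/localauthority/50-local.d/10-packagekit-require-admin.pkla
# Added example (not from the thread). Assumes polkit 0.9x .pkla syntax and
# the PackageKit action id org.freedesktop.packagekit.package-install.
#
# The permissive desktop default discussed in the thread amounts to
# ResultActive=yes (a local, active console session may install with no
# password). This override requires an administrator's authentication for
# every session type instead.
[Require admin authentication to install packages]
Identity=unix-user:*
Action=org.freedesktop.packagekit.package-install
ResultAny=auth_admin
ResultInactive=auth_admin
ResultActive=auth_admin
```

Files in /etc/polkit-1/localauthority/50-local.d/ are read after the vendor defaults in /var/lib/polkit-1/localauthority/10-vendor.d/, so the local file wins. `pkaction --action-id org.freedesktop.packagekit.package-install --verbose` shows the implicit defaults from the .policy file; to confirm the override actually applies to a running session, run `pkcheck --action-id org.freedesktop.packagekit.package-install --process $$` from an unprivileged desktop shell and check that it is no longer authorized without a prompt.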