Local users get to play root?

Mike McGrath mmcgrath at redhat.com
Thu Nov 19 00:45:05 UTC 2009


On Wed, 18 Nov 2009, Jeff Garzik wrote:

> On 11/18/2009 07:23 PM, Bill Nottingham wrote:
> > Jeff Garzik (jgarzik at pobox.com) said:
> > > Sorry, but this default (desktop users can install pkgs without
> > > root) is just stupid.  It is antithetical to all standard security
> > > models that have come before in Fedora and other Linux
> > > distributions.
> >
> > Out of the box, a desktop user has the ability to shut down the machine.
> > This gives them the ability, out of the box, to:
> > - DoS everyone on it
> > - get a root shell
> > -- install whatever they want
> > -- put viruses on
> > - hell, slap in a livecd or USB key and reinstall the box
>
> How is any of that justification for lowering the security bar to zero?
>

We haven't lowered the security bar to zero.  We don't mount home dirs
noexec by default[1], so on the security level we're only talking about
security vulnerabilities in suid packages.  All of which could be
installed via a reboot and grub changes *and* would require a
vulnerability in that package, something we're very quick to fix.  Though
keeping N and N-1 versions on the mirror is a security vulnerability, as
the old version could always be pulled in.

> All of those you list are more technically complex than the current F12
> behavior -- letting the kids or guests click a button.
>

It also lets them keep the system up to date; there's an argument to be
made here that this aspect is more secure.

> IFF this feature was listed as a question in firstboot, and
> IFF this feature was explained in detail in release notes, then there would
> have been no problem at all...
>

I tend to agree with this.  I believe this is similar to how Ubuntu does
it with some sort of opt-in.

> You also omitted the case where admins of servers upgrade into a less secure
> policy.  PackageKit presence does not imply desktop user.
>

I think you'd find your arguments would be better received if you weren't
so dramatic about it.  Stick with the facts, be clear about what you're
trying to accomplish (changing it back in F13?  Changing it back in F12?
Setting a policy so stuff like this doesn't happen again?).

	-Mike

[1]  Talking about something as simple as rpm2cpio here
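The argument above turns on whether home directories are mounted noexec: if they are not, a local user can already unpack any RPM with rpm2cpio into $HOME and run what is inside, so the PackageKit default only adds the suid-package angle. The script below is an added example, not code from the original thread or from Fedora; it checks which mount options apply to a path by longest-prefix match over a mount table in /proc/mounts format, and wraps the rpm2cpio extraction Mike refers to. The mount table SAMPLE_MOUNTS is constructed for the example; on a real system feed /proc/mounts to the same function.

```shell
#!/bin/sh
# Added example (not part of the original mailing-list post).
# Checks whether a path lives on a noexec mount, and shows the
# rootless RPM unpacking that makes the noexec question matter.

# Constructed mount table in /proc/mounts format (not from a real host).
# Note that /home is noexec here but /home/shared, mounted below it, is not.
SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /home ext4 rw,noexec,nosuid,nodev,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/sdb1 /home/shared ext4 rw,relatime 0 0'

# mount_opts_for PATH < mount-table
# Prints the mount options of the mount that actually holds PATH: the mount
# point with the longest matching prefix wins, and among equal mount points the
# later line wins (the most recent mount over that point is the visible one).
mount_opts_for() {
    path=$1
    best=""
    bestopts=""
    while read -r _dev mnt _fstype opts _rest; do
        [ -n "$mnt" ] || continue
        case "$mnt" in
            /) match=1 ;;                       # root matches every path
            *) case "$path" in
                   "$mnt"|"$mnt"/*) match=1 ;;  # exact or a child of mnt
                   *) match=0 ;;                # e.g. /homestuff is not under /home
               esac ;;
        esac
        if [ "$match" -eq 1 ] && [ ${#mnt} -ge ${#best} ]; then
            best=$mnt
            bestopts=$opts
        fi
    done
    printf '%s\n' "$bestopts"
}

# is_noexec PATH < mount-table : exit 0 if PATH lies on a noexec mount
is_noexec() {
    opts=$(mount_opts_for "$1")
    case ",$opts," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# unpack_rpm RPM DESTDIR
# Extracts an RPM payload as an unprivileged user, bypassing rpm's database and
# PackageKit entirely.  Nothing here needs root; whether the extracted binaries
# can then be executed is decided only by the mount options of DESTDIR.
unpack_rpm() {
    rpm=$1
    dest=$2
    mkdir -p "$dest" || return 1
    ( cd "$dest" && rpm2cpio "$rpm" | cpio -idm --quiet )
}

# Demo against the constructed table.  On a real host use:
#   mount_opts_for "$HOME" < /proc/mounts
printf '%s\n' "$SAMPLE_MOUNTS" | mount_opts_for /home/alice        # rw,noexec,nosuid,nodev,relatime
printf '%s\n' "$SAMPLE_MOUNTS" | mount_opts_for /home/shared/bin   # rw,relatime
if printf '%s\n' "$SAMPLE_MOUNTS" | is_noexec /home/alice; then
    echo "/home/alice is noexec: unpacked binaries will not execve there"
else
    echo "/home/alice allows exec: rpm2cpio gives a local user a working install"
fi
```

Two caveats when reading the result: noexec is enforced per mount, so a filesystem mounted below $HOME (the /home/shared line above) can silently reopen the hole, and noexec only blocks execve of the file itself, so interpreted content still runs via `sh script.sh` or `python script.py` regardless of the mount option.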

More information about the fedora-devel-list mailing list