Local users get to play root?

Richard Hughes hughsient at gmail.com
Thu Nov 19 13:05:01 UTC 2009


2009/11/19 Jeff Garzik <jgarzik at pobox.com>:
> 1) We should recognize this new policy departs from decades of Unix and
> Linux sysadmin experience.

Sure, it's different. It doesn't make it wrong.

> 2) F12 policy should be reverted to F11, ASAP.  Possibly with a CVE.

PolicyKit in F12 doesn't have the auth_admin (and save forever to
disk) functionality that F11 did. I think what we have in F12 is much
more usable, perhaps trading off with the perceived loss of control. I
say perceived, as typing in a root password doesn't actually make the
system any more secure at all, less if anything.

> 3) Due to #1, F13+ should not deviate from the decades-old default.

Using that argument, we can just keep using GTK tools written in
python, that use consolehelper to run 2 million lines of code as the
root user on the user's session. How wonderful.

> 4) Release notes should explain new [and after step #2, optional] policy in
> detail, including how to turn it off again.  Seth's laudable write-up
> efforts should not have been necessary -- that info should be prepared.

Sure, in retrospect I should have made a lot more noise in the release
notes, which I apologise for. The reason people didn't notice earlier
was because rawhide is unsigned, and hence all PackageKit operations
required the root password, even updating.

> 5) The people who want this new security policy should add an opt-in
> checkbox in Anaconda or firstboot.

Err, I don't think this is how we want to brand the desktop spin.
Other spins just need to ship different defaults for all the other
PolicyKit daemons too.

Also, we've not made this change upstream lightly. We've got upstream
review and policy documents which you might find useful:

http://cgit.freedesktop.org/packagekit/plain/docs/security.txt
http://cgit.freedesktop.org/packagekit/plain/docs/setting-the-proxy.txt
http://cgit.freedesktop.org/packagekit/plain/policy/org.freedesktop.packagekit.policy.in

Richard.
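The exchange above asks how an administrator turns the F12 default off again, and the upstream policy file linked above carries PackageKit's defaults but not the local override that undoes them. What follows is an added example, not part of this thread and not a file shipped by PackageKit or Fedora: a PolicyKit local authority rule that makes package installation require an administrator password again, as it did in F11. It assumes the polkit local authority backend that reads .pkla files from /etc/polkit-1/localauthority/, and that the action id is org.freedesktop.packagekit.package.install as defined in the upstream policy file; confirm the id against that file on the system in question.

```ini
# /etc/polkit-1/localauthority/50-local.d/10-packagekit-require-admin.pkla
# Added example, not from PackageKit or from this thread. A local override
# that takes precedence over the defaults shipped in
# org.freedesktop.packagekit.policy: every install request, even for a
# signed package, must be authorised with an administrator password.
[Require admin authentication for PackageKit installs]
# unix-user:* matches every user; narrow this to a group if only some
# accounts should be affected.
Identity=unix-user:*
# Action id as defined in the upstream policy file (assumed unchanged locally).
Action=org.freedesktop.packagekit.package.install
# Sessions that are neither local nor active (e.g. remote logins): deny.
ResultAny=no
# Local but inactive sessions (another VT owns the console): deny.
ResultInactive=no
# The active local console session: prompt for the admin password every
# time. auth_admin_keep would instead cache the authorisation briefly.
ResultActive=auth_admin
```

The file name and section title are free choices; what matters is that the file lives under the localauthority tree with a .pkla suffix, that Identity and Action match the request, and that the three Result keys spell out the decision for each session state rather than leaving any of them to the shipped default.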

More information about the fedora-devel-list mailing list