PackageKit policy: background and plans
James Morris
jmorris at namei.org
Sat Nov 21 02:34:09 UTC 2009
On Fri, 20 Nov 2009, Matthew Garrett wrote:
> Actually, thinking about it, even this isn't sufficient. An attacker
> could change the ctrl+alt+F* bindings and use them to pop up a
> full-screen window that looks like the console. So you'd also need to
> set up securetty to ensure that root can only log in on real consoles.
Right. This is why we need trusted path (not just for consoles, but for
interaction generally between users and the system).
The fundamental requirements for securing our systems were outlined in a
paper by NSA researchers - "The Inevitability of Failure: The Flawed
Assumption of Security in Modern Computing Environments"
http://www.nsa.gov/research/_files/publications/inevitability.pdf
I strongly recommend that Fedora developers read this.
Some of the requirements have been addressed since the paper was published
(mostly in the area of adding Mandatory security via SELinux), although
the desktop in particular still needs work. There's been some progress,
e.g. XACE, which allows us to begin locking down X itself (a video of
the LPC session on this is at http://video.linuxfoundation.org/video/1566).
I was hoping to see more desktop and general OS developers at the security
track of LPC -- it was mostly security folk talking to other security
folk. Certainly, I think we should try and find a way to get more
discussion happening amongst different groups next time.
FWIW, I discussed the "inevitability" requirements as part of a broader
talk on Linux security at KCA in Brisbane earlier this year; video &
slides are online:
http://namei.org/presentations/linux-kernel-security-kca09.pdf
http://www.ustream.tv/recorded/1814752
--
James Morris
<jmorris at namei.org>
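The securetty setting discussed in the quoted message decides only where root may authenticate; it says nothing about whether what the user sees on that console is genuine, which is the trusted-path gap the reply points at. As an added example (not code from the thread or from Linux-PAM), the script below emulates pam_securetty's core matching rule (strip a leading "/dev/", then require an exact match against a non-comment line, with an absent file treated as permissive, as the module does) and audits a securetty listing for entries that are not real consoles. The REAL_CONSOLE pattern and the sample file contents are constructed for this example.

```python
"""Audit an /etc/securetty listing the way pam_securetty consults it.

Added example; not part of the original thread or of Linux-PAM. The match
rule follows pam_securetty (drop a leading "/dev/", exact match against one
non-comment line, missing file => permissive). The REAL_CONSOLE pattern and
SAMPLE_SECURETTY are assumptions constructed for this example.
"""
import re

# Constructed sample: a securetty that has drifted to include a pseudo-terminal.
SAMPLE_SECURETTY = """\
# /etc/securetty - terminals on which root may log in
console
tty1
tty2
tty3
pts/0
"""

# Assumption for this example: what counts as a "real console" on a typical
# Linux box (the console device, virtual consoles, serial lines).
REAL_CONSOLE = re.compile(r"^(console|tty[0-9]+|vc/[0-9]+|ttyS[0-9]+)$")


def parse_securetty(text):
    """Return the set of tty names listed, dropping comments and blank lines."""
    ttys = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ttys.add(line)
    return ttys


def root_login_allowed(tty, securetty_text):
    """Emulate pam_securetty's core decision for a root login on `tty`.

    `securetty_text` is the file's contents, or None when the file is absent.
    pam_securetty logs and then permits the login when the file is missing,
    so an absent file is itself a finding (see audit_securetty).
    """
    if securetty_text is None:
        return True
    name = tty[len("/dev/"):] if tty.startswith("/dev/") else tty
    return name in parse_securetty(securetty_text)


def audit_securetty(securetty_text):
    """Return findings a reviewer would want: absent file, non-console entries."""
    findings = []
    if securetty_text is None:
        findings.append("securetty absent: root login permitted on every tty")
        return findings
    for tty in sorted(parse_securetty(securetty_text)):
        if not REAL_CONSOLE.match(tty):
            # pts/* entries make root reachable from ssh sessions and
            # terminal emulators, not just the physical consoles.
            findings.append(f"non-console entry permits root login: {tty}")
    return findings


if __name__ == "__main__":
    for finding in audit_securetty(SAMPLE_SECURETTY):
        print(finding)
    for dev in ("/dev/tty1", "/dev/pts/0", "tty4"):
        print(dev, "allowed" if root_login_allowed(dev, SAMPLE_SECURETTY) else "denied")
```

Even a clean listing only guarantees that root authenticates on a physical console device; it cannot tell a user that the login prompt filling the screen was drawn by getty rather than by an unprivileged program, which is why the reply argues for a trusted path rather than more securetty tuning.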