PackageKit policy: background and plans

Stephen John Smoogen smooge at gmail.com
Sat Nov 21 02:43:58 UTC 2009


On Fri, Nov 20, 2009 at 7:19 PM, James Morris <jmorris at namei.org> wrote:
> On Fri, 20 Nov 2009, Matthew Garrett wrote:
>
>> I know basically nobody who, on a generally single user system,
>> explicitly switches to a console to log in as root and perform package
>> installs there.
>
> This is how I started doing things in 1993, although I changed to sudo a
> few years back.

I also do it. I usually use the graphical tool once or twice a release
and then find myself not able to do something that yum lets me do
automatically, so I go back to just yum. Then again, I have been doing it
this way for about as long as James Morris. I find myself completely
frustrated trying to do stuff on a Mac or Windows box when the GUI is
just spinning and I have no idea a) is it installing, b) is it
crashing, etc.

>> >  - The local session has a new means to execute in a high privilege
>> >    context, i.e. that which is required to install the system itself.
>> >    This is a problem alone -- everything which runs in this context is
>> >    now a prime attack target.
>>
>> I don't think I'd agree with that. The common case for F10 and F11 will
>> be for people to have installed a package once with the root password
>> and then ticked the "Remember authentication" box. At that point, we
>> have the same security exposure as we do with F12 (again, concentrating
>> on the single-user machine case).
>
> I never tick those boxes.  I'd like to know how to get rid of them
> entirely.

I agree... the corporate/government places I have dealt with usually
have to hack the code to get rid of it because it violates so many
policies it's not funny.

>> I definitely agree that there's a whole range of cases where this isn't
>> the behaviour you want. But for the vast majority of our users, I don't
>> think there's a real security issue here.

I think the vast majority of users would love everything to run like
it was under Windows 95, when you could just click on something and it
worked without a password or login or anything. For the envisioned
'desktop' model, is there a reason to have multiple users for the
default? Is there a reason to have anything but root?

Actually, I am asking this in seriousness versus grumpiness. A general
security policy needs to know why certain things are set, beyond
ancient Unix history.

> Are we moving toward a model where the user and the administrator are no
> longer really separated?  Things seem to be regressing according to
> whatever use-case some desktop developer thinks is important at the time.
-- 
Stephen J Smoogen.

Ah, but a man's reach should exceed his grasp. Or what's a heaven for?
-- Robert Browning