PackageKit policy: background and plans

James Morris jmorris at namei.org
Sun Nov 22 22:58:34 UTC 2009


On Sat, 21 Nov 2009, Matthew Garrett wrote:

> > worked without a password or login or anything. For the envisioned
> > 'desktop' model is there a reason to have multiple users for the
> > default? Is there a reason to have anything but root?
> 
> Yes. There's a range of acts that root is able to perform that even an 
> admin user should not be able to perform without extra authentication. 
> It's not even necessarily related to security - I don't want a bug in 
> firefox resulting in it trying to write to /dev/sda rather than a file 
> in my home directory, for instance.

This needs to be enforced at the OS level, with an analyzable policy, so 
you can determine if this is possible or not.  "Install all signed 
packages from a Fedora repository" may indeed include the ability to write 
to /dev/sda -- nobody really knows and you have no way to find out.

Also, it should certainly be possible while the operation is running at 
full privilege.



- James
-- 
James Morris
<jmorris at namei.org>
