On 22/12/07 18:00, "fedora-security-list-request@xxxxxxxxxx" <fedora-security-list-request@xxxxxxxxxx> wrote:

> Message: 1
> Date: Fri, 21 Dec 2007 10:13:21 -0700
> From: Kevin Fenzi <kevin@xxxxxxxxx>
> Subject: Re: Security Changes For Fedora 9
> To: fedora-security-list@xxxxxxxxxx
> Message-ID: <20071221101321.1fd1d3aa@xxxxxxxxxxxxxxxxxxxxxxxx>
> Content-Type: text/plain; charset="us-ascii"
>
> On Thu, 20 Dec 2007 19:29:29 -0800 (PST)
> riley.marquis@xxxxxxxxxxxxxxx wrote:
>
>> Security Updates For Fedora 9
>>
>> Greetings!
>
> Greetings.

Greetings, indeed.

>> 1: Disable root account / Use Sudo
>
> There are tradeoffs here. I personally would like to see it continue to
> be enabled until we can figure out more of the issues around disabling
> it.

As long as enabling root is as simple as setting a root password or some other simple and automatable procedure I don't care. But for large scale remote administration you need direct root access via key-based ssh.

>> 4: GCC Lockdowns
>> With the new GCC-4.3.0 recently built for Fedora 9, we should forbid
>> ordinary users access to the programs it contains, incl. rpmbuild,
>> mock, etc. Only members of the wheel, koji, and mock groups should
>> have access to software development tools. Did I miss any groups
>> that should be allowed access?
>
> I would also say this is a bad idea. We want people to use the tools on
> the machine, don't we?

We do indeed. In general, limiting access to tools which don't affect the system you're working on causes issues. There are always users arguing for root access or against centralised admin setups, often the very users who shouldn't have any sort of access to anything. Limiting access to stuff simply because it can be done is one of the things that triggers them, and the more tools this happens to the more likely it is that someone will forget to open up what should have been open in the first place.

Bjørn
--
Bjørn Tore Sund       Phone: 555-84894   Email:   bjorn.sund@xxxxxxxxx
IT department         VIP:   81724       Support: http://bs.uib.no
Univ. of Bergen

When in fear and when in doubt, run in circles, scream and shout.

--
Fedora-security-list mailing list
Fedora-security-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-security-list