On 7/3/20 1:57 PM, ToddAndMargo via users wrote:
On 2020-07-03 13:07, Samuel Sieb wrote:
On 7/3/20 12:53 PM, ToddAndMargo via users wrote:
Oh of interest, Xfce Pol kit has a YUGE security hole that I
reported a while back that has yet to be addressed:
xfce pol kit lets others sneak in
https://github.com/ncopa/xfce-polkit/issues/5
That's not a huge security hole and it doesn't let others sneak in
unless they have access to your user for some reason. That's also
standard behaviour for sudo.
So basically, if I enter the root password once into the
pol kit, the pol kit allows me to run as many more
root only commands as a stand user as I want for the
next two minutes.
How in the world is that not a security hole?
Why would it be? You just authenticated yourself. Why is it a problem
to let you stay authenticated for a few minutes? What do you think
could happen?
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx