On 11/18/2009 06:49 PM, Seth Vidal wrote:
> On Wed, 18 Nov 2009, Jon Ciesla wrote:
>> nodata wrote:
>>> On 2009-11-18 18:08, nodata wrote:
>>>> Yikes! When was it decided that non-root users get to play root?
>>>> Ref:
>>>> https://bugzilla.redhat.com/show_bug.cgi?id=534047
>>>> This is horrible!
>>> Just to elaborate:
>>> A local user is allowed to install software on the machine without
>>> being prompted for the root password.
>>> This is a recipe for disaster in my opinion.
>> So much for granting shell access on my servers. . .
> You have PackageKit installed on servers? really?

Why shouldn't he? AFAIK there is nothing in the package warning users not
to install this on a server.
What is the appropriate way to audit this kind of stuff? Presuming that
PackageKit uses PolicyKit to acquire the necessary privileges is there a way
to query PolicyKit and ask "show me all instances where a process can
acquire root privileges without being asked for a password"?
I don't think it's a good idea to rely on admins knowing the magic
handshake (or in this case the magic package list of dangerous apps) for
security.
Regards,
Dennis
--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
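
One way to approach the audit question raised in the message above, as an added example that is not part of the original thread or any project's code: list every action whose declared default grants authorization without a password prompt. It assumes the polkit-1 `.policy` XML layout (`<action>`, `<defaults>`, `allow_any`/`allow_inactive`/`allow_active`) and the directory `/usr/share/polkit-1/actions`; the action ids in the sample are placeholders, and local authorization overrides outside these files are not considered.

```python
from pathlib import Path
import xml.etree.ElementTree as ET

# Implicit-authorization elements inside a .policy <defaults> block.
SCOPES = ("allow_any", "allow_inactive", "allow_active")

# Constructed sample; the action ids are placeholders, not real action names.
SAMPLE_POLICY = """<policyconfig>
  <action id="org.example.pkg.install">
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="org.example.pkg.remove">
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>
</policyconfig>"""

def passwordless_actions(policy_xml):
    """Return (action_id, scope) pairs whose declared default is 'yes'."""
    findings = []
    for action in ET.fromstring(policy_xml).iter("action"):
        for scope in SCOPES:
            value = action.findtext("defaults/" + scope, default="")
            if value.strip() == "yes":  # 'yes' = granted with no authentication
                findings.append((action.get("id"), scope))
    return findings

def audit_directory(policy_dir="/usr/share/polkit-1/actions"):
    """Scan every *.policy file in policy_dir (default path is an assumption)."""
    report = {}
    for path in sorted(Path(policy_dir).glob("*.policy")):
        hits = passwordless_actions(path.read_bytes())
        if hits:
            report[str(path)] = hits
    return report

if __name__ == "__main__":
    print(passwordless_actions(SAMPLE_POLICY))
    for path, hits in audit_directory().items():
        print(path, hits)
```

Actions requiring `auth_self`, `auth_admin` or their `_keep` variants are deliberately not reported, since those still prompt for a password.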