Re: Local users get to play root?

Once upon a time, Rahul Sundaram <sundaram@xxxxxxxxxxxxxxxxx> said:
> .. if the packages are signed and from a signed repository. So, you left
> out the important part. Explain why this is a problem in a bit more
> detail.

Fedora has made a big push into the multi-user desktop (which many home
computers are now) with things like fast user switching.  In many such
setups, not all users are considered "administrators" of the system
(think parents and kids for example).  However, Fedora continues to slip
in (with no announcement and no documentation on how to change) things
that allow the console user to be an administrator without any
additional authentication.

The answer here has been "well root should lock it down".  With the
ever-increasing complexity of the system, it is becoming more difficult
than ever to find (or even know about) all of the ways a system must be
locked down.  "find / -perm +6000" doesn't cut it anymore, but there's
no documentation of all the ways a regular user can do administrative
tasks without an administrative password.

It seems the latest way of doing this is via PolicyKit.  IMHO all
PolicyKit configuration should be "secure by default", and then desktop
spins can include overrides in /etc to loosen-up security where desired.
This would also make it much easier to find and clearer to see what
might should be changed for local policy.

Right now, I see files /usr/share/PolicyKit/policy; I guess that's where
this kind of thing comes from.  How do I override the settings in one of
these files?  None of them are marked "config", so I guess I don't edit
them.  Are there other places such policy can be set?

-- 
Chris Adams <cmadams@xxxxxxxxxx>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

-- 
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
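
An audit of the policy directory named in the message, as an added example that is not part of the original post or of PolicyKit itself. It assumes each `.policy` file is XML with `<action id="...">` elements whose `<defaults>` hold `allow_any`, `allow_inactive` and `allow_active` results; the sample action ids are made up.

```python
import glob
import os
import xml.etree.ElementTree as ET

# Constructed sample in the assumed .policy layout; the action ids are made up.
SAMPLE = """<policyconfig>
  <action id="org.example.pkg.install">
    <defaults><allow_inactive>no</allow_inactive><allow_active>yes</allow_active></defaults>
  </action>
  <action id="org.example.clock.set">
    <defaults><allow_inactive>no</allow_inactive><allow_active>auth_self</allow_active></defaults>
  </action>
  <action id="org.example.disk.format">
    <defaults><allow_inactive>no</allow_inactive><allow_active>auth_admin_keep_session</allow_active></defaults>
  </action>
</policyconfig>"""

def audit_policy(xml_data):
    """Return (action_id, session_kind, result) for every default that lets a
    user proceed without an administrator password."""
    findings = []
    for action in ET.fromstring(xml_data).iter("action"):
        defaults = action.find("defaults")
        if defaults is None:
            continue
        for kind in ("allow_any", "allow_inactive", "allow_active"):
            result = (defaults.findtext(kind) or "").strip()
            # "no" denies; auth_admin* asks for the admin password. Anything
            # else ("yes", auth_self*) needs no administrative credential.
            if result and result != "no" and not result.startswith("auth_admin"):
                findings.append((action.get("id"), kind, result))
    return findings

def audit_dir(path):
    """Audit every *.policy file in path; unparsable files are reported."""
    report = {}
    for name in sorted(glob.glob(os.path.join(path, "*.policy"))):
        try:
            with open(name, "rb") as fh:  # bytes: honour the declared encoding
                report[name] = audit_policy(fh.read())
        except (OSError, ET.ParseError) as exc:
            report[name] = [("<unreadable>", "error", str(exc))]
    return report

if __name__ == "__main__":
    for row in audit_policy(SAMPLE):
        print(*row)
```

Calling `audit_dir("/usr/share/PolicyKit/policy")` on a system that has that directory lists the actions a local administrator would want to review.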
