Re: Local users get to play root?

On Wed, Nov 18, 2009 at 1:48 PM, Chris Adams <cmadams@xxxxxxxxxx> wrote:
>
> It seems the latest way of doing this is via PolicyKit.  IMHO all
> PolicyKit configuration should be "secure by default",

"secure" is a meaningless term without reference to a deployment
model and threat model, but let's assume here for reference that what
you mean is that the shipped RPMs should be configured to not grant
any additional privileges over that afforded to the traditional Unix
timesharing model, and then the desktop kickstart modifies them.

I would agree with that, but it's not trivial.  Are we just scoping in
PackageKit here, or also consolehelper @console actions?  Does it
imply removing the setuid bit from /bin/ping?

> Right now, I see files /usr/share/PolicyKit/policy; I guess that's where
> this kind of thing comes from.  How do I override the settings in one of
> these files?  None of them are marked "config", so I guess I don't edit
> them.  Are there other places such policy can be set?

See "man PolicyKit.conf"

-- 
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
