Re: Local users get to play root?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



2009/11/18 Casey Dahlin <cdahlin@xxxxxxxxxx>:
>>> I may be wrong, but I understand that this behaviour of PackageKit
>>> only applies to users with direct console access (i.e. not remote
>>> shells). So, only users that are logged in via GDM or TTY would be
>>> able to perform such tasks.
>>>
>>
>> That's a silly thing to imply we can control. Just because firefox is running on a local console doesn't mean that a vulnerability therein has not allowed it to be ultimately controlled from elsewhere.

Okay, so someone managed to get local shell via firefox. How does
installing trusted packages further their nefarious purposes?

> Addendum: Why do you think sudo would ask an already-logged-in user for his password?

Because sudo doesn't use policykit? Because sudo gives you full root
access -- not just ability to install trusted software from trusted
repositories? Moreover, even sudo doesn't ask me again if I invoke it
within 5 minutes of using it (or however long it is).

Regards,
-- 
McGill University IT Security
Konstantin Ryabitsev
Montréal, Québec

-- 
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux