On 11/18/2009 02:44 PM, Konstantin Ryabitsev wrote: > 2009/11/18 Casey Dahlin <cdahlin@xxxxxxxxxx>: >>>> I may be wrong, but I understand that this behaviour of PackageKit >>>> only applies to users with direct console access (i.e. not remote >>>> shells). So, only users that are logged in via GDM or TTY would be >>>> able to perform such tasks. >>>> >>> >>> That's a silly thing to imply we can control. Just because firefox is running on a local console doesn't mean that a vulnerability therein has not allowed it to be ultimately controlled from elsewhere. > > Okay, so someone managed to get local shell via firefox. How does > installing trusted packages further their nefarious purposes? > >> Addendum: Why do you think sudo would ask an already-logged-in user for his password? > > Because sudo doesn't use policykit? Because sudo gives you full root > access -- not just ability to install trusted software from trusted > repositories? Moreover, even sudo doesn't ask me again if I invoke it > within 5 minutes of using it (or however long it is). > > Regards, But why is it neccesary? That was more my point. The answer is: because being associated with a login on the local console doesn't verify that it is a /user/ in control. --CJD -- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-devel-list
