On Wed, 2009-11-18 at 19:23 -0500, Bill Nottingham wrote:

> Jeff Garzik (jgarzik@xxxxxxxxx) said:
> > Sorry, but this default (desktop users can install pkgs without
> > root) is just stupid. It is antithetical to all standard security
> > models that have come before in Fedora and other Linux
> > distributions.
>
> Out of the box, a desktop user has the ability to shut down the machine.
> This gives them the ability, out of the box, to:
> - DoS everyone on it
> - get a root shell
> -- install whatever they want
> -- put viruses on
> - hell, slap in a livecd or USB key and reinstall the box
>
> It's a behavior change, for sure. For people who want to lock down their
> systems, it's a default they will need to be able to change, and they
> should have been able to discover it through the normal mechanisms for
> that (i.e., the release notes). It likely should have been discussed
> when it was introduced - it's obviously not something that's applicable
> to all usage cases for the OS.
>
> But really, given that users out of the box can do *far far worse*, I'm
> not seeing the 'shameful', 'antithetical', OMG THE SKY IS FALLING AND
> YOU ALL SHOULD BE DRAWN AND QUARTERED sort of angst. Maybe people are
> tired of bagging tea and want new things to be outraged about.
>
> Bill

Bill,

You are assuming that the users have physical access to the box, that they also know how to get a root shell, and that the box hasn't been hardened (before the PK vulnerability was known). PackageKit is something right there on the desktop that, to its credit, needs little knowledge to use, whereas many of the attack vectors you noted above are generally fixed in my shop by use of a kickstart and by securing the box from physical access, and they require a higher skill to perform. I'm not saying this new "functionality" in PK is necessarily bad, but it should have been easily ENABLED (not by default) by an admin with root privileges.
Of course, in my thought process, now, PK should probably not be installed on systems where users shouldn't have unrestricted access to the repo. --Eric
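For readers who want the "admin opts in, not default" behaviour Eric describes, the following is an added example of a PolicyKit local-authority override, not text from the thread and not a file shipped by Fedora or PackageKit. It assumes the PolicyKit 1 `.pkla` file format and the action id `org.freedesktop.packagekit.package.install` (the assumed PackageKit action for installing packages); an administrator drops it under `/etc/polkit-1/localauthority/50-local.d/` so that the local rule takes precedence over the vendor default.

```ini
; Assumed path: /etc/polkit-1/localauthority/50-local.d/10-packagekit-install.pkla
; Require an administrator password for package installation, for every
; user, whether the session is active, inactive, or remote.
[Require admin auth for PackageKit package install]
Identity=unix-user:*
Action=org.freedesktop.packagekit.package.install
ResultAny=no
ResultInactive=no
ResultActive=auth_admin
```

`ResultActive=auth_admin` is the setting that matters on a desktop: a user at the console is prompted for an administrator's credentials instead of being allowed through. `no` for inactive and remote sessions denies the action outright there, which is the conservative choice for a multi-user box. An admin who later wants to re-enable unprivileged installs changes only this local file rather than the vendor-supplied default.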
-- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-devel-list