Re: Local users get to play root?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 11/18/2009 07:34 PM, Jeff Garzik wrote:

On 11/18/2009 07:23 PM, Bill Nottingham wrote:

Jeff Garzik (jgarzik@xxxxxxxxx) said:

Sorry, but this default (desktop users can install pkgs without
root) is just stupid. It is antithetical to all standard security
models that have come before in Fedora and other Linux
distributions.


Out of the box, a desktop user has the ability to shut down the machine.
This gives them the ability, out of the box, to:
- DoS everyone on it
- get a root shell
-- install whatever they want
-- put viruses on
- hell, slap in a livecd or USB key and reinstall the box


How is any of that justification for lowering the security bar to zero?

All of those you list are more technically complex than the current F12
behavior -- letting the kids or guests click a button.
And it ignores that remote exploits are now much easier, because remote non-root exploit + package install == remote root exploit. 

	Jeff



--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux