Re: Security policy oversight needed?

Gregory Maxwell wrote:
> The time configuration policy is actually a fantastic example of this:
> After it was pointed out that any user could change the time
> willy-nilly the complaint was disregarded and denied by many because
> the dialog *did* ask for a password, as would be the classic unix
> security model expectation. Except… it was asking for the *user's*
> password rather than a root password— so if you happen to know both
> (or if they are the same) you could test it and fail to realize that
> it was violating the long-standing expectation.

FWIW, upstream KDE requires root authentication to set the current time, and 
in fact one usage (the one usage? I haven't found others so far) of KAuth in 
KDE 4.4 will be to use PolicyKit to prompt for the root password (KDE 4.3 
uses kdesu there). So now we also have inconsistent system policies, with 
one tool explicitly prompting for root and another one not doing it. :-(

        Kevin Kofler

-- 
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
