Re: Local users get to play root?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Bill Nottingham wrote:
> Eric Christensen (eric@xxxxxxxxxxxxxxxxxxx) said: 
>>> It's a behavior change, for sure. For people who want to lock down their
>>> systems, it's a default they will need to be able to change, and they
>>> should have been able to discover it through the normal mechanisms for
>>> that. (i.e., the release notes.). It likely should have been discussed
>>> when it was introduced - it's obviously not something that's applicable
>>> to all usage cases for the OS.
>> You are assuming that the users have physical access to the box and also
>> know how to get a root shell and that the box hasn't been hardened
>> (before the PK vulnerability was known).
> 
> Sure, I said 'out of the box'. Out of the box none of those other
> hardening steps are done either, which is why if this is a policy
> that we want, it should be documented as a hardening step that can
> be taken.
> 
> Bill
> 

It would seem that a middle ground could be struck here. Why not set the
default to require admin privileges, and once the credentials have been
established provide a check box user choice to change to the behavior
that doesn't require privileges.

That way, out of the box it's a little more locked down, but easily
changeable. This is a common UI pattern that you can see in many
applications that have security implications... Firefox is a primary
example.

-- 
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux