On Friday 20 November 2009 12:33:20 am James Morris wrote:
> On Thu, 19 Nov 2009, Conrad Meyer wrote:
> > > I think it's fair to say that having this happen as root would
> > > generally be worse than it happening as an unprivileged user. For the
> > > latter, the attacker would need to also then succeed with a local
> > > privilege escalation attack to the same effect.
> >
> > On the contrary. On the typical single user system, it's just as bad if
> > an attacker can steal / delete / modify the user's files as it is if the
> > attacker can modify / delete system files. Privilege escalation isn't
> > needed to delete everything the single user cares about.
>
> Note that I said generally.
>
> ...
>
> There are many possible scenarios where an attacker would want more
> privileged access to the system, e.g. install rootkits/firmware kits,
> modify firewall settings, run network services, attack other systems,
> evade detection etc. IOW, the current landscape of windows malware,
> data-stealing worms, botnets and so on.
>
> Getting root access is much more valuable in the general case.
>
> There are also the separate issues, as I mentioned subsequently, of
> increasing the attack surface, breaking the MAC model, and executing at
> full system privilege (also, without further authorization).
>
> I think we're throwing away a lot of well-established security benefit in
> moving away from the simple model of using a root/wheel account (or sudo)
> for admin and a separate user account for everything else.

I agree with this.

--
Conrad Meyer <cemeyer@xxxxxxxxxxxxxxxx>

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list