On Fri, Nov 20, 2009 at 7:19 PM, James Morris <jmorris@xxxxxxxxx> wrote:
> On Fri, 20 Nov 2009, Matthew Garrett wrote:
>
>> I know basically nobody who, on a generally single user system,
>> explicitly switches to a console to log in as root and perform package
>> installs there.
>
> This is how I started doing things in 1993, although I changed to sudo a
> few years back.

I also do it. I usually use the graphical tool once or twice a release and
then find myself not able to do something that yum lets me do automatically,
so I go back to just yum. Then again, I have been doing it this way for about
as long as James Morris. I find myself completely frustrated trying to do
stuff on a Mac or Windows box when the GUI is just spinning and I have no
idea a) is it installing, b) is it crashing, etc.

>> > - The local session has a new means to execute in a high privilege
>> > context, i.e. that which is required to install the system itself.
>> > This is a problem alone -- everything which runs in this context is
>> > now a prime attack target.
>>
>> I don't think I'd agree with that. The common case for F10 and F11 will
>> be for people to have installed a package once with the root password
>> and then ticked the "Remember authentication" box. At that point, we
>> have the same security exposure as we do with F12 (again, concentrating
>> on the single-user machine case).
>
> I never tick those boxes. I'd like to know how to get rid of them
> entirely.

I agree.. the corporate/government places I have dealt with usually have to
hack the code to get rid of it because it violates so many policies it's not
funny.

>> I definitely agree that there's a whole range of cases where this isn't
>> the behaviour you want. But for the vast majority of our users, I don't
>> think there's a real security issue here.

I think the vast majority of users would love everything to run like it was
under Windows95, when you could just click on something and it worked without
a password or login or anything. For the envisioned 'desktop' model, is there
a reason to have multiple users for the default? Is there a reason to have
anything but root? Actually, I am asking this in seriousness versus
grumpiness. A general security policy needs to know why certain things are
set beyond ancient Unix history.

> Are we moving toward a model where the user and the administrator are no
> longer really separated? Things seem to be regressing according to
> whatever use-case some desktop developer thinks is important at the time.

-- 
Stephen J Smoogen.

Ah, but a man's reach should exceed his grasp. Or what's a heaven for?
-- Robert Browning

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
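As an added illustration, not part of this message or the thread: the "Remember authentication" behaviour the posters want to switch off is, in polkit terms, the difference between an action whose result is `auth_admin_keep` (the authorization is cached for a short time, so later installs in the same session do not prompt) and one whose result is plain `auth_admin` (a fresh administrator password every time). The fragment below assumes polkit-1's LocalAuthority backend, which reads `.pkla` files from `/etc/polkit-1/localauthority/`, and the PackageKit action id `org.freedesktop.packagekit.package-install`; the file name and section title are made up for the example. It overrides the packaged default without editing any code, which is the configuration-only alternative to the "hack the code" approach mentioned above.

```ini
; Added example, not from the mailing-list thread.
; Assumes polkit-1 LocalAuthority (.pkla) and the PackageKit action id
; org.freedesktop.packagekit.package-install. Suggested location
; (an assumption): /etc/polkit-1/localauthority/50-local.d/10-no-keep.pkla
;
; Weak form, for contrast: the cached result that the "remember" option
; amounts to. Shown commented out so only the strict rule is active.
;[Cache admin authorization for package installs]
;Identity=unix-user:*
;Action=org.freedesktop.packagekit.package-install
;ResultActive=auth_admin_keep

; Strict form: every package install asks for the admin password again,
; whether the session is local and active, inactive, or remote.
[Require a fresh admin password for every package install]
Identity=unix-user:*
Action=org.freedesktop.packagekit.package-install
ResultAny=auth_admin
ResultInactive=auth_admin
ResultActive=auth_admin
```

Files in `50-local.d` are consulted after the vendor defaults, so this rule wins over whatever result the PackageKit policy ships with; `pkcheck --action-id org.freedesktop.packagekit.package-install --process <pid>` (a standard polkit tool) is a quick way to confirm which result applies to a given session after the change.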