Re: Draft privilege escalation policy for comments

On Sat, Jan 30, 2010 at 1:20 AM, Adam Williamson <awilliam@xxxxxxxxxx> wrote:
>
> Well, reboot is a one-time operation; if there's only one user logged
> in, they can only affect themselves by rebooting. Adjusting the clock or
> installing new software isn't the same.

Ok, actually "one time" feels like there's a more general principle at
work here, which is the degree to which the operation could
potentially affect other users.

For example, there's a pretty wide gulf between "install new desktop
app" (other users see a new menu entry) and "start or stop system
daemons" (can easily break printing, networking, or just crash the.
Changing the system time is in between there.

The reason I mention this specifically is that I'd like in the future to widen
this set a little bit for the "self managed" desktop target (i.e.
livecd download), specifically include at least "install new desktop
application from " and "initiate system update" in that set of default
privileges.

Maybe the way to think of system update is that the system comes by
default configured to update, and the privilege is actually to
optionally delay the update.

I think it's very important that we make typing in the root password
dialog a meaningful event, something that means "you are doing
something really unusual, are you sure?", like turning off SELinux.
If we require it for simply installing Firefox security updates it
greatly dilutes the warning/danger value of it.

So as long as we don't view this current list as written on stone
tablets but a flexible system (more in the sense of
guidelines/examples), subject to revision, I'm fine with it.
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
