On Wed, Nov 18, 2015 at 10:49 AM, Adam Jackson <ajax@xxxxxxxxxx> wrote:
> On Tue, 2015-11-17 at 17:30 +0000, Andrew Haley wrote:
>> On 11/02/2015 03:05 PM, Adam Jackson wrote:
>> > But, why take the risk exposure, when you could simply not?
>>
>> How else would I edit root-owned files? I don't get it. I mean,
>> I guess I could run an editor in a text window, but I don't want to
>> do that.
>
> That's kind of a non sequitur. To a first order, there are zero
> root-owned files you need to edit routinely. And I feel pretty comfortable
> calling any counterexamples bugs that need fixing.
>
>> And finally, it's *my computer*, dammit.
>
> In the threat model being described, no, it is not, there's another
> agent on the system subverting your use of it.
>
> You are of course free to disregard that risk, or measure it in the
> event and conclude it's safe enough, and in many cases it will in fact
> be safe. Great, fine, that's a conclusion a consumer can come to. But
> in the Fedora context we are the producer, not the consumer. Developing
> an operating system means considering what is best in the general case,
> and in the general case, if using the system requires a known-dangerous
> configuration, we've done our job poorly.
>
> Phrased another way: no, it's not *your computer* we're talking about
> here. The computer in question rightfully belongs to someone else; we
> are here discussing how to be responsible for the code they allow us to
> run on it.

I don't understand. If a user who has the right to act as root asks to
authorize a program to run as root on their behalf, we should grant that
request. And, once we grant it, we shouldn't be passive-aggressive and say
"sure you can run it, but no graphics for you!".

Sure, if we want to block attacks in which an untrusted non-root program
subverts the root program, then great!

But we should really start by stopping attacks in which an untrusted
non-root program runs sudo itself, edits .bashrc to redirect sudo to
something malicious, subverts the (non-root!) terminal in which the user
types sudo, etc. IOW, we're solving only one tiny special case of a broad
problem, and it's more annoying than helpful.

--Andy
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
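The reply above names two of the ways an untrusted non-root program can redirect a typed `sudo` without ever touching the root process: editing a shell start-up file, or controlling the environment of the terminal the user types into. As an added, defender-side example that is not part of this thread or of Fedora, the script below audits shell rc files for `sudo` aliases and wrapper functions and for PATH assignments that put a user-writable location ahead of the real `sudo`; the sample rc text, the home directory and the `is_writable` hook are constructed for the example.

```python
#!/usr/bin/env python3
"""Audit shell start-up files and PATH for definitions that would shadow `sudo`.

Constructed example (not from the thread): it looks for aliases, shell
functions and PATH changes that would make the word `sudo` typed at a
prompt run something other than the sudo binary in /usr/bin.
"""
import os
import re
from pathlib import Path

# Lines that redefine `sudo` inside a shell session.
ALIAS_RE = re.compile(r'^\s*alias\s+sudo=')
FUNC_RE = re.compile(r'^\s*(function\s+sudo\b|sudo\s*\(\s*\))')
# PATH assignments; the first element decides what is searched first.
PATH_RE = re.compile(r'^\s*(export\s+)?PATH=(?P<value>\S+)')

# Start-up files commonly sourced by interactive shells (assumed list).
RC_FILES = ('.bashrc', '.bash_profile', '.bash_aliases', '.profile', '.zshrc')


def scan_rc_text(text, home='/home/user'):
    """Return (line_no, kind, line) findings for the text of one rc file.

    kind is 'alias', 'function', or 'path' for a PATH assignment whose first
    entry lives under the (user-writable) home directory.
    """
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        code = line.split('#', 1)[0]  # drop trailing comments (naive on '#' in quotes)
        if ALIAS_RE.match(code):
            findings.append((no, 'alias', line.strip()))
        elif FUNC_RE.match(code):
            findings.append((no, 'function', line.strip()))
        else:
            m = PATH_RE.match(code)
            if m:
                first = m.group('value').split(':', 1)[0].strip('"\'')
                # Expand $HOME and ~ so "$HOME/bin:$PATH" and "~/bin:$PATH" both match.
                first = first.replace('$HOME', home).replace('~', home)
                if first.startswith(home):
                    findings.append((no, 'path', line.strip()))
    return findings


def path_entries_before(path_value, real_dir='/usr/bin', is_writable=None):
    """Return PATH entries that precede real_dir and are writable by this user.

    A non-root process could place its own `sudo` in any of them. is_writable
    defaults to os.access(..., W_OK) and is injectable for offline checks.
    """
    if is_writable is None:
        is_writable = lambda d: os.access(d, os.W_OK)
    risky = []
    for entry in path_value.split(':'):
        if entry == real_dir:
            break
        if entry in ('', '.') or is_writable(entry):
            risky.append(entry or '.')  # an empty entry means the current directory
    return risky


def audit_home(home=None):
    """Scan the rc files under home; returns {path: findings} for files with hits."""
    home = home or os.path.expanduser('~')
    report = {}
    for name in RC_FILES:
        p = Path(home) / name
        if p.is_file():
            hits = scan_rc_text(p.read_text(errors='replace'), home)
            if hits:
                report[str(p)] = hits
    return report


# Constructed sample .bashrc with two planted redefinitions and a PATH prepend.
SAMPLE_BASHRC = """\
# sample rc file constructed for this example
export PATH=$PATH:$HOME/go/bin
alias ll='ls -l'
alias sudo='$HOME/.local/share/PLACEHOLDER_WRAPPER'   # planted alias
sudo() { command sudo "$@"; }                        # planted wrapper
PATH="$HOME/.local/bin:$PATH"
"""

if __name__ == '__main__':
    for path, hits in audit_home().items():
        for no, kind, line in hits:
            print(f'{path}:{no}: {kind}: {line}')
    for d in path_entries_before(os.environ.get('PATH', '')):
        print(f'PATH: user-writable entry searched before /usr/bin: {d}')
```

Run without arguments it audits the current user's own rc files and PATH; `scan_rc_text` and `path_entries_before` are pure functions so they can also be pointed at collected rc files from other hosts. The check is a heuristic for the specific vectors the reply lists, not a substitute for fixing the underlying trust boundary.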