On Tue, 2009-02-24 at 08:18 -0600, Chris Adams wrote:
> Once upon a time, Chris Adams <cmadams@xxxxxxxxxx> said:
> > What mechanism is there to keep track of these policies? There should
> > be a Fedora policy to control RPMs adding new policies to PolicyKit. As
> > a system admin, I look for setuid/setgid binaries and open sockets, but
> > now there's a new method to bypass that for root-level access.
>
> As a follow-up, I see on F10 that a user can also increase their process
> priority level (which is normally a privilege reserved for root). This
> is often useful in timing attacks and should not be allowed.
>
> If I'm reading the policy right, users can change PackageKit proxy
> settings and force a refresh of metadata. How much has PackageKit's
> (and yum's) code been audited for security? If I can point it at a
> proxy and force it to download data, how secure is it against attack
> (e.g. via corrupted data)?
>

Can we please try to stay realistic here. We are talking about default
settings for a desktop system, where users are expected to be able to
update their systems.