On Wed, 2010-01-20 at 09:09 -0500, Matthias Clasen wrote:

> > The policy requires that any code which allows a user to perform, or
> > cause to be performed, certain actions must require authentication as
> > the root user prior to the action being carried out. The actions are:
>
> This does not seem right. While we want a standard, unprivileged user to
> not be able to do these things, we very much want to define an
> 'Administrator' role that can be assigned to users other than root and
> that will enable them to do many of these things by just authenticating
> as themselves, not as root.
> The policy should be worded in a way that makes it clear that this is
> allowed.

(apologies for the erratic line wrapping, seems to be a bug in Rawhide evolution).

Right, spot had a little note to that effect in the blog post, I forgot to reproduce it in the policy. Will update.

> > * Add, remove, upgrade or downgrade any system-wide application or
> > shared resource (packaged or otherwise)
>
> I don't see how a Fedora policy can apply to non-packaged resources;
> other than the fact that those resources will be subject to normal
> access control (e.g. file permissions).

The envisaged situation is a *packaged* application which is built in such a way that it would allow an unprivileged user to cause a binary to be stuck in /usr/bin, or a library in /usr/lib, or whatever - whether that is by the installation of another Fedora package, or just by the application going out and downloading it and dumping it there itself.

> > * Read or write directly to or from system memory (with the exception
> > that the 'cause to be performed' provision is waived in this case)
>
> This seems entirely too vague to make sense. What does 'system memory'
> mean here ?

Actually I sort of agree. :) Spot, are you reading? Can you clarify? This came straight from spot's post.

> > * Start or stop system daemons
>
> With the exception of daemons that are autostarted D-Bus system bus
> services...

Will add.

> > * Edit system-wide configuration files
>
> Seems clear enough on the face of it, but is /etc/passwd a system-wide
> configuration file ? Users do edit that by changing e.g. their
> password.

Well, see the definition of 'system-wide' further down. This particular use would be excepted because it doesn't affect any other user.

> > * Write to system logs (with the exception that the 'cause to be
> > performed' provision is waived in this case)
>
> Huh ? The mere fact of me logging in will cause system logs to be
> written...

Hence the bit in brackets. It says that the language about 'cause to be performed' is waived for this case; i.e., this rule only means that users should not be able to write *directly* to system logs. Performing actions which cause system processes to write to system logs is of course fine.

-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org
http://www.happyassassin.net

-- 
test mailing list
test@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe: https://admin.fedoraproject.org/mailman/listinfo/test