Re: Initial draft of privilege escalation policy


Once upon a time, Adam Williamson <awilliam@xxxxxxxxxx> said:
> I was being hand-wavy. :) Spot's blog says 'anything in /var/log', which
> isn't a bad definition, I guess. Can you think of anything better?

Users can write to (or cause entries to be appended to) any syslog log
files, since syslog listens on a socket (I don't think there's a way to
limit that).

One thing that jumps out at me about the way the policy is worded is
that it defines what is restricted (what you can't do) instead of what
is allowed (what you can do).  This seems backwards to me; you'll always
be chasing some new thing that somebody implemented (e.g. the PackageKit
change that brought this about) that wasn't previously restricted.

If you define the only things that are allowed (e.g. "change own
password", "admin user install packages" (once "admin user" is defined),
and so on), then anything not explicitly allowed is "bad".  If somebody
wants to implement something new (e.g. PackageKit), they need to get a
policy change approved.

When it comes to security, you want to define what is okay and assume
everything else is not okay; trying to think of all the not-okay things
in advance usually fails.
-- 
Chris Adams <cmadams@xxxxxxxxxx>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
-- 
test mailing list
test@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe: 
https://admin.fedoraproject.org/mailman/listinfo/test
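The difference Chris describes between a policy that lists what is restricted and one that lists what is allowed, shown as an added example (not code from the thread, and not PolicyKit or PackageKit's own policy format). The users, roles and action names below are constructed for illustration; the point is what each model does with an action that did not exist when the policy was written.

```python
"""Added example: a denylist ("default allow") policy beside an allowlist
("default deny") one, evaluated over the same requests. Users, roles and
action names are constructed; they are not PolicyKit or PackageKit
identifiers."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str
    action: str


class DenylistPolicy:
    """Policy worded as 'what you can't do': anything not listed is permitted."""

    def __init__(self, restricted):
        self.restricted = set(restricted)

    def decide(self, req):
        # An action introduced after the list was written is unknown to it,
        # so it is allowed by default: the list is always one step behind.
        return req.action not in self.restricted


class AllowlistPolicy:
    """Policy worded as 'what you can do': each action maps to the roles that
    may perform it; anything unmapped is denied until the policy is changed."""

    def __init__(self, allowed, roles):
        self.allowed = {a: set(r) for a, r in allowed.items()}  # action -> roles
        self.roles = {u: set(r) for u, r in roles.items()}      # user -> roles

    def decide(self, req):
        permitted = self.allowed.get(req.action)
        if permitted is None:
            return False  # not explicitly allowed: denied until a policy change lands
        return bool(self.roles.get(req.user, set()) & permitted)

    def unreviewed(self, actions):
        """Actions present on the system that no policy entry covers: the list
        a maintainer must review before any of them can be enabled."""
        return sorted(a for a in set(actions) if a not in self.allowed)


# Constructed sample data.
ROLES = {"alice": {"user"}, "bob": {"user", "admin"}}
ALLOWED = {
    "change-own-password": {"user"},   # any user may change their own password
    "install-package": {"admin"},      # only an "admin user" may install packages
}
RESTRICTED = {"reboot", "mount-internal-drive"}

# An action shipped by a new component after both policies were written.
NEW_ACTION = "new-feature-nobody-thought-of"

DENYLIST = DenylistPolicy(RESTRICTED)
ALLOWLIST = AllowlistPolicy(ALLOWED, ROLES)


def decisions(policy, requests):
    """Map each (user, action) pair to the policy's allow/deny decision."""
    return {(r.user, r.action): policy.decide(r) for r in requests}


def compare(requests):
    """Return both models' decisions side by side for the same requests."""
    return {
        "denylist": decisions(DENYLIST, requests),
        "allowlist": decisions(ALLOWLIST, requests),
    }


if __name__ == "__main__":
    reqs = [Request("alice", "change-own-password"),
            Request("alice", "install-package"),
            Request("bob", "install-package"),
            Request("alice", NEW_ACTION)]
    for model, result in compare(reqs).items():
        print(model)
        for (user, action), ok in result.items():
            print("  %-45s %s" % ("%s:%s" % (user, action), "allow" if ok else "deny"))
    print("unreviewed:", ALLOWLIST.unreviewed([r.action for r in reqs]))
```

Running it shows the denylist allowing the unforeseen action for an ordinary user while the allowlist denies it and reports it as unreviewed; the `unreviewed` list is the check that turns "somebody implemented something new" into a visible policy-change request rather than a silent grant.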
