Draft privilege escalation policy for comments

Adam Williamson awilliam at redhat.com
Mon Feb 1 23:18:47 UTC 2010


On Sat, 2010-01-30 at 10:31 -0500, Colin Walters wrote:
> On Sat, Jan 30, 2010 at 1:20 AM, Adam Williamson <awilliam at redhat.com> wrote:
> >
> > Well, reboot is a one-time operation; if there's only one user logged
> > in, they can only affect themselves by rebooting. Adjusting the clock or
> > installing new software isn't the same.
> 
> Ok, actually "one time" feels like there's a more general principle at
> work here, which is the degree to which the operation could
> potentially affect other users.

As it says in the second paragraph:

"An unprivileged user without administrative authentication must not be
able to change the behavior of the system "as a whole" (as viewed by
other users or by network clients), unless the system behavior is
intended to be dependent on the actions of the unprivileged user."

> For example, there's a pretty wide gulf between "install new desktop
> app" (other users see a new menu entry) and "start or stop system
> daemons" (can easily break printing, networking, or just crash the.
> Changing the system time is in between there.

> The reason I mention this specifically I'd like in the future to widen
> this set a little bit for the "self managed" desktop target (i.e.
> livecd download), specifically include at least "install new desktop
> application from " and "initiate system update" in that set of default
> privileges.

From the Requirements preamble:

"In the case of an approved Fedora spin which automatically grants
administrative privileges to the first created user account,
authentication as that user can be considered administrative
authentication."
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org
http://www.happyassassin.net
