On 11/18/2009 06:49 PM, Seth Vidal wrote:
> On Wed, 18 Nov 2009, Jon Ciesla wrote:
>> nodata wrote:
>>> On 2009-11-18 18:08, nodata wrote:
>>>> Yikes! When was it decided that non-root users get to play root?
>>>>
>>>> Ref:
>>>>
>>>> https://bugzilla.redhat.com/show_bug.cgi?id=534047
>>>>
>>>> This is horrible!
>>>>
>>>
>>> Just to elaborate:
>>>
>>> A local user is allowed to install software on the machine without
>>> being prompted for the root password.
>>>
>>> This is a recipe for disaster in my opinion.
>>>
>> So much for granting shell access on my servers. . .
> You have PackageKit installed on servers? really?
Why shouldn't he? AFAIK there is nothing in the package warning users not
to install this on a server.
What is the appropriate way to audit this kind of stuff? Presuming that
PackageKit uses PolicyKit to acquire the necessary privileges is there a way
to query PolicyKit and ask "show me all instances where a process can
acquire root privileges without being asked for a password"?
I don't think it's a good idea to rely on admins knowing the magic
handshake (or in this case the magic package list of dangerous apps) for
security.
Regards,
Dennis
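One way to answer the audit question raised in the message above, as an added example that is not from the thread: a shell function that parses the output of polkit's `pkaction --verbose` and lists every action whose implicit authorization is `yes`, i.e. granted with no authentication prompt at all. It assumes `pkaction` is available for the live run; the action IDs and output in the embedded sample are constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example: find polkit actions that are implicitly authorized ("yes")
# for some session state, meaning no password prompt is ever shown.
# Assumes the `pkaction --verbose` output format (action id line ending in
# ":", followed by indented "implicit any/inactive/active: <value>" lines).

# Reads pkaction --verbose output on stdin and prints
# "<action-id><TAB><session-state>" for each implicit "yes" authorization.
audit_polkit_actions() {
    awk '
        # An unindented line ending in ":" names the action that follows.
        /^[^ \t].*:$/ { action = $0; sub(/:$/, "", action); next }
        # "implicit active:   yes" -> $1="implicit", $2="active:", $3="yes"
        $1 == "implicit" && $3 == "yes" {
            state = $2; sub(/:$/, "", state)
            printf "%s\t%s\n", action, state
        }
    '
}

# Constructed sample in pkaction --verbose layout; these action IDs are
# placeholders, not real polkit actions.
SAMPLE='org.example.packagekit.package-install:
  description:       Install signed package
  implicit any:      no
  implicit inactive: no
  implicit active:   yes
org.example.packagekit.system-update:
  description:       Update software
  implicit any:      no
  implicit inactive: no
  implicit active:   auth_admin_keep
org.example.login1.reboot:
  description:       Reboot the system
  implicit any:      auth_admin
  implicit inactive: yes
  implicit active:   yes'

if [ "${1:-}" = "--live" ]; then
    # Audit the running system instead of the sample (requires pkaction).
    pkaction --verbose | audit_polkit_actions
else
    printf '%s\n' "$SAMPLE" | audit_polkit_actions
fi
```

Actions that show up with `active` are the ones the bug above is about: any user logged in at the console gets them without being asked for anything, while `auth_admin_keep` and friends still trigger a prompt.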