On Wed, Nov 18, 2015 at 10:49 AM, Adam Jackson ajax@redhat.com wrote:
> On Tue, 2015-11-17 at 17:30 +0000, Andrew Haley wrote:
>> On 11/02/2015 03:05 PM, Adam Jackson wrote:
>>> But, why take the risk exposure, when you could simply not?
>>
>> How else would I edit root-owned files? I don't get it. I mean, I guess I could run an editor in a text window, but I don't want to do that.
>
> That's kind of a non sequitur. To a first order, there are zero root-owned files you need to edit routinely. And I feel pretty comfortable calling any counterexamples bugs that need fixing.
>
>> And finally, it's *my computer*, dammit.
>
> In the threat model being described, no, it is not, there's another agent on the system subverting your use of it.
>
> You are of course free to disregard that risk, or measure it in the event and conclude it's safe enough, and in many cases it will in fact be safe. Great, fine, that's a conclusion a consumer can come to. But in the Fedora context we are the producer, not the consumer. Developing an operating system means considering what is best in the general case, and in the general case, if using the system requires a known-dangerous configuration, we've done our job poorly.
>
> Phrased another way: no, it's not *your computer* we're talking about here. The computer in question rightfully belongs to someone else; we are here discussing how to be responsible for the code they allow us to run on it.
I don't understand. If a user who has the right to act as root asks to authorize a program to run as root on their behalf, we should grant that request. And, once we grant it, we shouldn't be passive-aggressive and say "sure you can run it, but no graphics for you!".
Sure, if we want to block attacks in which an untrusted non-root program subverts the root program, then great! But we should really start by stopping attacks in which an untrusted non-root program runs sudo itself, edits .bashrc to redirect sudo to something malicious, subverts the (non-root!) terminal in which the user types sudo, etc.
IOW, we're solving only one tiny special case of a broad problem, and it's more annoying than helpful.
--Andy
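The two file-based hijacks Andy lists (a `sudo` alias or function planted in .bashrc, and a fake `sudo` placed ahead of /usr/bin on PATH) can be checked for from the user's side. The script below is an added example written for this page; it is not code from the thread, from Fedora, or from sudo. It assumes the rc file to inspect and the PATH value are passed in, that a legitimate sudo lives in /usr/bin, /bin or /usr/local/bin, and it builds its own sample rc files and fake `sudo` binary in a temp directory; those samples are constructed for the demonstration, not taken from a real system.

```sh
#!/bin/sh
# Added example, not part of the thread. Looks for two user-side sudo
# hijacks that need no root: (1) a shell alias/function named "sudo" in a
# user-writable rc file, which intercepts every "sudo ..." the user types;
# (2) a fake "sudo" in a user-writable directory that sorts before /usr/bin
# on PATH. The rc files and PATH used below are constructed samples.

# Return 0 if FILE defines sudo as an alias or a shell function.
rc_redirects_sudo() {
    file="$1"
    [ -r "$file" ] || return 1
    # Matches:   alias sudo=...    sudo() {    function sudo {
    if grep -Eq '^[[:space:]]*(alias[[:space:]]+sudo=|sudo[[:space:]]*\(\)|function[[:space:]]+sudo([[:space:]]|\{))' "$file"; then
        return 0
    fi
    return 1
}

# Print the path "sudo" resolves to under the given PATH value (empty if
# none). Done in a subshell so the caller's own PATH is left alone.
resolve_sudo() {
    ( PATH="$1"; command -v sudo 2>/dev/null ) || true
}

# Return 0 if the resolved sudo lives in a root-owned system directory.
# Anything else (e.g. something under $HOME) is suspicious.
in_system_dir() {
    case "$1" in
        /usr/bin/sudo|/bin/sudo|/usr/local/bin/sudo) return 0 ;;
        *) return 1 ;;
    esac
}

# Run both checks against RCFILE and PATHVALUE. Print findings and
# return 0 only if nothing looks hijacked.
audit_sudo_path() {
    rcfile="$1"; pathvalue="$2"; status=0
    if rc_redirects_sudo "$rcfile"; then
        echo "WARN: $rcfile redefines sudo as an alias or function"
        status=1
    fi
    resolved=$(resolve_sudo "$pathvalue")
    if [ -z "$resolved" ]; then
        echo "WARN: no sudo found on PATH"
        status=1
    elif ! in_system_dir "$resolved"; then
        echo "WARN: sudo resolves to $resolved, outside the system directories"
        status=1
    fi
    return "$status"
}

# Constructed samples: a clean rc file, one with a planted sudo function,
# and a fake sudo in a user-writable bin directory. Prints the directory.
make_samples() {
    dir=$(mktemp -d)
    printf 'export EDITOR=vim\nalias ll="ls -l"\n' > "$dir/clean_bashrc"
    printf 'alias ll="ls -l"\nsudo() { "$HOME/.cache/.x/sudo" "$@"; }\n' > "$dir/tampered_bashrc"
    mkdir -p "$dir/bin"
    printf '#!/bin/sh\nexit 0\n' > "$dir/bin/sudo"
    chmod +x "$dir/bin/sudo"
    echo "$dir"
}

# Demo: audit the clean sample against a system PATH, then the tampered
# sample with the user-writable bin directory placed first on PATH.
SAMPLES=$(make_samples)
echo "--- clean rc, system PATH"
audit_sudo_path "$SAMPLES/clean_bashrc" "/usr/bin:/bin" && echo "ok: nothing found"
echo "--- tampered rc, user bin first on PATH"
audit_sudo_path "$SAMPLES/tampered_bashrc" "$SAMPLES/bin:/usr/bin:/bin" || echo "hijack indicators found"
rm -rf "$SAMPLES"
```

In practice the same scan belongs on every file the login shell sources (.bash_aliases, .profile, .bash_profile, .zshrc), and the check has the limitation Andy's argument implies: it runs with the user's own privileges, so a process that already controls the shell or the terminal emulator can feed it whatever it likes. It catches the two file-based cases, nothing more.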