On Wed, Nov 18, 2015 at 10:49 AM, Adam Jackson <ajax(a)redhat.com> wrote:
On Tue, 2015-11-17 at 17:30 +0000, Andrew Haley wrote:
> On 11/02/2015 03:05 PM, Adam Jackson wrote:
> > But, why take the risk exposure, when you could simply not?
>
> How else would I edit root-owned files? I don't get it. I mean,
> I guess I could run an editor in a text window, but I don't want to
> do that.
That's kind of a non sequitur. To a first order, there are zero root-
owned files you need to edit routinely. And I feel pretty comfortable
calling any counterexamples bugs that need fixing.
> And finally, it's *my computer*, dammit.
In the threat model being described, no, it is not, there's another
agent on the system subverting your use of it.
You are of course free to disregard that risk, or measure it in the
event and conclude it's safe enough, and in many cases it will in fact
be safe. Great, fine, that's a conclusion a consumer can come to. But
in the Fedora context we are the producer, not the consumer. Developing
an operating system means considering what is best in the general case,
and in the general case, if using the system requires a known-dangerous
configuration, we've done our job poorly.
Phrased another way: no, it's not *your computer* we're talking about
here. The computer in question rightfully belongs to someone else; we
are here discussing how to be responsible for the code they allow us to
run on it.
I don't understand. If a user who has the right to act as root asks
to authorize a program to run as root on their behalf, we should grant
that request. And, once we grant it, we shouldn't be
passive-aggressive and say "sure you can run it, but no graphics for
you!".
Sure, if we want to block attacks in which an untrusted non-root
program subverts the root program, then great! But we should really
start by stopping attacks in which an untrusted non-root program runs
sudo itself, edits .bashrc to redirect sudo to something malicious,
subverts the (non-root!) terminal in which the user types sudo, etc
IOW, we're solving only one tiny special case of a broad problem, and
it's more annoying than helpful.
--Andy