On Sun, Nov 08, 2020 at 12:05:14PM -0800, Dave Stevens wrote:
Matthew Miller mattdm@fedoraproject.org wrote:
On Sun, Nov 08, 2020 at 11:13:31AM -0800, Dave Stevens wrote:
"The current console user is generally allowed to reboot the system." why?? isn't that a giant security hole? just from mistakes, not to mention malice.
What is the attack scenario you are envisioning here for this to be a security issue?
denial of service?
Turning of your own machine is technically a denial of service, sure. But as the headline issue here shows, you're prompted for authentication if another account is logged in. (This is the case for example when user-switching to share a machine, or when someone is logged in remotely.)
If you do have a system where physical login access is available but the machine is also acting as a server, and you don't have 100% trust for the people with that physical access, you should configure the system to be more locked-down in a variety of ways, including this one.