On Sun, Nov 08, 2020 at 12:05:14PM -0800, Dave Stevens wrote:
Matthew Miller <mattdm(a)fedoraproject.org> wrote:
> On Sun, Nov 08, 2020 at 11:13:31AM -0800, Dave Stevens wrote:
> > "The current console user is generally allowed to reboot the
> > system." why?? isn't that a giant security hole? just from
> > mistakes, not to mention malice.
> What is the attack scenario you are envisioning here for this to be a
> security issue?
denial of service?
Turning of your own machine is technically a denial of service, sure. But as
the headline issue here shows, you're prompted for authentication if another
account is logged in. (This is the case for example when user-switching to
share a machine, or when someone is logged in remotely.)
If you do have a system where physical login access is available but the
machine is also acting as a server, and you don't have 100% trust for the
people with that physical access, you should configure the system to be more
locked-down in a variety of ways, including this one.
--
Matthew Miller
<mattdm(a)fedoraproject.org>
Fedora Project Leader