Security testing: need for a security policy, and a security-critical package process

Adam Williamson awilliam at redhat.com
Tue Dec 1 18:56:51 UTC 2009


On Tue, 2009-12-01 at 12:47 -0500, Gene Czarcinski wrote:

> I suspect that most commercial and government customers will be interested in 
> Red Hat Enterprise Linux rather than Fedora.  But, Fedora is the technology 
> base on which future Red Hat Enterprise Linux releases are built.  The better 
> Fedora is, the more confidence customers will have in the Red Hat product.

I agree. What I'm really worried about here, ultimately, is PolicyKit,
and the way it permits a lot more grey areas than have been possible
before. If you look at previous privilege escalation mechanisms, they're
simplistic; whether you're using sudo or consolehelper or whatever,
ultimately you either have a process run as root or as user. And it's
pretty obvious what should run as root and what shouldn't; I don't
remember there being any real serious debates about that, everyone
pretty much reaches the same conclusions independently. The
authentication question is equally simple: basically either the process
just runs as root automatically (which everyone agrees should happen for
as few processes as possible), or you have to authenticate each time -
for Fedora, basically you have to type the root password, since we never
really used sudo.

Things like 'well, we can perform this one specific type of operation
with this one specific type of authentication' just weren't possible.
Now they are, so stuff like the PackageKit issue was bound to start
happening. The things PolicyKit makes possible really need some kind of
coherent oversight, I think, and that is indeed something Red Hat
Enterprise Linux will also need to address, so obviously from an RH
perspective, it helps RH if Fedora develops some kind of policy for
this. But I think it's necessary for Fedora anyway, regardless of RH.

-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org
http://www.happyassassin.net



