Local users get to play root?
Seth Vidal
skvidal at fedoraproject.org
Wed Nov 18 18:20:56 UTC 2009
On Wed, 18 Nov 2009, Konstantin Ryabitsev wrote:
> 2009/11/18 Jon Ciesla <limb at jcomserv.net>:
>>> A local user is allowed to install software on the machine without being
>>> prompted for the root password.
>>>
>>> This is a recipe for disaster in my opinion.
>>>
>> So much for granting shell access on my servers. . .
>
> I may be wrong, but I understand that this behaviour of PackageKit
> only applies to users with direct console access (i.e. not remote
> shells). So, only users that are logged in via GDM or TTY would be
> able to perform such tasks.
>
> This significantly limits the number of users with powers to install
> signed software -- almost to the point of where it sounds like a fair
> trade-off. If someone has physical access to the machine, then heck --
> it's not like they don't already effectively "own" it.
>
> Not saying it's a good default policy -- but let's cool our heads.
might be worth testing that feature with pkcon from an ssh terminal. I've
not done that yet but I think it would be worth checking out.
-sv
More information about the devel
mailing list