Local users get to play root?
Eric Christensen
eric at christensenplace.us
Thu Nov 19 00:52:06 UTC 2009
On Wed, 2009-11-18 at 15:43 -0900, Jeff Spaleta wrote:
> On Wed, Nov 18, 2009 at 3:35 PM, Eric Christensen
> <eric at christensenplace.us> wrote:
> > PackageKit is something right there on the desktop that, to its credit,
> > needs little knowledge to use whereas many of your attack vectors noted
> > above are generally fixed in my shop by use of a kickstart and securing
> > the box from physical access and require a higher skill to perform.
>
> So can't you harden this with a kickstart file line like you do in
> your other hardening steps in your shop? I think to point Bill is
> trying to make is that there are of a number of other settings that
> need to be hardened and that this choice is just one of many choices
> associated with security associated with a console user. Console user
> security is already a leaky ship and PK is just one more hole.
>
> -jef
>
Maybe. I mean removing (or not installing) PK is a snap with kickstart.
I haven't visited my kickstart in a while so... :)
I guess the big thing, to me, is that this vulnerability wasn't
presented, documented, or talked about and it is the opposite policy to
what most (all?) SYSADMINS would expect. If you don't know to fix it
then you are pwned. Most of the hardening guides that I've read or have
contributed to assumed that the operating system wouldn't allow this
kind of behavior by default and thus doesn't really address it. I know
the hardening guide for RHEL from the NSA talks about setting up sudo
and how to use it but doesn't talk about securing pup, IIRC.
--Eric
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part
Url : http://lists.fedoraproject.org/pipermail/devel/attachments/20091118/ca610c0b/attachment.bin
More information about the devel
mailing list