Security policy oversight needed?
Chris Adams
cmadams at hiwaay.net
Thu Nov 19 14:31:08 UTC 2009
Once upon a time, Richard Hughes <hughsient at gmail.com> said:
> If you're not shipping custom PolicyKit rules then at the moment
> normal users can, without authentication:
>
> * Grant high priority scheduling to a user process
I have complained about this.
> * Connection sharing via a protected WiFi network
Only if the NetworkManager daemon is running, right?
> * Suspend the system
Again, on/off don't change system policy.
> * Inhibit media detection
> * Mount a device
The user mounts are locked down (noexec), right?
> * Restart the system
Again, on/off don't change system policy.
> * Get information about system services
Information that has always been available, right?
> * Install debuginfos using abrt
Didn't know about this one; another thing that should be changed by
default.
> * Enroll new fingerprints
That's along the lines of "change their password", which is reasonable
(unless this is giving elevated access to those fingerprints).
--
Chris Adams <cmadams at hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
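
Added example, not part of the original post and not code from PolicyKit or Fedora: a sketch that lists the actions in a polkit `.policy` XML document whose implicit defaults authorize a session with no authentication, which is how a list like the one quoted above can be produced for review. The sample document, its `org.example.*` action ids and the function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the polkit .policy layout; the action ids are made up.
SAMPLE_POLICY = """<policyconfig>
  <action id="org.example.power.suspend">
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="org.example.storage.mount">
    <defaults>
      <allow_any>yes</allow_any>
      <allow_inactive>yes</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="org.example.packages.install">
    <defaults>
      <allow_active>auth_admin</allow_active>
    </defaults>
  </action>
</policyconfig>
"""

# The three session classes a .policy file can set an implicit default for.
SESSION_KINDS = ("allow_any", "allow_inactive", "allow_active")

def unauthenticated_actions(policy_xml):
    """Return {action id: [session kinds whose implicit default is 'yes']}."""
    findings = {}
    for action in ET.fromstring(policy_xml).iter("action"):
        defaults = action.find("defaults")
        if defaults is None:
            continue
        # Assumption of this sketch: an omitted element counts as "no".
        open_kinds = [kind for kind in SESSION_KINDS
                      if (defaults.findtext(kind) or "no").strip() == "yes"]
        if open_kinds:
            findings[action.get("id")] = open_kinds
    return findings

if __name__ == "__main__":
    for action_id, kinds in sorted(unauthenticated_actions(SAMPLE_POLICY).items()):
        print(action_id, ",".join(kinds))
```

Run against the contents of each installed `.policy` file, the output gives an administrator the set of actions to tighten with local rules.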