Local users get to play root?

Simo Sorce ssorce at redhat.com
Thu Nov 19 15:37:42 UTC 2009


On Wed, 2009-11-18 at 20:20 -0600, Mike McGrath wrote:
> On Wed, 18 Nov 2009, Jeff Garzik wrote:
> 
> > On 11/18/2009 07:45 PM, Mike McGrath wrote:
> > > Stick with the facts, be clear about what you're
> > > trying to accomplish (changing it back in F13?  Changing it back in F12?
> > > Setting a policy so stuff like this doesn't happen again?)
> >
> >
> > 1) We should recognize this new policy departs from decades of Unix and Linux
> > sysadmin experience.
> >
> > 2) F12 policy should be reverted to F11, ASAP.  Possibly with a CVE.
> >
> > 3) Due to #1, F13+ should not deviate from the decades-old default.
> >
> > 4) Release notes should explain new [and after step #2, optional] policy in
> > detail, including how to turn it off again.  Seth's laudable write-up efforts
> > should not have been necessary -- that info should be prepared.
> >
> > 5) The people who want this new security policy should add an opt-in checkbox
> > in Anaconda or firstboot.
> >
> 
> 
> Does anyone disagree with anything in 1-5?  It all sounds reasonable to
> me?

Agree 100% with 1-4 although I would find 5 optional if PackageKit can
have back the checkbox it has in F-11 to ask the user if it wants to let
it "remember" the authorization. If that's not possible then either 5 or
a control panel entry that lets you easily set the policy for a group,
so that the system administrator can choose which users will have this
privilege by adding them to a group.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



