Draft privilege escalation policy for comments
awilliam at redhat.com
Mon Feb 1 23:18:47 UTC 2010
On Sat, 2010-01-30 at 10:31 -0500, Colin Walters wrote:
> On Sat, Jan 30, 2010 at 1:20 AM, Adam Williamson <awilliam at redhat.com> wrote:
> > Well, reboot is a one-time operation; if there's only one user logged
> > in, they can only affect themselves by rebooting. Adjusting the clock or
> > installing new software isn't the same.
> Ok, actually "one time" feels like there's a more general principle at
> work here, which is the degree to which the operation could
> potentially affect other users.
As it says in the second paragraph:
"An unprivileged user without administrative authentication must not be
able to change the behavior of the system "as a whole" (as viewed by
other users or by network clients), unless the system behavior is
intended to be dependent on the actions of the unprivileged user."
> For example, there's a pretty wide gulf between "install new desktop
> app" (other users see a new menu entry) and "start or stop system
> daemons" (can easily break printing, networking, or just crash the.
> Changing the system time is in between there.
> The reason I mention this specifically is that I'd like in the future to widen
> this set a little bit for the "self managed" desktop target (i.e.
> livecd download), specifically include at least "install new desktop
> application from " and "initiate system update" in that set of default
From the Requirements preamble:
"In the case of an approved Fedora spin which automatically grants
administrative privileges to the first created user account,
authentication as that user can be considered administrative
Fedora QA Community Monkey
IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org