Next privilege escalation policy draft

Adam Williamson awilliam at redhat.com
Thu Feb 4 23:39:45 UTC 2010


On Thu, 2010-02-04 at 15:14 -0500, Adam Jackson wrote:

> Some nitpicking:
> 
> - "Read or write directly to or from system memory" is, technically,
> something every process does.  "Device or kernel memory" might be closer
> to the spirit of the law?

Yeah, that's one people have said is somewhat amorphous. It's important
to note that I'm using the word 'directly' in the policy to mean 'allow
the user to specifically control the process' - i.e. it's not just about
an application the user is using reading memory, it's more about
(apologies for my 1980s terminology :>) not letting the user PEEK and
POKE.

> - Declaring "Read from system logs containing any information about user
> activities" to be a privileged action, means that who(1) and last(1)
> break, since utmp and wtmp are typically - intentionally - world
> readable.  /var/log/ConsoleKit/history similarly.  I think this entire
> rule is mostly subsumed under the "directly access or modify a file they
> would usually be denied rights to" clause, though we'd probably also
> want to define what kinds of log information are sensitive and what
> aren't in that case, and enforce world-readability to match.

I don't understand much about utmp and wtmp, but if appropriate they
could be specifically excepted from the policy. Ditto the ConsoleKit
history. What's the rationale for these being world-readable?
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org
http://www.happyassassin.net
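The exchange above turns on a concrete detail: who(1) and last(1) work only because utmp and wtmp are world-readable, and any log-reading clause in the policy has to account for that. The following is an added example, not part of the thread and not Fedora or glibc code. It parses the glibc x86_64 `struct utmp` layout (384-byte records, an assumption about the platform being audited; other libcs and architectures differ), reconstructs what who(1) would print, lists which user names a world-readable copy of the file exposes, and checks the file mode. The sample records (alice, bob, a getty on tty2) and the temporary file are constructed for the demonstration.

```python
from __future__ import annotations

import os
import stat
import struct
import tempfile
from dataclasses import dataclass

# glibc struct utmp on x86_64 (bits/utmp.h): ut_type, 2 bytes padding, ut_pid,
# ut_line[32], ut_id[4], ut_user[32], ut_host[256], ut_exit (2 x int16),
# ut_session (int32), ut_tv (2 x int32), ut_addr_v6 (4 x int32), 20 reserved.
# Assumption: the audited machine uses this layout (true for glibc/x86_64).
UTMP_FMT = "<hxxi32s4s32s256shhiii16s20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384 bytes

LOGIN_PROCESS = 6  # a getty waiting for a login; who(1) does not list it
USER_PROCESS = 7   # a live login session; this is what who(1) lists


@dataclass
class UtmpRecord:
    ut_type: int
    pid: int
    line: str
    user: str
    host: str
    tv_sec: int


def _cstr(b: bytes) -> str:
    """Decode a NUL-padded fixed-width field."""
    return b.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_utmp(data: bytes) -> list[UtmpRecord]:
    """Parse a whole utmp/wtmp file body into records."""
    if len(data) % UTMP_SIZE != 0:
        raise ValueError(f"utmp data is not a multiple of {UTMP_SIZE} bytes")
    recs = []
    for off in range(0, len(data), UTMP_SIZE):
        (ut_type, pid, line, _id, user, host, _e_term, _e_exit,
         _session, tv_sec, _tv_usec, _addr) = struct.unpack_from(UTMP_FMT, data, off)
        recs.append(UtmpRecord(ut_type, pid, _cstr(line), _cstr(user),
                               _cstr(host), tv_sec))
    return recs


def make_record(ut_type: int, pid: int, line: str, user: str,
                host: str, tv_sec: int) -> bytes:
    """Build one record; struct.pack NUL-pads the fixed-width string fields."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, b"\0" * 16)


def who(recs: list[UtmpRecord]) -> list[tuple[str, str, str]]:
    """What who(1) reports: (user, line, host) for each USER_PROCESS entry."""
    return [(r.user, r.line, r.host) for r in recs
            if r.ut_type == USER_PROCESS and r.user]


def exposed_users(recs: list[UtmpRecord]) -> set[str]:
    """User names anyone who can read the file learns are or were logged in."""
    return {r.user for r in recs if r.ut_type == USER_PROCESS and r.user}


def world_readable(path: str) -> bool:
    """True if the 'other' read bit is set, as it is for utmp/wtmp by convention."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


# Constructed sample: two live sessions and an idle getty, as a utmp file would hold.
SAMPLE_UTMP = b"".join([
    make_record(USER_PROCESS, 1234, "tty1", "alice", "", 1265326785),
    make_record(USER_PROCESS, 2345, "pts/0", "bob", "10.0.0.5", 1265327000),
    make_record(LOGIN_PROCESS, 700, "tty2", "LOGIN", "", 1265320000),
])


def audit_log_file(path: str) -> dict:
    """Report the file mode alongside the user activity it would disclose."""
    with open(path, "rb") as f:
        recs = parse_utmp(f.read())
    return {
        "world_readable": world_readable(path),
        "users": sorted(exposed_users(recs)),
        "sessions": who(recs),
    }


def demo() -> dict:
    """Write the sample to a temp file with the conventional 0644 mode and audit it."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(SAMPLE_UTMP)
        path = f.name
    try:
        os.chmod(path, 0o644)  # the mode utmp/wtmp normally carry
        return audit_log_file(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

Run against a real system, `audit_log_file("/var/run/utmp")` (or the wtmp path) shows the trade-off the thread is about: the same read bit that lets an unprivileged who(1) work also lets any local user enumerate who is logged in and from where.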