Drawing lessons from fatal SELinux bug #1054350

Simo Sorce simo at redhat.com
Fri Jan 24 14:25:05 UTC 2014

On Fri, 2014-01-24 at 14:40 +0100, Reindl Harald wrote:
> Am 24.01.2014 13:56, schrieb Kevin Kofler:
> > Alternatively, the kernel could be patched to give "admin users" (either 
> > defined as members of the "wheel" group as now, or by some additional 
> > property that would be set for the same users by default) some strategic 
> > capabilities such as dac_override. That would also put an end to the endless 
> > annoyance of having to sudo all the time. (And by the way, sudo and 
> > PolicyKit actions should be allowed with no password (rather than the user 
> > password as now) for wheel group members by default.) That way, you still 
> > get the benefits from different accounts, e.g., different preferences per 
> > family member, without the current restrictions imposed on "normal" users.
> > 
> > The endless password prompts make a lot of sense in controlled corporate 
> > environments with dedicated system administrators, but on home machines, 
> > they are just an unnecessary annoyance
> No, they are not. They have the same reason as Firefox asking
> for the master password before displaying stored passwords, even
> after you already entered it to log in somewhere:
> they prevent that, if you are not alone, while you go to
> the toilet and forget to lock your screen, unauthorized people
> do things nobody wants on the machine.

Worse than that, they prevent automated attacks via very vulnerable
applications like browsers. [which of course in Kevin's world are never
run in a SELinux sandbox]

So if you get some malware to jailbreak out of the browser sandbox,
all it needs to do is "sudo pwnme" if there is no password request.

Of course you need to understand at least a smidgen of security to avoid
proposing ludicrous 'defaults'.

> what you propose is the Apple way - not on a linux system please

It is just 'the pwn me' way, nothing more, nothing less.

Simo Sorce * Red Hat, Inc * New York
