default user context on fedorapeople.org
Konstantin Ryabitsev
icon at fedoraproject.org
Tue Mar 27 21:43:47 UTC 2012
On Tue, 2012-03-27 at 17:35 -0400, seth vidal wrote:
> Except it is more or less where we are now.
>
> ie: user can run stuff but they cannot put any exec or suid files in
> any place they can write.
>
> The debate is not about whether or not to enable this - it is about
> whether we need to allow network connections at all.
>
> Allowing irc out or ssh tunnels is not significant more safety
> over just allowing general network communication, afaict.
It's not quite like that. E.g. if we do fedora_u with irc_role(), then
the person would be allowed to execute a binary labelled with
irc_exec_t, which would then be allowed to connect to IRC ports. Without
executing that binary, the user would not be able to connect to IRC
ports, so no ssh-forwarding or just "telnet 6667".
Let me verify this in my VM, though, before I'm forced to insert my foot
into my mouth. :)
Best,
--
Konstantin Ryabitsev
Systems Administrator, Kernel.org
Montréal, Québec
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 665 bytes
Desc: This is a digitally signed message part
URL: <http://lists.fedoraproject.org/pipermail/infrastructure/attachments/20120327/4dea43a2/attachment.sig>
More information about the infrastructure
mailing list