Initial draft of privilege escalation policy

Stephen John Smoogen smooge at
Wed Jan 20 03:24:33 UTC 2010

On Tue, Jan 19, 2010 at 8:15 PM, Adam Williamson <awilliam at> wrote:

Looks good. I added/asked about one thing.

> * Add, remove, upgrade or downgrade any system-wide application or
> shared resource (packaged or otherwise)
> * Read or write directly to or from system memory (with the exception
> that the 'cause to be performed' provision is waived in this case)
> * Load or unload kernel modules (with the exception of automatic loading
> of appropriate modules for hotplugged hardware, managed via the
> module-init-tools system)
> * Start or stop system daemons
> * Edit system-wide configuration files
> * Access other users home directories (unless explicitly granted
> permission by another user)

* Access files normally denied by Discretionary Access Controls (e.g. if
the file is 0600 or 0660 and not owned by the user (and he is not in the
group of the file), he should not be able to see it or write to it)

> * Change any configuration of any other user's account, or view any
> other user's password (with the provision that authentication as the
> user in question, rather than root, would suffice in this case)
> * Add or remove user accounts
> * Change the system clock
> * Shutdown or reboot the system (unless they are the only user logged
> in, and they are logged in locally)
> * Read from system logs containing any information about user activities
> * Write to system logs (with the exception that the 'cause to be
> performed' provision is waived in this case)
> * Write a file anywhere other than their home directory, /tmp, /var/tmp
> or /usr/tmp (with the exceptions that the 'cause to be performed'
> provision is waived in this case, and authentication as another user is
> sufficient for writing to that user's home directory)

/usr/tmp should be a symbolic link to /var/tmp on default systems.

> * Load or modify PolicyKit or SELinux policies
> * Change SELinux enforcement levels
> * Change or disable firewall settings
> * Run an application that listens on a network port lower than 1024
> * Mount or unmount anything (excluding automounted hotplugged storage
> devices, and devices explicitly configured by the root user for
> unprivileged use)
> The term 'system-wide' means that the resource in question would be used
> by any other user or system process.

Stephen J Smoogen.

Ah, but a man's reach should exceed his grasp. Or what's a heaven for?
-- Robert Browning
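The DAC bullet added in this reply (0600 and 0660 files not owned by the user) describes the POSIX permission check an unprivileged user is held to. The following is an added example, not code from the thread or from Fedora: a small Python model of that check, with uid 0 standing in for the override (CAP_DAC_OVERRIDE) that the policy is meant to withhold from unprivileged users. The function names and the sample uids/gids are assumptions.

```python
import os
import stat

# Access bits in the same sense as the mode examples 0600 / 0660.
READ, WRITE = 4, 2


def dac_allows(mode, file_uid, file_gid, uid, gids, want):
    """Decide whether POSIX discretionary access control grants a request.

    mode:     st_mode (type bits are stripped) or bare permission bits
    file_uid, file_gid: owner and group of the file
    uid, gids: the requesting user's uid and the set of all its group ids
    want:     READ, WRITE or READ | WRITE

    Exactly one permission class applies (owner, else group, else other),
    so a 0070 file is unreadable by its owner even if the owner is also a
    member of the file's group.  Returns True only if every wanted bit is
    set in the applicable class.
    """
    if uid == 0:
        # Models CAP_DAC_OVERRIDE: root bypasses read/write DAC checks.
        # The policy's point is that no unprivileged action may reach this.
        return True
    perm = stat.S_IMODE(mode)
    if uid == file_uid:
        bits = (perm >> 6) & 7
    elif file_gid in gids:
        bits = (perm >> 3) & 7
    else:
        bits = perm & 7
    return bits & want == want


def check_path(path, uid, gids, want):
    """Apply dac_allows to a real file using its on-disk owner/group/mode."""
    st = os.stat(path)
    return dac_allows(st.st_mode, st.st_uid, st.st_gid, uid, gids, want)


if __name__ == "__main__":
    # Constructed cases mirroring the bullet: user 1001 is not the owner
    # (1000) and, in the first case, not in the file's group (100).
    print(dac_allows(0o600, 1000, 100, 1001, {1001}, READ))         # False
    print(dac_allows(0o660, 1000, 100, 1001, {1001, 100}, WRITE))   # True
```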
