Initial draft of privilege escalation policy
awilliam at redhat.com
Wed Jan 20 18:00:10 UTC 2010
On Wed, 2010-01-20 at 09:09 -0500, Matthias Clasen wrote:
> > The policy requires that any code which allows a user to perform, or
> > cause to be performed, certain actions must require authentication
> > the root user prior to the action being carried out. The actions
> This does not seem right. While we want a standard, unprivileged user
> not be able to do these things, we very much want to define an
> 'Administrator' role that can be assigned to users other than root and
> that will enable them to do many of these things by just
> as themselves, not as root.
> The policy should be worded in a way that makes it clear that this is
(apologies for the erratic line wrapping, seems to be a bug in Rawhide
Right, spot had a little note to that effect in the blog post, I forgot
to reproduce it in the policy. Will update.
> > * Add, remove, upgrade or downgrade any system-wide application or
> > shared resource (packaged or otherwise)
> I don't see how a Fedora policy can apply to non-packaged resources;
> other than the fact that those resources will be subject to normal
> access control (e.g. file permissions).
The envisaged situation is a *packaged* application which is built in
such a way that it would allow an unprivileged user to cause a binary to
be stuck in /usr/bin , or a library in /usr/lib , or whatever - whether
that is by the installation of another Fedora package, or just by the
application going out and downloading it and dumping it there itself.
> > * Read or write directly to or from system memory (with the
> > that the 'cause to be performed' provision is waived in this case)
> This seems entirely too vague to make sense. What does 'system memory'
> mean here ?
Actually I sort of agree. :) Spot, are you reading? Can you clarify?
This came straight from spot's post.
> > * Start or stop system daemons
> With the exception of daemons that are autostarted D-Bus system bus
> > * Edit system-wide configuration files
> Seems clear enough on the face of it, but is /etc/passwd a system-wide
> configuration file ? Users do edit that by changing e.g. their
Well, see the definition of 'system-wide' further down. This particular
use would be excepted because it doesn't affect any other user.
> > * Write to system logs (with the exception that the 'cause to be
> > performed' provision is waived in this case)
> Huh ? The mere fact of me logging in will cause system logs to be
Hence the bit in brackets. It says that the language about 'cause to be
performed' is waived for this case; i.e., this rule only means that
users should not be able to write *directly* to system logs. Performing
actions which cause system processes to write to system logs is of
Fedora QA Community Monkey
IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org
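The thread above is about which actions must stay behind authentication; the concrete failure mode Adam describes is a package laid out so that an unprivileged user can drop a binary into /usr/bin or a library into /usr/lib, or write directly to a system log. The script below is an added example and not part of the thread or of Fedora's policy tooling: it audits a directory tree for files and directories writable by group or other, which is the permission-level check a reviewer would run against such a package. The tree it scans is constructed inline under a temporary directory (hypothetical paths such as usr/lib/foo/plugin.so are invented for the demo); on a real system you would point audit_writable at /usr/bin, /usr/lib and /var/log instead.

```sh
#!/bin/sh
# Added example, not code from the thread. Assumes POSIX sh plus a find(1)
# that accepts symbolic -perm modes (GNU and BSD find both do).
umask 022

# Print every file or directory under the given roots that is writable by
# group or other, i.e. a place an unprivileged local user could plant or
# modify content without any authentication at all.
audit_writable() {
    for root in "$@"; do
        [ -d "$root" ] || continue
        find "$root" \( -type f -o -type d \) \
            \( -perm -g=w -o -perm -o=w \) -print
    done
}

# Number of offending entries, for scripting and for a pass/fail gate.
count_writable() {
    audit_writable "$@" | wc -l | tr -d ' '
}

# Constructed demo tree mimicking a badly packaged application: the plugin
# directory and the shared object it ships are world-writable, the tool in
# usr/bin and the log file are not. Hypothetical names throughout.
demo_tree=$(mktemp -d)
trap 'rm -rf "$demo_tree"' EXIT
mkdir -p "$demo_tree/usr/bin" "$demo_tree/usr/lib/foo" "$demo_tree/var/log"
printf 'x' > "$demo_tree/usr/bin/goodtool";       chmod 0755 "$demo_tree/usr/bin/goodtool"
printf 'x' > "$demo_tree/usr/lib/foo/plugin.so";  chmod 0666 "$demo_tree/usr/lib/foo/plugin.so"
chmod 0777 "$demo_tree/usr/lib/foo"
printf 'x' > "$demo_tree/var/log/messages";       chmod 0644 "$demo_tree/var/log/messages"

# Report: the two entries under usr/lib/foo are flagged, the log is clean.
echo "writable entries under usr:"
audit_writable "$demo_tree/usr"
echo "count under usr:     $(count_writable "$demo_tree/usr")"
echo "count under var/log: $(count_writable "$demo_tree/var/log")"
```

A non-zero count from count_writable on /usr/bin, /usr/lib or /var/log is exactly the "cause a binary to be stuck in /usr/bin" or "write directly to system logs" case the draft policy rules out; a package that needs to ship a writable location should put it under /var or a per-user directory and keep the system paths root-owned and 0755/0644.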