Initial draft of privilege escalation policy

Adam Williamson awilliam at redhat.com
Wed Jan 20 18:00:10 UTC 2010


On Wed, 2010-01-20 at 09:09 -0500, Matthias Clasen wrote:

> > The policy requires that any code which allows a user to perform, or
> > cause to be performed, certain actions must require authentication as
> > the root user prior to the action being carried out. The actions are:
> 
> This does not seem right. While we want a standard, unprivileged user to
> not be able to do these things, we very much want to define an
> 'Administrator' role that can be assigned to users other than root and
> that will enable them to do many of these things by just authenticating
> as themselves, not as root.

> The policy should be worded in a way that makes it clear that this is
> allowed.

(apologies for the erratic line wrapping, seems to be a bug in Rawhide
evolution).

Right, spot had a little note to that effect in the blog post, I forgot
to reproduce it in the policy. Will update.

> > * Add, remove, upgrade or downgrade any system-wide application or
> > shared resource (packaged or otherwise)
> 
> I don't see how a Fedora policy can apply to non-packaged resources;
> other than the fact that those resources will be subject to normal
> access control (e.g. file permissions).

The envisaged situation is a *packaged* application which is built in
such a way that it would allow an unprivileged user to cause a binary to
be stuck in /usr/bin, or a library in /usr/lib, or whatever - whether
that is by the installation of another Fedora package, or just by the
application going out and downloading it and dumping it there itself.

> > * Read or write directly to or from system memory (with the exception
> > that the 'cause to be performed' provision is waived in this case)
> 
> This seems entirely too vague to make sense. What does 'system memory'
> mean here ?

Actually I sort of agree. :) Spot, are you reading? Can you clarify?
This came straight from spot's post.

> > * Start or stop system daemons
> 
> With the exception of daemons that are autostarted D-Bus system bus
> services...

Will add.

> > * Edit system-wide configuration files
> 
> Seems clear enough on the face of it, but is /etc/passwd a system-wide
> configuration file ? Users do edit that by changing e.g. their password.

Well, see the definition of 'system-wide' further down. This particular
use would be excepted because it doesn't affect any other user.

> > * Write to system logs (with the exception that the 'cause to be
> > performed' provision is waived in this case)
> 
> Huh ? The mere fact of me logging in will cause system logs to be
> written...

Hence the bit in brackets. It says that the language about 'cause to be
performed' is waived for this case; i.e., this rule only means that
users should not be able to write *directly* to system logs. Performing
actions which cause system processes to write to system logs is of
course fine.
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org
http://www.happyassassin.net
