Initial draft of privilege escalation policy

Chris Adams cmadams at
Wed Jan 20 18:21:33 UTC 2010

Once upon a time, Adam Williamson <awilliam at> said:
> I was being hand-wavy. :) Spot's blog says 'anything in /var/log', which
> isn't a bad definition, I guess. Can you think of anything better?

Users can write to (or cause entries to be appended to) any syslog log
files, since syslog listens on a socket (I don't think there's a way to
limit that).

One thing that jumps out at me about the way the policy is worded is
that it defines what is restricted (what you can't do) instead of what
is allowed (what you can do).  This seems backwards to me; you'll always
be chasing some new thing that somebody implemented (e.g. the PackageKit
change that brought this about) that wasn't previously restricted.

If you define the only things that are allowed (e.g. "change own
password", "admin user install packages" (once "admin user" is defined),
and so on), then anything not explicitly allowed is "bad".  If somebody
wants to implement something new (e.g. PackageKit), they need to get a
policy change approved.

When it comes to security, you want to define what is okay and assume
everything else is not okay; trying to think of all the not-okay things
in advance usually fails.
Chris Adams <cmadams at>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

More information about the test mailing list