Initial draft of privilege escalation policy
Kevin Fenzi
kevin at scrye.com
Fri Jan 22 05:22:38 UTC 2010
On Thu, 21 Jan 2010 15:17:54 -0800
Adam Williamson <awilliam at redhat.com> wrote:
> Here's a second draft, addressing several (not yet all) of the
> concerns raised about the first.
A few general comments:
- Might be nice to number/letter/enumerate the items... so you can
point to specific parts without excessive quoting.
- Is it worth noting ConsoleKit/udev rules here that would give privs
to local users that remote ones don't get?
- Is it worth noting console users vs remote vs admin user types?
- Is dbus security worth mentioning? system vs session and what users
should be allowed, etc?
> Privilege Escalation Policy (draft)
...snip...
> == Enforcement ==
>
> The [[QA]] team will check packages known to be capable of privilege
> escalation for their compliance with this policy, both through manual
> examination and automated testing via the AutoQA project.
Would it be worth having some kind of automated script that can find
packages that might need scrutiny? ie, anything with suid binaries,
anything with polkit files, anything with consolehelper
Sort of a critical path of security apps?
Looks like ubuntu has a pretty bare/skeleton policy at:
https://wiki.ubuntu.com/SecurityPolicy
A few things there might be worth adding here.
Anyhow, thanks for taking on this task!
kevin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://lists.fedoraproject.org/pipermail/test/attachments/20100121/81285ffc/attachment.bin
More information about the test
mailing list