Initial draft of privilege escalation policy
drago01
drago01 at gmail.com
Fri Jan 22 08:38:37 UTC 2010
On Fri, Jan 22, 2010 at 12:16 AM, Adam Williamson <awilliam at redhat.com> wrote:
> On Wed, 2010-01-20 at 19:40 +0100, drago01 wrote:
>> On Wed, Jan 20, 2010 at 4:15 AM, Adam Williamson <awilliam at redhat.com>
>> wrote:
>> > Hi, everyone. As you may know if you've followed the meetings, FESCo
>> has
>> > cheerfully punted the privilege escalation policy issue back to us;
>> they
>> > want us to come up with a draft policy to take back to a FESCo
>> meeting.
>>
>> > * Run an application that listens on a network port lower than 1024
>> > * Mount or unmount anything (excluding automounted hotplugged
>> storage
>> > devices, and devices explicitly configured by the root user for
>> > unprivileged use)
>>
>> Define "anything" what about fuse mounts? (like sshfs, or those done
>> by gvfs)
>
> Hmm. Should it perhaps talk instead about mounting anything outside of
> the user's own home directory?
Yes that would cover this cases; but one should not be allowed to
mount devices like internal storage without being root.
More information about the test
mailing list