Initial draft of privilege escalation policy

Adam Williamson awilliam at redhat.com
Fri Jan 22 18:18:49 UTC 2010 

On Thu, 2010-01-21 at 22:22 -0700, Kevin Fenzi wrote:
> On Thu, 21 Jan 2010 15:17:54 -0800
> Adam Williamson <awilliam at redhat.com> wrote:
> 
> > Here's a second draft, addressing several (not yet all) of the
> > concerns raised about the first.
> 
> A few general comments: 
> 
> - Might be nice to number/letter/enumerate the items... so you can
>   point to specific parts without excessive quoting. 

The problem then is you're stuck with the ordering for evermore, as
people expect that the numbers should never change. So you can't realize
that you actually wanted to stick in another rule between 3 and 4. At
least, not unless you call it 3.5 :)

> - Is it worth noting ConsoleKit/udev rules here that would give privs
>   to local users that remote ones don't get?
> 
> - Is it worth noting console users vs remote vs admin user types?

I was reluctant to do this, as during the PackageKit kerfuffle it became
fairly clear that this isn't a distinction it's safe to rely on; there
are mechanisms by which remote users can quite easily appear as local
users. As long as that's the case I'm not sure we should draw this kind
of distinction.

> - Is dbus security worth mentioning? system vs session and what users
>   should be allowed, etc?

Er, details? :)

> > The [[QA]] team will check packages known to be capable of privilege
> > escalation for their compliance with this policy, both through
> manual
> > examination and automated testing via the AutoQA project.
> 
> Would it be worth having some kind of automated script that can find
> packages that might need scrutiny? ie, anything with suid binaries,
> anything with polkit files, anything with consolehelper
> 
> Sort of a critical path of security apps?

Yes, we've already been planning exactly this.

> Looks like ubuntu has a pretty bare/skeleton policy at: 
> https://wiki.ubuntu.com/SecurityPolicy
> A few things there might be worth adding here. 

Damn, the *one* I didn't check (I checked Debian, SUSE and Gentoo) -
you're usually safe if you figure anything useful in Ubuntu is in Debian
too. Sigh...thanks!
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org
http://www.happyassassin.net

More information about the test mailing list