Initial draft of privilege escalation policy
beland at alum.mit.edu
Wed Jan 27 02:22:18 UTC 2010
On Mon, 2010-01-25 at 21:55 -0800, Adam Williamson wrote:
> This seems quite tricky to formulate to me; I can certainly see all
> sorts of legitimate scenarios for remote access to such devices which
> you wouldn't want to do as root. I'm not sure if we can really include
> this as-is.
Certainly; for example, I'll probably be setting up a Linux box to use
as a sound server for the house.
I guess there are two distinct issues - whether or not remote users
can access local hardware, and whether or not users can intercept data
going to or from other users and their software or hardware services.
To address the second issue directly, I might say something like the
following as a general policy:
Information in the system created by or intended for other users
should not be accessible unless:
* A user has been authenticated as a superuser
* The system administrator has configured a resource to be shared
* The other user has explicitly configured the resource to be shared or
is explicitly communicating with the first user
This requires that by default, software and hardware services such as
displays, the desktop, sound, cameras, network ports, printers,
scanners, filesystems, and input devices should not "leak" information
to other unauthenticated local users.
Whether or not webcams, microphones, and other equipment that might be
abused by remote users are "owned" by someone logged in from a local
seat or some attempt is made at blocking remote users' access or at
warning local users...those seem like questions which might be beyond
the scope of this document? If that's the case, is there somewhere in
particular to refer this to or which has already taken care of it?
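As an added illustration of the three-condition policy above (not part of the original message or of any Fedora document), the following Python script models a few constructed local resources with their Unix owner/group/mode bits and checks where the classic permission bits hand out access that the draft policy would not. All paths, users and sharing flags are made up for the example; the `shared_by_admin` and `shared_by_owner` fields stand in for whatever mechanism an administrator or owner would actually use to mark a resource as shared.

```python
"""Audit constructed local resources against the draft leak policy.

Policy (as drafted in the message above): information created by or intended
for another user is off limits unless the requester is an authenticated
superuser, the administrator has configured the resource as shared, or the
owner has explicitly shared it.  This script compares that rule with what the
owner/group/other mode bits of each resource actually grant and reports the
gaps.  All data below is constructed for the example.
"""
import stat
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset = frozenset()
    superuser: bool = False


@dataclass(frozen=True)
class Resource:
    path: str
    owner: str
    group: str
    mode: int                      # permission bits as in st_mode, e.g. 0o660
    shared_by_admin: bool = False  # hypothetical: administrator marked it shared
    shared_by_owner: bool = False  # hypothetical: owner explicitly shared it


def policy_allows(res: Resource, user: User) -> Tuple[bool, str]:
    """Apply the draft policy's three exceptions; owners always see their own data."""
    if user.superuser:
        return True, "authenticated superuser"
    if res.owner == user.name:
        return True, "own resource"
    if res.shared_by_admin:
        return True, "shared by administrator"
    if res.shared_by_owner:
        return True, "shared by owner"
    return False, "not shared"


def unix_grants(res: Resource, user: User) -> bool:
    """What the owner/group/other mode bits actually hand out (read or write)."""
    if user.superuser:
        return True
    if res.owner == user.name:
        bits = stat.S_IRUSR | stat.S_IWUSR
    elif res.group in user.groups:
        bits = stat.S_IRGRP | stat.S_IWGRP
    else:
        bits = stat.S_IROTH | stat.S_IWOTH
    return bool(res.mode & bits)


def find_leaks(resources: List[Resource], users: List[User]) -> List[Tuple[str, str]]:
    """(path, user) pairs where the mode bits grant what the policy denies."""
    return [(r.path, u.name)
            for r in resources for u in users
            if not policy_allows(r, u)[0] and unix_grants(r, u)]


def tightened_mode(res: Resource) -> int:
    """Mode that closes the gap: drop group/other bits unless sharing was configured."""
    if res.shared_by_admin or res.shared_by_owner:
        return res.mode
    return res.mode & ~(stat.S_IRWXG | stat.S_IRWXO)


# Constructed sample: one webcam, one sound device, two files in a home directory.
SAMPLE_USERS = [
    User("alice", frozenset({"video", "audio"})),
    User("bob", frozenset({"video", "audio"})),
    User("carol"),
    User("root", superuser=True),
]
SAMPLE_RESOURCES = [
    Resource("/dev/video0", "alice", "video", 0o660),               # group leak
    Resource("/dev/snd/pcmC0D0c", "root", "audio", 0o660, shared_by_admin=True),
    Resource("/home/alice/Music", "alice", "users", 0o755, shared_by_owner=True),
    Resource("/home/alice/.xsession-errors", "alice", "alice", 0o644),  # world-readable
]


def main() -> None:
    for path, user in find_leaks(SAMPLE_RESOURCES, SAMPLE_USERS):
        res = next(r for r in SAMPLE_RESOURCES if r.path == path)
        print(f"LEAK {path}: {user} gets access via mode {oct(res.mode)}; "
              f"suggest {oct(tightened_mode(res))}")


if __name__ == "__main__":
    main()
```

Running it reports the webcam node, which `bob` can open purely because he is in the `video` group, and the world-readable `.xsession-errors` file, while the admin-shared sound device and the music directory `alice` chose to share are left alone. The same comparison would apply to a real `os.stat()` walk over `/dev` and home directories, with the sharing flags replaced by whatever the eventual policy defines.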