What are these for?
Alan Cox
alan at lxorguk.ukuu.org.uk
Wed Nov 21 15:02:54 UTC 2012
> > Because the syslog interface isn't secure.
>
> How come? Only root can read the logfile.
The logging interface is not secure, it provides a generic path for
anyone to log stuff.
> Well I can't predict the future. What does mcelog actually do to
> prevent hardware problems or to make the system respond to them properly
> --- whatever "properly" means?
It decoders the CPU state dumped by the exception from the kernel in a
human understandable form.
> >> Regular users must not change the system time. It's on UTC and kept on
> >> track with chrony.
> >
> > Well, exactly. That's why you would need extra authentication to change it.
>
> Users are not supposed to change it at all, not even with extra
> authentication.
A user with extra authentication to be gain root is no different to su
> > It wouldn't. In a GUI, polkit has a distinctive, separate dialog box it uses
> > to ask for authentication. It's absolutely true that spoofing this sort of
> > dialog is a concern.
>
> So yes, it decreases security instead of increasing it.
No different. I can equally spoof you a shell window.
> What difference does it make which password is supplied when with the
> password things can be done that are relevant for security? Why should
> I give my password again when I'm already logged in and the system knows
> who I am?
Configure the policy how you like.
> And what if the user in the wheel group wants to use emacs to edit some
> configuration file that can only be modified by root?
They can use su if they want to use emacs for it.
Alan
More information about the users
mailing list