| |||||||||||||
|
| |||||||||||||
People's reaction to this is just stupid.People's reaction to this is just stupid.Posted Nov 19, 2009 12:24 UTC (Thu) by drag (subscriber, #31333)Parent article: Fedora 12 lets unprivileged users install packages
This thing is starting to piss me off. People's kneejerk reactions are just
so hilariously misplaced here and on slashdot it's just irritating. Could
people possibly think about this for 12 whole seconds before posting?
(Log in to post comments)
People's reaction to this is just stupid. Posted Nov 19, 2009 12:49 UTC (Thu) by Tet (subscriber, #5433) [Link] Local users have physical access to your machine and thus they can trivially override any practical security mechanism you may have on your computerSure, they can override them, but it's not always trivial. On my machines, for example, they'd need to either get past the BIOS password to change the boot order, or physically open the machine up and change the boot disk. Both of which are possible, but not exactly trivial. It's all about the height of the bar. You seem to be claiming that because local access gives you an attack vector, it's fine to drop any additional security that might have been in place. That doesn't make sense to me. A determined attacker will always get in. But it's still worth protecting against the opportunist (and the ignorant). Anyways if your having guest users you should have them use guest accounts Guest accounts that are now capable of installing software without root access? I'm not sure what your point is here.
People's reaction to this is just stupid. Posted Nov 19, 2009 13:27 UTC (Thu) by drag (subscriber, #31333) [Link]
Well guest accounts should not be allowed to have privileged actions.
This is easily configurable, but should be the defaults.
A 'guest account' is one that has no privileges and changes are wiped from
People's reaction to this is just stupid. Posted Nov 19, 2009 13:30 UTC (Thu) by drag (subscriber, #31333) [Link]
"""Sure, they can override them, but it's not always trivial. On my
machines, for example, they'd need to either get past the BIOS password to change the boot order, or physically open the machine up and change the boot disk. Both of which are possible, but not exactly trivial."""
It's a hell of a lot f-ing more trivial to do that then using package kit
"""You seem to be claiming that because local access gives you an attack
That would not make sense if that was what I was saying, but it is not what
People's reaction to this is just stupid. Posted Nov 19, 2009 20:53 UTC (Thu) by kilpatds (subscriber, #29339) [Link] drag wrote:It's a hell of a lot f-ing more trivial to do that then using package kit to install a service or application that runs as root and is locally exploitable. Really? It takes less time to reboot my laptop and crack the HD password (full disk encryption) that it does to install a new package and break it? Perhaps the disk encryption people should fix that...
People's reaction to this is just stupid. Posted Nov 19, 2009 23:02 UTC (Thu) by drag (subscriber, #31333) [Link]
What distro ships with encrypted drives as the default?
What computer ships with a bios password as a default?
If you take steps to secure your stuff then that does not enter into this
A configuration, btw, that is trivially easy to change.
People's reaction to this is just stupid. Posted Nov 20, 2009 1:10 UTC (Fri) by kilpatds (subscriber, #29339) [Link] drag wrote:What distro ships with encrypted drives as the default? FC11. At least it was so easy to do during the install it might as well have. So, I needed to know darn little to set that up. Certainly less than I need to know to turn this off.
People's reaction to this is just stupid. Posted Nov 19, 2009 13:00 UTC (Thu) by hppnq (subscriber, #14462) [Link] The local users discussed here are the completely random "people" who you should assume are roaming around on your system, and who can now trigger something that previously required root privileges.Yes, this is then only one of many bad things, and not even the worst thing, that can happen to you. That's no reason to allow everyone and his dog to install software on your system. Yes, there are many things wrong with the superuser security model. But clearly the solution is not to bypass this model. At least not until you have solved the problem that package management might actually require root privileges (reboot, device configuration, etc.) and you have solved the rather obvious security problem of running software that may not have been installed by you or someone you trust.
People's reaction to this is just stupid. Posted Nov 19, 2009 13:40 UTC (Thu) by drag (subscriber, #31333) [Link] """The local users discussed here are the completely random "people" who you should assume are roaming around on your system, and who can now trigger something that previously required root privileges."""If you leave your system unlocked and let random strangers have physical access to it then you have bigger issues then packagekit. """Yes, this is then only one of many bad things, and not even the worst thing, that can happen to you. That's no reason to allow everyone and his dog to install software on your system.""" Only people that are logged in locally have this ability. And it's easily configurable. """Yes, there are many things wrong with the superuser security model. But clearly the solution is not to bypass this model.""" Yes it is. Giving users the ability to run code with root privileges under their account is clearly undesirable and any system that allows you to avoid this is desirable. """At least not until you have solved the problem that package management might actually require root privileges (reboot, device configuration, etc.)""" The goal of all of this is to make a Desktop-oriented operating system were normal user activity can be carried out in a safe and secure manner in a user-friendly manner. Device configuration on Fedora is carried out without user intervention as much as is possible. Rebooting can be done by a local account without invoking sudo or su and is configurable. I don't know what 'etc' is going to cover, but I bet that Fedora also has that taken care of. Updating and installing software is a everyday mundane event. Especially when it comes to performing system updates it's very very desirable to have this happen with as little barriers as possible. Having insecure older versions of software running on a Linux desktop when more secure newer versions are available is a serious threat to the security of the average user's system. """ and you have solved the rather obvious security problem of running software that may not have been installed by you or someone you trust.'"" If you let unknown or untrusted people log in with your credientials on your system and/or let them have full physical and unmonitored access (all of which is necessary in Fedora 12 to install software without your knowledge) to your systems you have much bigger issues then worrying about somebody installing software that may run as root with a local root exploit.
People's reaction to this is just stupid. Posted Nov 19, 2009 14:09 UTC (Thu) by ledow (guest, #11753) [Link]
"If you leave your system unlocked and let random strangers have physical access to it then you have bigger issues then packagekit."
Schools. Colleges. Universities. Cybercafes. Businesses. Yes, even home users with kids.
Local users may not have physical access to *anything* except for the keyboard and the screen, but they are still users and still have to be allowed to *touch* the computer, even if you need to keep it locked down. You can prevent them accessing the hard drive directly, or the external ports, but you can't stop them typing on a keyboard... otherwise 99% of the world's computers are damn useless.
And this "feature" gives all of them the ability to install crap. If nothing else, that's a DoS because they could just install *every* signed bit of crap in the world.
"And it's easily configurable."
And on by default. And next-to-nobody knew about it. I don't give a damn what the option is, if there's even a *REMOTE* chance it would be something I object to, I don't want it on by default without some massive announcement.
"Giving users the ability to run code with root privileges under their account is clearly undesirable and any system that allows you to avoid this is desirable."
Again, technically "nice", practically, a nightmare. And it's the default nature that's the problem, not the feature. Home user or not, it's a silly idea to allow execution of *anything* (even signed code, which will inevitably have a flaw found in it at some point... look at any videogame console "hack") as anything other than the user that executed it, especially if it's done automatically without requiring an admin password. Windows won't let you do that (at least not by design), MacOS won't let you do that, why should Fedora be any different?
"The goal of all of this is to make a Desktop-oriented operating system were normal user activity can be carried out in a safe and secure manner in a user-friendly manner."
Yep. And even MS Windows says "This installer needs to be run as an administrator" most of the time. "runas" is your friend as a Windows admin installing software for users. There's reasons for that, signed code or not.
"Updating and installing software is a everyday mundane event."
So let's not trivialise it by making people think it is somehow "special" and has to be done automatically all the time for you because you're too stupid to type in an admin password when serious changes are made. Hell... just "memorising" the admin password on the basis of an option box the first time it's needed is more "secure" than doing this silently. And, in fact, updating and installing software is, was and always has been something more than "mundane" in terms of security.
"Especially when it comes to performing system updates it's very very desirable to have this happen with as little barriers as possible."
Agreed. But even Windows (usually) refuses to let you do stupid things with updates without asking for the admin password first, or until you log in as an admin.
"Having insecure older versions of software running on a Linux desktop when more secure newer versions are available is a serious threat to the security of the average user's system."
Totally agreed. But that's no different for any other operating system. And still Windows whinges if I try to install an MSI as a non-admin user when that MSI has to do *anything* remotely fancy.
People's reaction to this is just stupid. Posted Nov 19, 2009 14:31 UTC (Thu) by drag (subscriber, #31333) [Link] """Schools. Colleges. Universities. Cybercafes. Businesses. Yes, even home users with kids."""If you let any desktop OS be used by anonymous people directly using the default configuration your a idiot. I don't care what OS your using. This causes problems on any system, including older versions of Fedora. Debian, Ubuntu or any thing like that. Nothing with Fedora 12's packagekit default policy changes this fact. """Local users may not have physical access to *anything* except for the keyboard and the screen, but they are still users and still have to be allowed to *touch* the computer, even if you need to keep it locked down. You can prevent them accessing the hard drive directly, or the external ports, but you can't stop them typing on a keyboard... otherwise 99% of the world's computers are damn useless.""" Yes 'locked down'. Like 'kiosk mode', right? As in 'not default configuration'. I am never, ever, going to take any OS and let people use it in public without taking steps to lock it down against them. This sort of thing is extremely difficult to get right in pretty much every OS. And anyways in systems like Ubuntu (and Fedora, I believe) the default is to let people have unfettered access to root account if they just supply them the user's password. This Fedora 12 packagekit policy change is still a MASSIVE improvement over the status quo. The only people that got this right before was Debian and that was because sudo was not configured by default, but they still screw it up by requiring the use of 'su' to do mundane desktop activities. """And this "feature" gives all of them the ability to install crap. If nothing else, that's a DoS because they could just install *every* signed bit of crap in the world.""" They can DOS the system a hundred different ways if they have physical access, even through just a keyboard. Anyways, what is stopping them from downloading and running any piece of code on the planet and executing it from their local account? NOTHING. And whats more they have the ability to download and execute any program for any purpose and you have no way of knowing if it's safe or violates the security of your user account or anything like that. With packagekit you at least know that it's a signed binary. """ "And it's easily configurable." And on by default. And next-to-nobody knew about it. I don't give a damn what the option is, if there's even a *REMOTE* chance it would be something I object to, I don't want it on by default without some massive announcement. """ Yes they should of advertised it. This was a big mistake to let this go out without a announcement. Dumb mistake. They should of advertised it as a feature during beta, at the very least. What I think Fedora should do now is introduce a new 'admin' password that is different and separate from your root password and your user password. This will address most of the issues people like you have brought up and still keep most of the positive benefits. Keep in mind some facts here: THE NUMBER ONE PROBLEM is insecure passwords in Linux desktops. People will likely make more secure passwords if they don't have to use them all the time. If you require them to use their password for all mundane events then they will very quickly ignore security notifications and all security considerations. Either they will default to using weak passwords or they will not carry out regular system updates. Making it as easy as possible to use secure passwords and perform system updates is PRIORITY #1. If this causes problems in other areas then this is a bad side effect, but still desirable.
People's reaction to this is just stupid. Posted Nov 19, 2009 14:50 UTC (Thu) by drag (subscriber, #31333) [Link]
Yes... Now that I think about it you should have a admin 'role' or group
that a user must belong to in order to have the default set of mundane desktop administrative tasks.
Things like 'mount removable media', 'reboot', 'update software' and a few
Then let the initial account created during installation belong to this
Then the first time that a user performs a mundane privilege then it should
Something like that.
admin role/group Posted Nov 19, 2009 18:13 UTC (Thu) by rfunk (subscriber, #4054) [Link]
Minus the last paragraph, you just discovered Ubuntu's model. Which is
derived from the older "wheel" model someone else mentioned.
admin role/group Posted Nov 19, 2009 19:41 UTC (Thu) by drag (subscriber, #31333) [Link] Ubuntu's model is to give unfettered access to root if you are able to supply the user's password. Which is exactly the sort of thing I want distros to avoid completely.It's acceptable in a single user environment, which is typical, but it's completely counter productive for most other environments. You should not be required to have root access to perform mundane and routine actions.
People's reaction to this is just stupid. Posted Nov 19, 2009 20:49 UTC (Thu) by sjm (guest, #62085) [Link]
"And anyways in systems like Ubuntu (and Fedora, I believe) the default is to let people have unfettered access to root account if they just supply them the user's password."
I think in Ubuntu this is true only of the first user created (automatically added to sudo file), but not true for other users.
People's reaction to this is just stupid. Posted Nov 20, 2009 0:39 UTC (Fri) by drag (subscriber, #31333) [Link]
Yeah. I now think that automatically giving all local users the ability to
install signed packages is probably a bad idea.
It should only be on automatically for the first user created during
People's reaction to this is just stupid. Posted Nov 20, 2009 17:51 UTC (Fri) by ariveira (guest, #57833) [Link]
First user is added to admin group; that admin group is the
one that has access granted by sudoers.
People's reaction to this is just stupid. Posted Nov 19, 2009 14:56 UTC (Thu) by lkundrak (subscriber, #43452) [Link]
Very well written, drag. Thank you!
People's reaction to this is just stupid. Posted Nov 19, 2009 16:14 UTC (Thu) by bfields (subscriber, #19510) [Link]
"Local users have physical access to your machine and thus they can trivially override any practical security mechanism you may have on your computer."
Not to disagree with the gist of your comment, but: aren't you imagining the wrong threat here?
Malicious local users are rarer than users that can be tricked into subverting the security of the system unintentionally; a more likely threat is from a web page or email message that claims to give users something they want (a game, a faster computer, whatever), if they follow certain instructions.
I suspect that trick is more likely to be successful if it consists of a few commands the user and cut-and-paste, than if it requires them to (for example) boot from a custom boot disk.
People's reaction to this is just stupid. Posted Nov 19, 2009 17:15 UTC (Thu) by drag (subscriber, #31333) [Link] """ Malicious local users are rarer than users that can be tricked into subverting the security of the system unintentionally; a more likely threat is from a web page or email message that claims to give users something they want (a game, a faster computer, whatever), if they follow certain instructions."""This policy change only allows them to install signed packages from Fedora's repositories. It won't allow them to download a random rpm package or anything like that and allow them to install it. They would have to gain root privileges in order to do that even with Fedora 12's policy change. (on a side note: they can install and execute any program on any system without root privileges as long as they install it to their home directory regardless of anything to do with anything. So this is something that Linux will have to improve on..) So for your hack to work the attacker would have to trick Fedora into signing and adding their malicious software to their repository first, then trick the user to installing it through packagekit. This is certainly within the realm of possibility, but it's already a real threat prior to F12 and for other distros. Regardless of the mechanism your using to allow users to install software (sudo, su, etc) they will know how to do it if they know how to use their desktop, right? After all installing software is a normal event. So a attacker using social engineering to run a script using 'sudo' or adding a password to a rpm is not really a sufficient barrier from social engineering being effective. Whats worse is that if you condition the user to continuously give up their user or root password for lots and lots of different reasons then they will quickly assume that this is the normal state of affairs and simply ignore the security implications of giving out the password in the future, and be conditioned to using shitty passwords since long passwords are a huge PITA. See what happens with Window's UAC when it prompts passwords for every little thing, or the type of things that people tell other people to do in Ubuntu's forums. Once it becomes a normal sight then it loses it's effectiveness.
People's reaction to this is just stupid. Posted Nov 19, 2009 18:21 UTC (Thu) by nix (subscriber, #2304) [Link]
The attack vector is obvious.
A local root hole is found in an obscure piece of software packaged by Fedora (perhaps one that, in violation of Fedora policy, runs a daemon on installations; perhaps one with a nasty bug in its installation scripts). The package is obscure, so fixing it takes a relatively low priority. This could be *any* such package: the only real constraint is that it should be obscure enough that most Fedora systems don't have it installed (and there are thousands of such packages). If the package is obscure, it's likely that it doesn't get audited much, so blackhats may very well know of holes in such packages that whitehats don't: so the window here may be very wide indeed. (In current Fedora, this is pretty unimportant, as the package is rarely installed so few people are vulnerable.)
An arbitrary code execution vulnerability is found in Firefox or one of the libraries it uses. These often take a while to fix because FF is a monstrous pig and because of the Mozilla trademark policy requiring signoff (IIRC Fedora has Firefox, not a renamed package).
Now an attacker can exploit the latter vulnerability (probably served via an ad server's rotation on a totally innocent webpage) and then use the former to get root with high probability, probably almost undetectably.
Not good.
(Note: I'm not any sort of security specialist. If *I* can generate this scenario with a few seconds' thought, actual malicious attackers surely can.)
People's reaction to this is just stupid. Posted Nov 19, 2009 20:03 UTC (Thu) by drag (subscriber, #31333) [Link] If a attacker gains access to your local account then they can execute arbitrary code in your user's account and end up doing pretty much whatever then wnt. So, yes, if they can (for example) inject a command in your bashrc script that will command packagekit to install a package. Then if they find a vulnerable package that installs and automatically launches a vulnerable service that runs as root then the attacker could use that to gain root access.Yes, that is certainly a possibility. However.... Here is another potential attack. Imagine your attacking a typical Linux desktop user that has sudo configured to do things like mounting drives or configuring the network or updating their software. Your trying to attack a system like that and you've managed to gain access to their account through something like a vulnerability in the flash plugin. All you have to do is just stick a job into the user's account to run 'if sudo ls > /dev/null; then sudo ~/.run_rootkit;done' every few seconds or so. I'd say that over a period of a day or two the user would of certainly done 'sudo ifconfig' or 'sudo apt-get update' or some such thing. Thus giving the attacker unlimited access to the root account. Of course attackers would probably just go for the most generic attack and install a keylogger or something. ---------------------- Like I said before having a 'admin' password separate from root and the user password is probably a good idea. Maybe not, I don't know. It would certainly address most concerns coming from most people. ----------------- I think that the current #1 threat to Linux systems is users setting up OpenSSH access with weak passwords and attackers guessing those passwords through brute force. Think about that in conjunction with 'sudo'. :)
People's reaction to this is just stupid. Posted Nov 19, 2009 21:17 UTC (Thu) by nix (subscriber, #2304) [Link]
Your assumption that the ability to run 'sudo yum update' implies the
ability to run 'sudo ls' or 'sudo sh' is incorrect. (Just because Ubuntu sets it up that way doesn't mean it's the only way, or even a particularly good one.)
At least sudo can be configured to ask you for a password (at intervals or
In any case, the existence of one security hole isn't a reason to allow
People's reaction to this is just stupid. Posted Nov 19, 2009 23:17 UTC (Thu) by drag (subscriber, #31333) [Link] """ Your assumption that the ability to run 'sudo yum update' implies the ability to run 'sudo ls' or 'sudo sh' is incorrect. (Just because Ubuntu sets it up that way doesn't mean it's the only way, or even a particularly good one.) """My assumption is based on the reality of what is a seems to be a acceptable default configuration for distros. The 'status quo', so to say. If you can lock down sudo then I can change whatever I want with package kit and it is impossible to make a good comparison. """ At least sudo can be configured to ask you for a password (at intervals or every time), and as it's setuid it's relatively hard for an attacker running as the user to spy on the user's keystrokes as he types it in. So elevation to the user does not necessarily mean you can get to root that way.""" Yes. The usual default configuration is to allow sudo access by prompting for a password. This is what I am talking about. And it allows you to re-run sudo without a password for a period of time. My example exploit depends on this behavior. If you run sudo from one console then that gives unlimited root access to any sudo command without prompting for a password for a period of time for every instance of that user's account. Of course this is configurable, but remember the dispute is about default configurations. I am not sure how it is with Fedora, but people don't seem to have a problem with Ubuntu and I think it's the same. """ In any case, the existence of one security hole isn't a reason to allow another one to continue to exist! """ Sure... But you have to realize that the use of things like packagekit and policykit is to eliminate the need for things like sudo for typical desktop activities. I am of the opinion that a desktop that does not require running root code under a user's account as a part of normal everyday activities is superior to one that does. I am looking forward to the day that a user is able to perform every common function on the desktop without requiring root access or running root code under their account and this is a big step in that direction. No distro should ship with sudo enabled for anything! Sudo and su should be reserved for administrators and experts. Expecting normal users to be able to use these things safely is asking too much. And using gtksudo (and similar things) to run GUI applications entirely as root under your account is a huge security hole in itself. Probably the thing should ask for a admin password or something like that, but I think that asking for a user's password is security theater and asking for a root password is just a plain bad idea.
People's reaction to this is just stupid. Posted Nov 20, 2009 2:29 UTC (Fri) by khc (subscriber, #45209) [Link] If you run sudo from one console then that gives unlimited root access to any sudo command without prompting for a password for a period of time for every instance of that user's account.That is not true (at least by default) in ubuntu. If I give sudo password in one terminal, running it again *in another terminal* requires me to enter the password again.
People's reaction to this is just stupid. Posted Nov 20, 2009 2:36 UTC (Fri) by foom (subscriber, #14868) [Link]
That does nothing for security, however. There is no security barrier between two terminals running
as the same UID: The second terminal is just a ptrace() away from making the first terminal run sudo for it...
People's reaction to this is just stupid. Posted Nov 20, 2009 12:26 UTC (Fri) by hppnq (subscriber, #14462) [Link] You can't ptrace() sudo, and you can't run sudo with suid if the parent is traced. It is not that stupid. ;-)(Obviously, if you have a terminal you have other ways to snoop passwords.)
People's reaction to this is just stupid. Posted Nov 19, 2009 18:45 UTC (Thu) by dlang (✭ supporter ✭, #313) [Link]
but something they install in their home directory will not be setuid root
something that the package manager installs may be.
People's reaction to this is just stupid. Posted Nov 19, 2009 23:40 UTC (Thu) by drag (subscriber, #31333) [Link]
Sure.
Having setuid root binaries is a security problem themselves, period, and
People's reaction to this is just stupid. Posted Nov 20, 2009 0:44 UTC (Fri) by gmaxwell (subscriber, #30048) [Link]
At least suid is trivially auditable (find!) and there is decades of established practices, policy, and procedures in dealing with it. I can walk into any library or bookstore and find books on securing systems that cover the subject of SUID binaries and that knowledge and experience is generally portable, not just to all GNU/Linux distributions but across unixes in general.
Eliminating SUID by replacing it with controls buried in a windows-registry like database isn't necessarily an improvement.
People's reaction to this is just stupid. Posted Nov 20, 2009 1:21 UTC (Fri) by drag (subscriber, #31333) [Link] Eliminating SUID by replacing it with controls buried in a windows- registry like database isn't necessarily an improvement.Not always, of course. But I think in the case of policykit and the other *kits it is. This is simply because it should be unnecessary to perform normal desktop operations without resorting to running privileged code under a user's account. These things eliminate that for common cases. I don't think that sudo/su should be eliminated for everything. It should be reserved as a administrative tool and users should only be required to be prompted for the root password or run root code under their account in special cases. I think that in the cases of installing/updating software is such a mundane and everyday event that invoking root password or running code as root is diminishing the security of the typical desktop scenario when a alternative exists. Now for managed desktops then that sort of activity should be forbidden, which is easy enough to accomplish through packagekit/policykit. (also I don't consider storing policy as XML files in directories to be anything like what the negative things the windows registry does...) I do think that having this default spread to _all_ user accounts by default is a bad idea, though.
People's reaction to this is just stupid. Posted Nov 19, 2009 19:16 UTC (Thu) by clugstj (subscriber, #4020) [Link]
"This thing is starting to piss me off."
Well, that could be because you are WRONG and too proud to admit it (even to yourself). Take some time to cool down and then read the posts here and in the Fedora bug and entertain the possibility that everyone who disagrees with you is not necessarily an idiot.
People's reaction to this is just stupid. Posted Nov 19, 2009 23:53 UTC (Thu) by drag (subscriber, #31333) [Link] Of course I could be wrong. I am frequently wrong about a lot of things. Nothing surprises me.But the discussion is irritating because most of the initial responses were blatantly incorrect in a large amounts of their assumptions and made discussing the thing almost impossible. They didn't even take time to think. It violated some unthinking beliefs in what makes a secure system and they objected it simply by appearance only. Also I know that just because you have a minority opinion with you does not make you wrong. Also there is no reason to believe that if a group of people are very loud in their opinions and objections that they are in the majority. There is no such thing as a democracy or popularity/loudness scale in the reality of right or wrong.
People's reaction to this is just stupid. Posted Nov 20, 2009 10:49 UTC (Fri) by russell (subscriber, #10458) [Link]
Installing software is not mundane. Do you really want user upgrading the system. Possibly breaking the system because it may require kernel packages not available in fedora, or because the repo is currently broken ( don't say it doesn't happen, because it does ).
Your assertion about local access is totally wrong. You obviously need to secure your computer better.
If users need to install software. They can do it in there own home directory. That's more secure than 1, 2, 3 or 4.
People's reaction to this is just stupid. Posted Nov 21, 2009 17:49 UTC (Sat) by k8to (subscriber, #15413) [Link]
There are some OK points in your rant, but explicit su - is more secure than the other options.
su -
Or really, what i do:
I open a terminal for root activities, color it red, and creat a completely new login as root. I use that terminal for packaging, or editing config files, and not much more.
The programs that get exposed via my methods:
- the shell
PolicyKit might be able to cut out the editor, but it still has to use those programs and several additional ones. The system is more complex and harder to inspect. My environment is not polluted from the user's.
Really this is the most simple, and the most secure, and the most easily inspected method. My reaction to PolicyKit is "I hope i can prevent it from being used on my distribution."
|
|
||||||||||||