|| ||Adam Williamson <awilliam-AT-redhat.com> |
|| ||Development discussions related to Fedora <fedora-devel-list-AT-redhat.com> |
|| ||Re: Local users get to play root? |
|| ||Thu, 19 Nov 2009 12:11:40 -0800|
|| ||Article, Thread
On Thu, 2009-11-19 at 09:02 -0800, Jesse Keating wrote:
> On Thu, 2009-11-19 at 10:32 -0600, Chris Adams wrote:
> > Once upon a time, Jesse Keating <email@example.com> said:
> > > That is incorrect, unless somehow your ssh tunneled VNC registers as
> > > "local console login", which I doubt. In your case, none of your users
> > > would be allowed to install software/updates.
> > VNC looks like a local console login.
> > --
> > Chris Adams <firstname.lastname@example.org>
> > Systems and Network Administrator - HiWAAY Internet Services
> > I don't speak for anybody but myself - that's enough trouble.
> Not according to what I'm being told by the Desktop folks, at least as
> far as PolicyKit and ConsoleKit are concerned.
> <Oxf13> hrm, in the world of PolicyKit and ConsoleKit, does a VNC login
> look like a "console" login for the sake of policy?
> <hughsie> Oxf13: no
> <hughsie> if you log in, then start remote desktop, and then allow other
> users to connect then it does
> <hughsie> if you're just using vnc to create a virtual desktop for users
> then it's not on_console, so to speak
which points out that one could use x11vnc to exploit this method. As
x11vnc's page says:
"x11vnc allows one to view remotely and interact with real X displays
(i.e. a display corresponding to a physical monitor, keyboard, and
mouse) with any VNC viewer."
certainly seems to fit the bill. the bugzilla comment notes that a
remote user could install a copy of x11vnc in his home directory and use
it to gain 'local console' access, there is no need to install it
Fedora QA Community Monkey
IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org
fedora-devel-list mailing list
to post comments)