User: Password:
Subscribe / Log in / New account

Re: Draft privilege escalation policy for comments

From:  Kevin Kofler <>
Subject:  Re: Draft privilege escalation policy for comments
Date:  Sun, 31 Jan 2010 08:55:53 +0100
Archive-link:  Article, Thread

Adam Williamson wrote:
> I think it's sensible, yeah. It's not really much bureaucracy; I don't
> think it would ever be a good idea to introduce a new privilege
> escalation mechanism without FESco knowing about it...

Right now we're in a phase where a lot of stuff (system-config-*, several 
parts of KDE and some other stuff) is getting ported from running the whole 
app under consolehelper or kdesu to PolicyKit mechanisms. This is generally 
seen as a *good* thing. It'd be really annoying to have to go through a 
FESCo vote for every single one of those.

At the very least, I'd suggest adding the following clause to that 
"Any mechanism which requires administrative authentication to perform the 
privileged action (e.g. auth_admin policy in PolicyKit, kdesu etc.) is NOT a 
privilege escalation mechanism for the purposes of this paragraph."

Rationale: Such a policy does not impact the system's security as you have 
to enter the root password before doing anything dangerous, so none of the 
invariants under "Requirements" can be violated. And additionally, you can 
always as a user run the whole app under e.g. kdesu and thus "escalate your 
privileges" using the root password, so it doesn't make sense to police apps 
providing such a mechanism. What really matters for security is what you can 
do WITHOUT the root password. This is not really clear from the policy as 
written now, adding the suggested sentence would clarify it.

(That said, I don't see even the clarified policy as being necessary. We 
have a set of guidelines, maintainers should follow them, why do we have to 
police them? As I explained before, there is no evidence that this is 
necessary or useful. The PackageKit issue was caused by lack of a policy, 
not lack of enforcement.)

        Kevin Kofler

devel mailing list

(Log in to post comments)

Copyright © 2010, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds