Google
  Web www.spinics.net

Re: Security Changes For Fedora 9

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]




On 22/12/07 18:00, "fedora-security-list-request@xxxxxxxxxx"
<fedora-security-list-request@xxxxxxxxxx> wrote:
> Message: 1
> Date: Fri, 21 Dec 2007 10:13:21 -0700
> From: Kevin Fenzi <kevin@xxxxxxxxx>
> Subject: Re: Security Changes For Fedora 9
> To: fedora-security-list@xxxxxxxxxx
> Message-ID: <20071221101321.1fd1d3aa@xxxxxxxxxxxxxxxxxxxxxxxx>
> Content-Type: text/plain; charset="us-ascii"
> 
> On Thu, 20 Dec 2007 19:29:29 -0800 (PST)
> riley.marquis@xxxxxxxxxxxxxxx wrote:
> 
>> Security Updates For Fedora 9
>> 
>> Greetings!
> 
> Greetings. 

Greetings, indeed.

>> 1: Disable root account / Use Sudo
> 
> There are tradeoffs here. I personally would like to see it continue to
> be enabled until we can figure out more of the issues around disabling
> it. 

As long as enabling root is as simple as setting a root password or some
other simple and automatable procedure I don't care.  But for large scale
remote administration you need direct root access via key-based ssh.

>> 4: GCC Lockdowns
>> With the new GCC-4.3.0 recently built for Fedora 9, we should forbid
>> ordinary users access to the programs it contains, incl. rpmbuild,
>> mock, etc.  Only members of the wheel, koji, and mock groups should
>> have access to software development tools.  Did I miss any groups
>> that should be allowed access?
> 
> I would also say this is a bad idea. We want people to use the tools on
> the machine, don't we?

We do indeed.  In general, limiting access to tools which don't affect the
system you're working on causes issues.  There are always users arguing for
root access or against centralised admin setups, often the very users who
shouldn't have any sort of access to anything.  Limiting access to stuff
simply because it can be done is one of the things that triggers them, and
the more tools this happens to the more likely it is that someone will
forget to open up what should have been open in the first place.

Bjørn
-- 
Bjørn Tore Sund       Phone: 555-84894   Email:   bjorn.sund@xxxxxxxxx
IT department         VIP:   81724       Support: http://bs.uib.no
Univ. of Bergen

When in fear and when in doubt, run in circles, scream and shout.



--
Fedora-security-list mailing list
Fedora-security-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-security-list

[Home]     [Fedora Legacy List]     [Fedora Maintainers]     [Fedora Desktop]     [Red Hat 9 Bible]     [Fedora Bible]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Coolkey]     [Fedora Tools]

Powered by Linux

Google
  Web www.spinics.net