Dailydave mailing list archives

Re: Fedora 12 Fail


From: Kees Cook <kees () ubuntu com>
Date: Thu, 19 Nov 2009 12:20:58 -0800

On Wed, Nov 18, 2009 at 09:32:28PM -0500, Dave Aitel wrote:
> To sum it up, Fedora 12 is defaulting to "Any user can install any
> package from the repo and then exploit it to get root". So like, if

I've seen variations on this sentence get repeated in a few places and I
think it's valuable to point out it should read as "Any _local_ user..."
(where "local" is defined by console-kit[1] -- see "ck-list-sessions"
command).  This makes it a smaller scope of problem, but it should not
discourage anyone from reading the bug report anyway:
https://bugzilla.redhat.com/show_bug.cgi?id=534047

-Kees

[1] http://www.freedesktop.org/software/ConsoleKit/doc/ConsoleKit.html#Session:is-local

-- 
Kees Cook
Ubuntu Security Team
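
Added example, not part of the original message: a small parser that reads `ck-list-sessions` style output and reports which UIDs hold a session ConsoleKit marks `is-local = TRUE`, which is the scoping the message points to. The sample output, UIDs and host name are constructed, and the helper names `parse_sessions` and `local_uids` are hypothetical.

```python
import re

# Constructed sample in the "key = value" layout printed by ck-list-sessions;
# the UIDs and the remote host name are made up for illustration.
SAMPLE = """\
Session1:
\tunix-user = '500'
\tactive = TRUE
\tx11-display = ':0'
\tremote-host-name = ''
\tis-local = TRUE
Session2:
\tunix-user = '501'
\tactive = TRUE
\tx11-display = ''
\tremote-host-name = 'host.example.org'
\tis-local = FALSE
"""

HEADER = re.compile(r"^(\S+):\s*$")                   # "Session1:"
PROP = re.compile(r"^\s+([\w-]+)\s*=\s*(.*?)\s*$")    # "\tis-local = TRUE"

def parse_sessions(text):
    """Return {session_id: {property: value}} from ck-list-sessions output."""
    sessions, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = sessions.setdefault(m.group(1), {})
            continue
        m = PROP.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2).strip("'")
    return sessions

def local_uids(text):
    """UIDs with at least one session that ConsoleKit marks is-local = TRUE.
    A session with no is-local line is treated as not local."""
    return sorted({s["unix-user"] for s in parse_sessions(text).values()
                   if s.get("is-local") == "TRUE" and "unix-user" in s})

if __name__ == "__main__":
    for sid, props in parse_sessions(SAMPLE).items():
        print(sid, props.get("unix-user"), "is-local =", props.get("is-local", "missing"))
    print("local uids:", local_uids(SAMPLE))
```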