cvs commit: ports/sysutils/hal Makefile ports/sysutils/hal/files patch-hal.conf.in
Joe Marcus Clarke
marcus at marcuscom.com
Thu Nov 16 23:18:35 UTC 2006
Jean-Yves Lefort wrote:
> On Thu, 16 Nov 2006 17:25:09 -0500
> Kris Kennaway <kris at obsecurity.org> wrote:
>
>> On Thu, Nov 16, 2006 at 10:57:09PM +0100, Jean-Yves Lefort wrote:
>>> On Thu, 16 Nov 2006 16:15:50 -0500
>>> Kris Kennaway <kris at obsecurity.org> wrote:
>>>
>>>> On Thu, Nov 16, 2006 at 07:49:13PM +0000, Jean-Yves Lefort wrote:
>>>>> jylefort 2006-11-16 19:49:13 UTC
>>>>>
>>>>> FreeBSD ports repository
>>>>>
>>>>> Modified files:
>>>>> sysutils/hal Makefile
>>>>> Added files:
>>>>> sysutils/hal/files patch-hal.conf.in
>>>>> Log:
>>>>> Give wheel group members the same rights as operator group members.
>>>> This violates the definition of the wheel group, FYI (even though it
>>>> might seem expedient), so it can be viewed as a weakening of the
>>>> security model. Prior to this commit, the only right that the wheel
>>>> group had was the ability to attempt to su to root, if the user knows
>>>> the password.
>>> The commit message should have been:
>>>
>>> Give wheel group members the same HAL rights (mount a volume, etc) as
>>> operator group members.
>> Yes, I understood. My point was that this was precisely the role of
>> the operator group, so you've combined two entities which previously
>> had distinct security behaviours.
>
> Makes sense. However since the decision was discussed collectively
> I'll wait for other opinions before reverting.

I see Kris' point. While this isn't a privilege escalation per se, we
are violating the separation of privilege, and it would probably be a
good idea to back this out.

Joe
--
PGP Key : http://www.marcuscom.com/pgp.asc