cvs commit: ports/sysutils/hal Makefile ports/sysutils/hal/files patch-hal.conf.in

Joe Marcus Clarke marcus at marcuscom.com
Thu Nov 16 23:18:35 UTC 2006


Jean-Yves Lefort wrote:
> On Thu, 16 Nov 2006 17:25:09 -0500
> Kris Kennaway <kris at obsecurity.org> wrote:
> 
>> On Thu, Nov 16, 2006 at 10:57:09PM +0100, Jean-Yves Lefort wrote:
>>> On Thu, 16 Nov 2006 16:15:50 -0500
>>> Kris Kennaway <kris at obsecurity.org> wrote:
>>>
>>>> On Thu, Nov 16, 2006 at 07:49:13PM +0000, Jean-Yves Lefort wrote:
>>>>> jylefort    2006-11-16 19:49:13 UTC
>>>>>
>>>>>   FreeBSD ports repository
>>>>>
>>>>>   Modified files:
>>>>>     sysutils/hal         Makefile
>>>>>   Added files:
>>>>>     sysutils/hal/files   patch-hal.conf.in
>>>>>   Log:
>>>>>   Give wheel group members the same rights as operator group members.
>>>> This violates the definition of the wheel group, FYI (even though it
>>>> might seem expedient), so it can be viewed as a weakening of the
>>>> security model.  Prior to this commit, the only right that the wheel
>>>> group had was the ability to attempt to su to root, if the user knows
>>>> the password.
>>> The commit message should have been:
>>>
>>> Give wheel group members the same HAL rights (mount a volume, etc) as
>>> operator group members.
>> Yes, I understood.  My point was that this was precisely the role of
>> the operator group, so you've combined two entities which previously
>> had distinct security behaviours.
> 
> Makes sense. However since the decision was discussed collectively
> I'll wait for other opinions before reverting.

I see Kris' point.  While this isn't a privilege escalation per se, we
are violating the separation of privilege, and it would probably be a
good idea to back this out.

Joe

--
PGP Key : http://www.marcuscom.com/pgp.asc