Kam Leo wrote:
> It's the person in front of the keyboard/clicking mouse that makes the
> difference. Throwing in a requirement to log in as a user just delays
> the inevitable.
The difference is malicious software running under your user account. I
can't really judge how serious a threat it is, also compared to other
threats such as malicious RPM scriptlets (which run as root), but it
definitely exists, and that's what the password prompts are supposed to
protect against.
Another thing to keep in mind is that when you authenticate as root to
PolicyKit, you do not start running stuff as root directly, you get
permissions for only some specific actions. If the permissions are
remembered, this means an entry in a sort of database which remembers that
you are allowed to do that specific action (e.g. update your system), in no
event does PolicyKit remember the root password in your user account or
remember something like "user X is allowed to do everything root can do".
Kevin Kofler
--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
