On Mon, 2016-05-30 at 12:05 +0200, Lennart Poettering wrote:
> The changed default here is really about defining the lifecycle of
> unprivileged code by privileged code, and thus about security.
Security against what? Who is the attacker? What is the threat model?
Bandying about the word "security" to justify a change that clearly
angers a lot of people does not make for a strong argument. It is also
not the case that Fedora puts security above usability or expected
behavior in all cases. The default SELinux policy does not deny
execmem/execstack/etc., even though there is a clear security story for
doing so, because it would break various things (web browsers, some
programming language runtimes, etc.) in ways that aggravate users.
> An unprivileged user should not be able to run code at any time it wishes
> unless the admin allowed this,
Are we planning to disable cron? Is reconnecting to screen or tmux
sessions suddenly out? VNC? There are literally hundreds of use-cases
this kind of policy would break.
-- Ben