Marc Deslauriers (mdeslaur) wrote :

Only administrators can change the local time without authenticating. Regular non-administrative users cannot. This allows administrative users travelling with laptops to change the timezone without getting an authentication prompt.

Your attack vector assumes that an administrative user is going to leave an open session unattended. If that is the case, there are a whole slew of attacks that are possible, and don't require changing the date. For example, creating scripts in ~/bin that are higher in the path than system binaries.

If you have administrative users that are leaving sessions unlocked, you have a more serious security issue than being able to change the time.

Since your local security policy is different than what is shipped in a general purpose operating system, I suggest:

1- Requiring your administrative users to lock their workstation when they are left unattended.
2- Requiring your administrative users to use "sudo -k" to forcibly invalidate cached credentials.
3- Removing the policykit-desktop-privileges package, or overriding the policy with a local one.
4- Disabling ntp, or setting up ntp authentication.
5- Setting a firmware password on local machines.
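Added illustration of item 3 above; this is not part of the comment and not code from the policykit-desktop-privileges package. It parses a polkit local-authority .pkla file (the INI-style format used by polkit 0.105, which is what Ubuntu shipped with that package; later polkit releases use JavaScript rules instead), reports entries that grant the time-setting actions with no authentication prompt (ResultActive=yes and friends), and generates a local override that re-requires administrator authentication. The vendor policy text is constructed for the example, and the action IDs are the systemd-timedated ones (org.freedesktop.timedate1.set-time / set-timezone); whether a given release uses those or older GNOME-specific IDs is an assumption to confirm with `pkaction | grep -i time` on the machine in question.

```python
import configparser
import fnmatch

# Constructed sample of a vendor policy; NOT the real com.ubuntu.desktop.pkla.
# Action IDs are assumed to be the systemd-timedated ones (see lead-in).
SAMPLE_VENDOR_PKLA = """\
[Allow admins to set the time and date without a password]
Identity=unix-group:admin;unix-group:sudo
Action=org.freedesktop.timedate1.set-time;org.freedesktop.timedate1.set-timezone
ResultActive=yes

[Allow admins to mount internal drives]
Identity=unix-group:admin;unix-group:sudo
Action=org.freedesktop.udisks.filesystem-mount-system-internal
ResultActive=yes
"""

TIME_ACTIONS = (
    "org.freedesktop.timedate1.set-time",
    "org.freedesktop.timedate1.set-timezone",
)

# pkla Result* values that authorize without any prompt at all.
NO_AUTH = {"yes"}

# polkit consults ResultActive for an active local session, ResultInactive
# for an inactive one and ResultAny otherwise; we audit all three.
RESULT_KEYS = ("ResultAny", "ResultInactive", "ResultActive")


def parse_pkla(text):
    """Parse pkla text into a list of (section title, {key: value}) tuples."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case (Identity, ResultActive, ...)
    cp.read_string(text)
    return [(title, dict(cp[title])) for title in cp.sections()]


def entry_matches(fields, action):
    """True if the entry's ;-separated, glob-capable Action list covers action."""
    patterns = [p.strip() for p in fields.get("Action", "").split(";") if p.strip()]
    return any(fnmatch.fnmatchcase(action, pat) for pat in patterns)


def find_unauthenticated_grants(text, actions=TIME_ACTIONS):
    """Return (section, action, result_key) for every grant that needs no auth."""
    hits = []
    for title, fields in parse_pkla(text):
        for action in actions:
            if not entry_matches(fields, action):
                continue
            for key in RESULT_KEYS:
                if fields.get(key, "").strip() in NO_AUTH:
                    hits.append((title, action, key))
    return hits


def build_override(text, actions=TIME_ACTIONS, result="auth_admin"):
    """Generate a local .pkla entry that re-requires auth for the offending grants.

    Returns "" when the vendor policy already prompts for the given actions.
    auth_admin prompts every time; auth_admin_keep would cache for a few minutes.
    """
    hits = find_unauthenticated_grants(text, actions)
    if not hits:
        return ""
    offending = {title for title, _, _ in hits}
    identities = set()
    for title, fields in parse_pkla(text):
        if title in offending:
            identities.update(
                i.strip() for i in fields.get("Identity", "").split(";") if i.strip()
            )
    lines = ["[Require authentication to change the system time]",
             "Identity=" + ";".join(sorted(identities)),
             "Action=" + ";".join(actions)]
    lines += [f"{key}={result}" for key in RESULT_KEYS]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for section, action, key in find_unauthenticated_grants(SAMPLE_VENDOR_PKLA):
        print(f"no-auth grant: [{section}] {action} via {key}")
    print(build_override(SAMPLE_VENDOR_PKLA), end="")
```

Drop the generated text into a file under /etc/polkit-1/localauthority/50-local.d/ (for example 10-require-auth-for-time.pkla); that directory is processed after the vendor directory /var/lib/polkit-1/localauthority/10-vendor.d/, so its entries win without editing the packaged file. Then confirm from a member of the admin or sudo group that changing the timezone in the clock settings now prompts for a password.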