Should openSUSE review it's Security Policies?


Re: Should openSUSE review it's Security Policies?

James Knott
Marcus Meissner wrote:
>> By all means, make it an option that's even turned on by default, but
>> >  allow root to set it to what's required.
> read my email.

????

I haven't seen any other email from you on this.

--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]


Re: Should openSUSE review it's Security Policies?

Marcus Meissner
In reply to this post by John Andersen-2
On Wed, Feb 29, 2012 at 01:34:14PM -0800, John Andersen wrote:

> On 2/29/2012 1:14 PM, Marcus Meissner wrote:
> >On Wed, Feb 29, 2012 at 02:40:13PM -0500, Larry Stotler wrote:
> >>As many are aware, Linus Torvalds has started a rant about the
> >>security policies in openSUSE for things that require the root
> >>password.  From his Google+
> >>post(https://plus.google.com/102150693225130002912/posts/1vyfmNCYpi5),
> >>he names these:
> >>
> >>Time Zone changes
> >>Adding a Printer
> >>Adding a wireless network.
> >>
> >>Now, I don't usually see the wireless issue because KNetworkmanager in
> >>KDE3(which I use) has never asked the root password for adding a new
> >>network.
> >>
> >>While at 37, I've never changed timezones(I lead a boring life) I
> >>would have to agree that having to use the root password for this
> >>would be annoying if I needed to change it because of a flight or
> >>something.
> >>
> >>I've worked with Linus on a hardware issue years ago, and I think we
> >>should probably at least consider reviewing the policies if they do
> >>need changed.
> >
> >He should stop asking us to commit suicide first.
> >
> >Ciao, Marcus
>
> I think the entire point here is that the multi-user security model is not
> a good fit for a single user device like a laptop.
>
> For single user devices, permissions should really focus on preventing
> the user from destroying the system or letting it be compromised by others,
> but in other ways, allow them to do typical administrative tasks like add
> printers, wifi networks, removable storage, etc.
>
> I don't think you can dismiss Torvalds with a one-liner and come off looking
> anything but petty.

read my other mail.

Ciao, Marcus

Re: Should openSUSE review it's Security Policies?

Steven Hess-3
On Wed, Feb 29, 2012 at 1:44 PM, Marcus Meissner <[hidden email]> wrote:

>
> On Wed, Feb 29, 2012 at 01:34:14PM -0800, John Andersen wrote:
> > On 2/29/2012 1:14 PM, Marcus Meissner wrote:
> > >On Wed, Feb 29, 2012 at 02:40:13PM -0500, Larry Stotler wrote:
> > >>As many are aware, Linus Torvalds has started a rant about the
> > >>security policies in openSUSE for things that require the root
> > >>password.  From his Google+
> > >>post(https://plus.google.com/102150693225130002912/posts/1vyfmNCYpi5),
> > >>he names these:
> > >>
> > >>Time Zone changes
> > >>Adding a Printer
> > >>Adding a wireless network.
> > >>
> > >>Now, I don't usually see the wireless issue because KNetworkmanager in
> > >>KDE3(which I use) has never asked the root password for adding a new
> > >>network.
> > >>
> > >>While at 37, I've never changed timezones(I lead a boring life) I
> > >>would have to agree that having to use the root password for this
> > >>would be annoying if I needed to change it because of a flight or
> > >>something.
> > >>
> > >>I've worked with Linus on a hardware issue years ago, and I think we
> > >>should probably at least consider reviewing the policies if they do
> > >>need changed.
> > >
> > >He should stop asking us to commit suicide first.
> > >
> > >Ciao, Marcus
> >
> > I think the entire point here is that the multi-user security model is
> > not a good fit for a single user device like a laptop.
> >
> > For single user devices, permissions should really focus on preventing
> > the user from destroying the system or letting it be compromised by
> > others, but in other ways, allow them to do typical administrative tasks
> > like add printers, wifi networks, removable storage, etc.
> >
> > I don't think you can dismiss Torvalds with a one-liner and come off
> > looking anything but petty.
>
> read my other mail.
>
> Ciao, Marcus

You are going to have many opinions on the level of security different
systems need to have.
Some are going to be very firm against any changes at all.

All security should be able to be configured directly from YAST.
The man-power may not be there to implement it in a complete form though.
A user or administrator should be able to set the level of permissions
once and forget it.

Steven
--
____________
Steven L Hess ARS KC6KGE DM05gd22
Skype user flamebait Cell 661 487 0357 (Facetime)
Google Voice 661 769 6201
openSUSE  Linux 12.1

Re: Should openSUSE review it's Security Policies?

Jim Henderson-4
In reply to this post by Marcus Meissner
On Wed, 29 Feb 2012 22:14:09 +0100, Marcus Meissner wrote:

>> I've worked with Linus on a hardware issue years ago, and I think we
>> should probably at least consider reviewing the policies if they do
>> need changed.
>
> He should stop asking us to commit suicide first.

Clearly he was frustrated in his experience.  He ran into a problem,
tried to get it addressed (apparently), and got frustrated with pushback
he got (I've not read the relevant bug, so I'm inferring that from his
comment on G+).

Just because he expressed himself poorly doesn't mean he doesn't have a
valid point, Marcus.  We shouldn't ignore the point just because it was
poorly expressed.

Jim
--
 Jim Henderson
 Please keep on-topic replies on the list so everyone benefits


Re: Should openSUSE review it's Security Policies?

jdd@dodin.org
In reply to this post by James Knott
On 29/02/2012 21:25, James Knott wrote:

> and WiFi. Should they tell their boss "Sorry I can't use my computer,
> because I need a password to use a printer and WiFi"?

yes. and add give me a simple way to do the task: give me sudo printer
group access

jdd


Re: Should openSUSE review it's Security Policies?

jdd@dodin.org
In reply to this post by Robert Schweikert-6
On 29/02/2012 21:27, Roger Oberholtzer wrote:

> I think the issue is fine-grained permissions.
>
>

read man sudoer

jdd


Re: Should openSUSE review it's Security Policies?

jdd@dodin.org
In reply to this post by Jim Henderson-4
did somebody yet notice that default install is with root passwd
identical to user passwd?

sure I never let this go through, but this definitively solves the problem

jdd


Re: Should openSUSE review it's Security Policies?

Jim Henderson-4
On Thu, 01 Mar 2012 00:23:02 +0100, jdd wrote:

> did somebody yet notice that default install is with root passwd
> identical to user passwd?

Identical to the initial user password.  On multiuser systems, the user
passwords aren't all valid for root, obviously. :)

Jim
--
 Jim Henderson
 Please keep on-topic replies on the list so everyone benefits


Re: Should openSUSE review it's Security Policies?

Carlos E. R.-2
In reply to this post by jdd@dodin.org
On 2012-03-01 00:23, jdd wrote:
> did somebody yet notice that default install is with root passwd identical
> to user passwd?
>
> sure I never let this go through, but this definitively solves the problem

Nope, that's the user that did the system setup and he is also the root,
with same password or different. He will not give the root password to the
rest of users. It is those users who have problems.

And is no different in Windows, by the way.

--
Cheers / Saludos,

                Carlos E. R.
                (from 11.4 x86_64 "Celadon" at Telcontar)

Re: Should openSUSE review it's Security Policies?

Steven Hess-3
On Wed, Feb 29, 2012 at 3:37 PM, Carlos E. R.
<[hidden email]> wrote:

> On 2012-03-01 00:23, jdd wrote:
>> did somebody yet notice that default install is with root passwd identical
>> to user passwd?
>>
>> sure I never let this go through, but this definitively solves the problem
>
> Nope, that's the user that did the system setup and he is also the root,
> with same password or different. He will not give the root password to the
> rest of users. It is those users who have problems.
>
> And is no different in Windows, by the way.
>
> --
> Cheers / Saludos,
>
>                Carlos E. R.
>                (from 11.4 x86_64 "Celadon" at Telcontar)

This is easily configured the traditional way during set up.
My single user system has user and root passwords.


--
____________
Steven L Hess ARS KC6KGE DM05gd22
Skype user flamebait Cell 661 487 0357 (Facetime)
Google Voice 661 769 6201
openSUSE  Linux 12.1

Re: Should openSUSE review it's Security Policies?

James Knott
In reply to this post by Robert Schweikert-6
Robert Schweikert wrote:

>
>
> On 02/29/2012 03:13 PM, jdd wrote:
>> On 29/02/2012 20:40, Larry Stotler wrote:
>>> As many are aware, Linus Torvalds has started a rant about the
>>> security policies
>>
>> what about giving sudo rights to his daughter?
>
> That was one of the suggestions in the google+ comments.
>
>
>

I would expect he would know about that.  However, if that's buried in
network manager, then sudo might not be suitable.


Re: Should openSUSE review it's Security Policies?

Carlos E. R.-2
On 2012-03-01 03:45, James Knott wrote:
> Robert Schweikert wrote:

>>> what about giving sudo rights to his daughter?
>>
>> That was one of the suggestions in the google+ comments.
>
> I would expect he would know about that.  However, if that's buried in
> network manager, then sudo might not be suitable.

It is not simple. It requires that sudoers be configured in a certain way
(quite different than the current default as shipped) and then the network
manager (or printer config or whatever) has to be implemented in a certain way.

Sudo is an antique delegation method, not well suited for current day
graphical apps.

--
Cheers / Saludos,

                Carlos E. R.
                (from 11.4 x86_64 "Celadon" at Telcontar)

Re: Should openSUSE review it's Security Policies?

James Knott
In reply to this post by jdd@dodin.org
jdd wrote:
> did somebody yet notice that default install is with root passwd
> identical to user passwd?
>
> sure I never let this go through, but this definitively solves the problem
>
> jdd
>

How does it solve the problem if an employer doesn't want to give
employees root access, but expects them to be able to use WiFi?


Re: Should openSUSE review it's Security Policies?

James Knott
In reply to this post by Steven Hess-3
Steven Hess wrote:
> This is easily configured the traditional way during set up.
> My single user system has user and root passwords.

This is not a problem for me on my own computer, because I know both
root and user passwords.  However, in a corporate environment, you
generally don't give users root access.  As I mentioned, I was given a
computer for use on an insurance company's network.  It runs Windows 7
and I can use it with WiFi and connecting to new printers.  If I had
been given a computer running openSUSE 12.1, I would not be able to do
my work.


Re: Should openSUSE review it's Security Policies?

Carlos E. R.-2
On 2012-03-01 03:57, James Knott wrote:
> Steven Hess wrote:

> As I mentioned, I was given a computer for
> use on an insurance company's network.  It runs Windows 7 and I can use it
> with WiFi and connecting to new printers.  If I had been given a computer
> running openSUSE 12.1, I would not be able to do my work.

I can configure that Windows machine so that you can not do any of that. It
is in fact the default config.

--
Cheers / Saludos,

                Carlos E. R.
                (from 11.4 x86_64 "Celadon" at Telcontar)

Re: Should openSUSE review it's Security Policies?

John Andersen-2
In reply to this post by Carlos E. R.-2
On 2/29/2012 6:49 PM, Carlos E. R. wrote:
> It is not simple. It requires that sudoers be configured in a certain way
> (quite different than the current default as shipped) and then the network
> manager (or printer config or whatever) has to be implemented in a certain way.
>
> Sudo is an antique delegation method, not well suited for current day
> graphical apps.
>
> --
> Cheers / Saludos,

Well said.

A mess to set up too.  The current YAST configuration utility seems overly obtuse
in an attempt to be capable of doing everything.  A simpler check box list of tasks
would be easier to set up.


--
_____________________________________
---This space for rent---

Re: Should openSUSE review it's Security Policies?

James Knott
In reply to this post by Carlos E. R.-2
Carlos E. R. wrote:
> I can configure that Windows machine so that you can not do any of that. It
> is in fact the default config.

I have never needed admin password to use WiFi in Windows.  I don't
recall using one to set up a printer either.  BTW, my own ThinkPad,
which I normally run Linux on, came with Windows 7 Professional.  Even
though I run as a user, with Admin a separate account, I haven't needed
the admin password to set up a Wifi connection.

Re: Should openSUSE review it's Security Policies?

Carlos E. R.-2
In reply to this post by John Andersen-2
On 2012-03-01 04:03, John Andersen wrote:
> On 2/29/2012 6:49 PM, Carlos E. R. wrote:

> A mess to set up too.  The current YAST configuration utility seems overly obtuse
> in an attempt to be capable of doing everything.  A simpler check box list
> of tasks would be easier to set up.

But that is complex to create. What tool do we have that allows that usage?
I don't know, perhaps it is policy kit.

--
Cheers / Saludos,

                Carlos E. R.
                (from 11.4 x86_64 "Celadon" at Telcontar)

Re: Should openSUSE review it's Security Policies?

Carlos E. R.-2
In reply to this post by James Knott
On 2012-03-01 04:11, James Knott wrote:
> Carlos E. R. wrote:
>> I can configure that Windows machine so that you can not do any of that. It
>> is in fact the default config.
>
> I have never needed admin password to use WiFi in Windows.

Because you are already the administrator. In my windows machine I can't
setup the wifi network or printer.

--
Cheers / Saludos,

                Carlos E. R.
                (from 11.4 x86_64 "Celadon" at Telcontar)

Re: Should openSUSE review it's Security Policies?

John Andersen-2
In reply to this post by Carlos E. R.-2
On 02/29/2012 07:12 PM, Carlos E. R. wrote:

> On 2012-03-01 04:03, John Andersen wrote:
>> On 2/29/2012 6:49 PM, Carlos E. R. wrote:
>
>> A mess to set up too.  The current YAST configuration utility
>> seems overly obtuse in an attempt to be capable of doing
>> everything.  A simpler check box list of tasks would be easier to
>> set up.
>
> But that is complex to create. What tool do we have that allows
> that usage? I don't know, perhaps it is policy kit.
>

Well, there are a few things that a user would commonly need to do.
Some of these are already mentioned on this thread,
printers
wifi
apply security updates
certain connections to Windows networks
maybe some mounting issues for odd things, phones, etc
Run full Yast...
maybe 4 or 5 things I haven't thought of...

So you have a few things like this on a Yast page Named
Common SUDO tasks, and you select the user, then check the items
that user should get to use.

Typically you'd give a young kid the ability only
to hook up to wifi,
Maybe add a printer

Then as they get older you allow them to
apply updates
Maybe run yast.

So instead of being something so open ended as the current Yast SUDO
setup, it would be much simpler.  You could add tasks to the list using
/etc/sysconfig if needed.

The use case I see for this is more likely aimed at the corporate
laptop, where you don't really want to bug the IT department every
time there is a security patch to apply.



--
Explain again the part about rm -rf /
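
The per-user task checklist proposed in the message above, sketched as an added example (it is not part of the original thread and is not YaST code): a fixed catalogue of tasks is rendered into a sudoers drop-in, user names and commands are validated so that nothing can alter the sudoers syntax, and the "run full YaST" item needs an explicit opt-in because it amounts to full administrative access. The task names, alias names and command paths are assumptions for illustration.

```python
import re

USER_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")
ALIAS_RE = re.compile(r"[A-Z][A-Z0-9_]*")
CMD_RE = re.compile(r"/[A-Za-z0-9_./-]+( [A-Za-z0-9_.-]+)*")  # absolute path, plain args

# Checkbox label -> (sudoers alias, commands, grants full admin control).
# Command paths are assumptions for illustration; verify them on the target system.
TASKS = {
    "printers": ("TASK_PRINTERS", ["/usr/sbin/lpadmin"], False),
    "wifi": ("TASK_WIFI", ["/usr/bin/nmcli"], False),
    "updates": ("TASK_UPDATES", ["/usr/bin/zypper patch"], False),
    "yast": ("TASK_YAST", ["/sbin/yast2"], True),
}


def register_task(name, alias, commands, full_admin=False):
    """Add a site-specific task; reject anything that could alter sudoers syntax."""
    if not ALIAS_RE.fullmatch(alias):
        raise ValueError(f"bad alias: {alias!r}")
    for cmd in commands:
        if not CMD_RE.fullmatch(cmd):  # no wildcards, commas, '=', ':' or '\'
            raise ValueError(f"bad command: {cmd!r}")
    TASKS[name] = (alias, list(commands), full_admin)


def render_sudoers(grants, allow_full_admin=False):
    """Turn {username: [task, ...]} into the text of a sudoers drop-in file."""
    used, rules = {}, []
    for user in sorted(grants):
        if not USER_RE.fullmatch(user):  # fullmatch: a trailing newline must not pass
            raise ValueError(f"bad user name: {user!r}")
        aliases = []
        for task in grants[user]:
            if task not in TASKS:
                raise ValueError(f"unknown task: {task!r}")
            alias, commands, full_admin = TASKS[task]
            if full_admin and not allow_full_admin:
                raise PermissionError(f"{task!r} is full admin access for {user}")
            used[alias] = commands
            if alias not in aliases:
                aliases.append(alias)
        if aliases:
            rules.append(f"{user} ALL = (root) {', '.join(aliases)}")
    header = [f"Cmnd_Alias {a} = {', '.join(c)}" for a, c in sorted(used.items())]
    return "\n".join(header + rules) + "\n"


if __name__ == "__main__":
    # Constructed sample: a child gets wifi and printers, a colleague also gets updates.
    print(render_sudoers({"kid": ["wifi", "printers"],
                          "colleague": ["wifi", "printers", "updates"]}), end="")
```

Check the generated text with `visudo -cf <file>` before installing it.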