Weekly Edition
Return to the Security page
| |||||||||||||
Exploring options for the openSUSE security policyPartly in response to Linus Torvalds's (in)famous Google+ rant about desktop security—openSUSE in particular—Andreas Jaeger and others have started gathering use cases for the administration of Linux systems. The target is to try to find a balance between security and convenience for openSUSE users. Part of the difficulty is that Linux distributions are installed on a variety of systems with very different security needs, which makes it difficult to choose any particular default security scheme. A single-user desktop or laptop has very different security needs from those of a shared desktop or server. Torvalds's complaint was specifically about the root password being needed to add a printer to his daughter's laptop, but he was also unhappy with needing privileges to change the time zone and wireless network. For a system where the only user is also the administrator—at least a semi-privileged administrator—it makes sense to allow those kinds of changes without the root password. But on other systems, like shared machines or servers, it almost certainly doesn't make sense for random users to have those powers. That's where the balancing act comes in. If a distribution is meant to be installed for several different scenarios, there is no One True Way to set the privileges of users. Even for single-user systems there are differences. Torvalds undoubtedly administers his own laptop differently than he wants his daughter's handled. For the former, he may want to allow package installation using his own password, the root password, or possibly no password at all (though one would guess that's not likely). But, for his daughter's system he wants to hold the root password himself, while allowing a limited number of privileged operations to be done by her. While Torvalds is a high-profile user, his complaints are likely similar to those of others. In order to help determine what the right security configuration is for openSUSE, Jaeger, Marcus Meissner, and Ludwig Nussel put together a list of use cases that describe tasks that users want to do along with a short security evaluation of each. Things like setting the system time, accessing the network, changing firewall settings, adding printers, package installation, and so on, are listed. Jaeger also posted a "call for action" to the opensuse-factory mailing list, asking for feedback and new use case suggestions. Much of the resulting conversation centered around the "roles and profiles" that were also described on the web page. There is a tension between convenience for single-user machines and those with more complicated situations, thus higher security needs. But, even among those who would like to see less privilege required for some operations on single-user machines, there are differences of opinion on which operations—and what privilege to require. For example, Marguerite Su wants to be able to install software without the root password on a laptop, but others including Bryen M Yunashko are not so sure that's what they want. There are also different classes of package installation to consider. Installing an update to a package from a "known good" repository is very different from installing a new package, downgrading a package to an earlier version, or adding a repository. The credentials required for each might be different depending on the scenario. That part of the thread highlights part of the difficulty in finding the right default settings. The distribution will need to have some way to specify which of the profiles (e.g. single-user, administered single-user, multi-user, server, etc.) should govern, say at installation time, but will also need some way for the overall profile to change, while also allowing individual users to tweak the settings based on their needs. It is a more complex problem than it might seem at first. Suggestions in the thread range from Carlos E. R.'s installation-time dialogs to determine the right profile to Su's idea of PolKit packages for different profiles and use cases to Hans Witvliet's more granular approach with multiple types of administrative roles that could be assigned to a user. Any or all of those could make up some part of a solution, but in a response to Witvliet, Jaeger focused on the question of defaults:
You could add all those roles but I fear it makes administration more
difficult. How can we setup in an easy way the most use cases? We still might
need for the last 10% esoteric options a config file to change the defaults
but what is the normal way?
Finding workable defaults that will cover the majority of cases is clearly needed. Finding a set that will avoid rants like Torvalds's, while still giving a reasonable level of security to openSUSE users, is paramount. But there also needs to be a way for those with different needs to adjust the policies appropriately. Pulling all of that together in a way that is easy to understand, use, and tweak, will be an even harder problem. But it's a problem that needs solving and not just for openSUSE; there are opportunities for cross-distribution collaboration here as well. (Log in to post comments)
Exploring options for the openSUSE security policy Posted May 24, 2012 8:18 UTC (Thu) by michaeljt (subscriber, #39183) [Link]
Don't Windows and OS X already solve this by having the concept of privileged and unprivileged users when a user is added? I wouldn't think it would hurt usability so badly to have a drop down box with a few different (the most common) types of privilege category when a user is added. And the mechanisms to handle this nicely are already there.
Exploring options for the openSUSE security policy Posted May 24, 2012 8:35 UTC (Thu) by niner (subscriber, #26151) [Link]
This whole security policy/administrative priviledges thing is a point where Windows and OS X are everything but good examples. I'm not talking about vulnerabilities (perceived or real), but usability. OS X is built around the one desktop user case allowing this user pretty much everything. Windows nags the user with popups which noone understands what they mean or why they come and where everyone just hits OK anyway (of course slightly exagerated). They have not found a good solution either.
Exploring options for the openSUSE security policy Posted May 24, 2012 8:54 UTC (Thu) by AndreE (subscriber, #60148) [Link]
The Windows information display might be useless, but the policy framework isn't. It's granular and allows you to do exactly what we would want here.
Exploring options for the openSUSE security policy Posted May 25, 2012 13:53 UTC (Fri) by vonbrand (subscriber, #4458) [Link] Peter Gutman's phising guidelines say exactly the same as the grandparent: Users have been conditioned to just check "Don't ask again" and click OK on popups, without looking twice (let alone reading). Plus almost all Windows machines I've seen have the lone user as administrator, and no password. Sure, Windows provides the mechanism to manage the machine securely, but it is so much hassle almost nobody does it. Same for Linux as it stands today, you can cobble up something using group permissions and sudo(1), but it requieres an expert to set up for your exact use case, and not even Linus bothers.
Exploring options for the openSUSE security policy Posted May 28, 2012 15:54 UTC (Mon) by hummassa (subscriber, #307) [Link]
> not even Linux bothers.
Probably because, in the case of the PERSONAL {desk,lap,palm}top computer, it makes no sense at all. What I see lacking still (for any platform) is a nice policy (and a nice, simple, proven, etc... policy editor) for corporate *top computers.
Exploring options for the openSUSE security policy Posted May 28, 2012 15:58 UTC (Mon) by hummassa (subscriber, #307) [Link]
s/Linux/Linus/
Exploring options for the openSUSE security policy Posted May 24, 2012 12:48 UTC (Thu) by pjones (subscriber, #31722) [Link]
He should try Fedora 17; we've just spent a *lot* of time making sure that it should boot and install well on modern Macs.
Exploring options for the openSUSE security policy Posted May 24, 2012 13:37 UTC (Thu) by aj (subscriber, #39001) [Link]
What has booting and installation to do with security options?
Exploring options for the openSUSE security policy Posted May 24, 2012 13:39 UTC (Thu) by pjones (subscriber, #31722) [Link]
> What has booting and installation to do with security options?
From his initial rant:
".. and now I need to find a new distro that actually works on the Macbook Air."
Exploring options for the openSUSE security policy Posted May 24, 2012 14:01 UTC (Thu) by jschrod (subscriber, #1646) [Link]
But from his rant it was clear that "actually works" was not meant as "boots and installs easily". Linus' term "works" had more to do with usability vs. security considerations and how they are selected.
So, if Fedora folks would share their decisions -- and the rationale behind it -- which use cases can be done without root and which need root in their DE, that would really contribute to the discussion. Telling that Fedora can be installed on a Macbook Air does not contribute.
E.g., how does Fedora handle the problem that in GNOME 3 setting the time and setting the timezone is combined into one dialog?
Exploring options for the openSUSE security policy Posted May 24, 2012 16:28 UTC (Thu) by ortalo (subscriber, #4654) [Link]
These difficulties were certainly predictable. Something pretty annoying for anyone working in security (yours included btw) is the fact that, ideally, security mechanisms should be *extremely* adaptable both to users needs and to the computer environment.
Such an high need of adaptability never stopped to strike me for more than a decadeof work in the field; and now makes me more and more wonder if it would not be wiser to design an adaptable system from the beginning than to try to define a complete security policy. (Note that I have also evolved with time from desiring strong and robust security properties to hoping for acceptable minimisation of risk at the right place and intrusion tolerance in salvageable areas.) However, this viewpoint evolution is only apparently negative as it also involved a lot of fruitful listening to real end users of "secure" systems.
As a practical example, Linus apparently does not want to enter a password every time to install a printer. But maybe he would *like* to enter a password once in order to deactivate printer install protection.
Defining the "right"(tm) security policy not only involves a lot of technical or organizational know-how, but it also implies that there exist a very powerful authority somewhere that can legitimately impose fixed rules on an entire computer system for its whole lifetime.
Well maybe I should put more work on a real design and try to write a specification in order to check (at least for myself) if it's realistic. But I hope you get the idea, and thanks for reading up to here. :-)
Rodolphe
[1] Such an authority may exist, but in civilian systems maybe only at the core of something like a (criminal) judicial system. Amusing, but not something common. ("Computer, this is policed, I have a warrant; decipher all your disk. You are allowed to start lawyerd concurrently.")
[2] "I accept p2pd connections because X explicitly told me to do it like this on 2012-01-13 11:13 and entered the admin password 3 times to force me to do it. That admin password had been selected at install time 2 years ago and only used 1 time since then, so it thought it would be enough as a proof that it was the legitimate owner."
Exploring options for the openSUSE security policy Posted May 24, 2012 20:56 UTC (Thu) by ras (subscriber, #33059) [Link]
You are making the situation far more complex than it needs to be. The issue is not whether the user should need the root password to make a system wide change. The answer to that is probably "yes".
The real issue is a user changing their time zone should require a system wide change. It only effects them. There are no security implications. Ergo no root password should be required. Ditto for adding a printer for the users exclusive use. Ditto for adding packages only visible to them.
The fact that these operations and others are currently implemented by making system wide changes (and thus require a root password) is the bug, not demanding the password.
Exploring options for the openSUSE security policy Posted May 25, 2012 7:47 UTC (Fri) by aj (subscriber, #39001) [Link]
Changing the timezone happens right now via changing /etc/localtime - and thus is a global option.
For a user changing his own timezone would mean changing the TZ environment variable and restarting programs...
Exploring options for the openSUSE security policy Posted May 25, 2012 7:48 UTC (Fri) by aj (subscriber, #39001) [Link]
I reread your comment - yes, a clever way to make a timezone change that only affects a single user would be nice. It's indeed just not there.
Exploring options for the openSUSE security policy Posted May 25, 2012 9:42 UTC (Fri) by dgm (subscriber, #49227) [Link]
Exploring options for the openSUSE security policy Posted May 25, 2012 20:24 UTC (Fri) by ortalo (subscriber, #4654) [Link]
Thanks for solving the timezone issue (imho).
Whatabout the wider issues then?
Exploring options for the openSUSE security policy Posted May 25, 2012 12:42 UTC (Fri) by dps (subscriber, #5725) [Link]
It is actually possible to install almost anything without root access, including fonts. If it want to use apt-get, rpm or similar technology then you can't do that (at least not most of the time).
You don't need root access even if you are installing programs like wireshark, scsi_id, etc. You might need root privileges to actually *use* some of these programs because they use features which are too dangerous to be given to ordinary mortals.
Exploring options for the openSUSE security policy Posted May 25, 2012 15:17 UTC (Fri) by nybble41 (subscriber, #55106) [Link]
> You don't need root access even if you are installing programs like wireshark, scsi_id, etc. You might need root privileges to actually *use* some of these programs because they use features which are too dangerous to be given to ordinary mortals.
It's still a really good idea to install them as root, however, since the alternative is running programs as root which are writable a non-root user, which is a major security hole. Even if that non-root user is just you, it opens up the possibility of a local privilege escalation by malware running in your unprivileged account.
Exploring options for the openSUSE security policy Posted May 30, 2012 14:34 UTC (Wed) by job (guest, #670) [Link]
For a truly personal computer however, there is no such thing as privilege escalation. All the stuff I care about are accessible from my account. There is nothing useful to an attacker outside my account.
The security model for this use case is clearly very different from a server with several daemons running, or even remotely logged in users.
|
|||||||||||||