Partly in response to Linus Torvalds's (in)famous Google+
rant about desktop security—openSUSE in particular—Andreas
Jaeger and others have started gathering use cases for the administration
of Linux systems. The target is to try to find a balance between security
and convenience for openSUSE users. Part of the difficulty is that Linux
distributions are installed on a variety of systems with very different
security needs, which makes it difficult to choose any particular default
A single-user desktop or laptop has very different security needs from
those of a shared desktop or server. Torvalds's complaint was specifically
about the root password being needed to add a printer to his daughter's
laptop, but he was also unhappy with needing privileges to change the
time zone and wireless network. For a system where the only user is also
the administrator—at least a semi-privileged administrator—it
makes sense to allow those kinds of changes without the root password. But
on other systems, like shared machines or servers, it almost certainly
doesn't make sense for random users to have those powers.
That's where the balancing act comes in. If a distribution is meant to be
installed for several different scenarios, there is no One True Way to set the
privileges of users. Even for single-user systems there are differences.
Torvalds undoubtedly administers his own laptop differently than he wants
his daughter's handled. For the former, he may want to allow package
installation using his own password, the root password, or possibly no
password at all (though one would guess that's not likely). But, for his
daughter's system he wants to hold the root password himself, while
allowing a limited number of privileged operations to be done by her.
While Torvalds is a high-profile user, his complaints are likely similar to
In order to help determine what the right security configuration is for
openSUSE, Jaeger, Marcus Meissner, and Ludwig Nussel put together a list of use
cases that describe tasks that users want to do along with a short
security evaluation of each. Things like setting the system time, accessing the
network, changing firewall settings, adding printers, package installation,
and so on, are listed.
Jaeger also posted a "call
for action" to the opensuse-factory mailing list, asking for feedback and
new use case suggestions.
Much of the resulting conversation centered around the "roles and
profiles" that were also described on the web page. There is a tension
between convenience for single-user machines and those with more
complicated situations, thus higher security needs. But, even among those
who would like to see less
privilege required for some operations on single-user machines, there are
differences of opinion on which operations—and what privilege to
require. For example, Marguerite Su wants
to be able to install software without the root password on a laptop, but
others including Bryen M Yunashko are not
so sure that's what they want.
There are also different classes of package installation to consider.
Installing an update to a package from a "known good" repository is very
different from installing a new package, downgrading a package to an
earlier version, or adding a repository. The credentials required for each
might be different depending on the scenario.
That part of the thread highlights part of the difficulty in finding the
right default settings. The distribution will need to have some way to
specify which of the profiles (e.g. single-user, administered single-user,
multi-user, server, etc.) should govern, say at installation time, but
will also need some way for the overall profile to change, while also
allowing individual users to tweak the settings based on their needs. It
is a more complex problem than it might seem at first.
Suggestions in the thread range from Carlos E. R.'s installation-time dialogs to determine the
right profile to Su's idea of PolKit packages for different profiles and
use cases to Hans Witvliet's more granular
approach with multiple types of administrative roles that could be
assigned to a user. Any or all of those could make up some part of a
solution, but in a response to Witvliet, Jaeger focused on the question of defaults:
You could add all those roles but I fear it makes administration more
difficult. How can we setup in an easy way the most use cases? We still might
need for the last 10% esoteric options a config file to change the defaults
but what is the normal way?
Finding workable defaults that will cover the majority of cases is clearly
needed. Finding a set that will avoid rants like Torvalds's, while still
giving a reasonable level of security to openSUSE users, is paramount. But
there also needs to be a way for those with different needs to adjust the
policies appropriately. Pulling all of that together in a way that is easy
to understand, use, and tweak, will be an even harder problem. But it's a
problem that needs solving and not just for openSUSE;
there are opportunities
for cross-distribution collaboration here as well.
to post comments)