Re: Security or Convenience? Defining a better policy
[Posted May 23, 2012 by jake]
| From: | Bryen M Yunashko <suserocks-AT-bryen.com> |
| To: | opensuse-factory-AT-opensuse.org |
| Subject: | Re: Security or Convenience? Defining a better policy |
| Date: | Tue, 22 May 2012 09:00:24 -0500 |
| Message-ID: | <1337695224.2307.121.camel@linux-sl6g> |
On Tue, 2012-05-22 at 21:40 +0800, Marguerite Su wrote:
> Hi, Andreas,
>
> Personally I think we'd better separate the standard Linux server
> environment from the single-user home desktop environment. They're
> totally different....and desktop users are growing in recent years in
> our forums (openSUSE is almost the only usable distro for home use)
>
I think this is easier said than done. While we have evidence that
there are a lot of single-user desktop machines, it is less clear how
many of them still use server functionality in the background. And a
number of people *do* do this for testing purposes, or a makeshift home
server, etc.

So the challenge, if we wanted to address different usages, would be to
create security levels for 1) Servers, 2) Mixed Server/Desktop and 3)
Desktop for Single users (I guess a 4th one for multi-user desktop.)
> e.g.: I would like YaST2 to never ask me for the root password to
> install software, since it's my laptop and no one else can use it...but
> it'll surely be banned in a security expert's eyes, and I don't know
> how to adjust it for myself
>
I agree that some basic functionalities shouldn't require passwords.
Obvious are adding wifi networks or printer connections. However, I
still greatly appreciate requiring a password even on my own machine for
software installations. If anything, it becomes a gentle reminder to me
that I must exercise my abilities with caution.

Also, unpassworded-software installation, in my opinion, exposes us to
greater risks. Some malware out there can do a background installation
without your awareness, and without password protection, we've made it
much easier for those miscreants. The moment we remove this level of
protection, we increase the invitation for malware creators to target
openSUSE installations.
> (no flame war like Linus did, of course I defend and vote for
> openSUSE, but one comment in it is good for me: it's easier for
> security persons to enable it than grandma to disable it)
>
This poses another question. Did grandma install openSUSE herself or
did someone else do it for her? Both scenarios have different security
implications. (Think in terms of "a little knowledge can be a dangerous
thing.") :-)
Bryen M Yunashko
> so mixing them up may generate no balanced results and may trigger
> another flame war in our forums...
>
> I hope we may/can have a package called polkit-default-home-use or
> something to fulfill that kind of need....of course too hurried for
> 12.2, maybe later
>
> Greetings
>
> Marguerite