Re: Security or Convenience? Defining a better policy

From:  Andreas Jaeger <aj-AT-suse.com>
To:  opensuse-factory-AT-opensuse.org
Subject:  Re: Security or Convenience? Defining a better policy
Date:  Wed, 23 May 2012 14:23:22 +0200
Message-ID:  <201205231423.22257.aj@suse.com>
Cc:  Hans Witvliet <suse-AT-a-domani.nl>, suserocks-AT-bryen.com

On Tuesday, May 22, 2012 21:41:07 Hans Witvliet wrote:
> On Tue, 2012-05-22 at 12:46 -0500, Bryen M Yunashko wrote:
> > On Tue, 2012-05-22 at 14:40 -0300, Claudio Freire wrote:
> > > So I'd kindly suggest that a yast module for that, and sensible
> > > defaults, would be a priority.
> > 
> > Perhaps it would be a better approach here if we came up with a
> > comprehensive list of items that need to remain security-protected
> > versus not needed.  Or does such a list exist somewhere already?
> 
> Excuse me for jumping into the middle of the thread..
> 
> But does it have to be binary: either-or-not?
> I would rather see a more granular approach...
> 
> How about defining an "admin" group.
> You should be able to add some users to that group.
> 
> And all of those "admins" should be able to manage printers, wifi-stuff,
> and updates.
> 
> Or even better: create multiple groups: each for its own group of
> applications.
> So some users might be able to fiddle with wifi, but nothing else, while
> others are only allowed to do updates
> 
> For ordinary home-users, the default user should be member of all
> those admin groups, while on office-laptops, one should be able to do
> wifi and printers, but remains properly shielded from installing
> malware.
> 
> I think one should be able to create a reasonable list of applications
> that deserve their own admin-group:
> 
> software (general)
> updates
> network (general)
> wifi
> printers
> apache
> database
> ldap
> mail

What about the following if you're the apache admin:

The yast2 apache module might need to install other packages - should this 
be allowed or not?

You could add all those roles, but I fear it makes administration more
difficult. How can we set up most use cases in an easy way? We still might
need a config file to change the defaults for the last 10% of esoteric
options, but what is the normal way?

Andreas
-- 
 Andreas Jaeger aj@{suse.com,opensuse.org} Twitter/Identica: jaegerandi
  SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany
   GF: Jeff Hawn,Jennifer Guild,Felix Imendörffer,HRB16746 (AG Nürnberg)
    GPG fingerprint = 93A3 365E CE47 B889 DF7F  FED1 389A 563C C272 A126