[Bug 385159] New: some changes to yast2-security module
https://bugzilla.novell.com/show_bug.cgi?id=385159

Summary: some changes to yast2-security module
Product: openSUSE 11.0
Version: Beta 1
Platform: Other
OS/Version: Other
Status: NEW
Severity: Enhancement
Priority: P5 - None
Component: YaST2
AssignedTo: jsuchome@novell.com
ReportedBy: lnussel@novell.com
QAContact: jsrain@novell.com
Found By: ---

I'd like to suggest to change some defaults in the yast2-security module:

- don't put current working directory in $PATH by default. It's ok to offer this but we shouldn't set it
- enable sysrq for "Home Workstation" or at least use "176" which is the package default
- use cracklib and obscure checks for password checking also for "Home Workstation" as ssh is still on by default
- run updatedb as nobody by default always

There are some settings that should not be modified at all such as password encryption or uid/gid ranges. Those have nothing to do with a more relaxed or more paranoid security policy.

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=385159
User jsuchome@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=385159#c1
Jiří Suchomel
> I'd like to suggest to change some defaults in the yast2-security module:
> - don't put current working directory in $PATH by default. It's ok to offer this but we shouldn't set it

You mean, set CWD_IN_ROOT_PATH, CWD_IN_USER_PATH to "no" also for "Home Workstation", right?

> - enable sysrq for "Home Workstation" or at least use "176" which is the package default

OK.

> - use cracklib and obscure checks for password checking also for "Home Workstation" as ssh is still on by default

Currently, obscure checks are off for all predefined settings. But I could do the change, of course.

> - run updatedb as nobody by default always

OK.

> There are some settings that should not be modified at all such as password encryption or uid/gid ranges. Those have nothing to do with a more relaxed or more paranoid security policy.

But we want to offer some way to modify them, so why should we drop it?
https://bugzilla.novell.com/show_bug.cgi?id=385159
User lnussel@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=385159#c2
Ludwig Nussel
> You mean, set CWD_IN_ROOT_PATH, CWD_IN_USER_PATH to "no" also for "Home Workstation", right?

Yes.

> > There are some settings that should not be modified at all such as password encryption or uid/gid ranges. Those have nothing to do with a more relaxed or more paranoid security policy.
>
> But we want to offer some way to modify them, so why should we drop it?

Fine to offer them (although the users module would be a better place). Switching the security setting shouldn't change them though. It doesn't make sense to change the password setting on a machine that was installed with md5 method to blowfish just because one wants to switch to "home workstation". Same applies to uid/gid ranges.
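
An audit sketch for two of the defaults discussed in this thread, added here as an example and not part of the bug report or of yast2-security. The function names `path_has_cwd` and `sysrq_decode` are hypothetical, the sample values are constructed, and the bit meanings are those of the Linux kernel's `kernel.sysrq` bitmask.

```shell
#!/bin/sh
# Added example: helpers to audit a search path and a sysrq value.

# path_has_cwd PATHSTRING
# Returns 0 if the search path resolves commands relative to the current
# directory: an empty entry (leading, trailing or doubled colon), an
# explicit ".", or any other entry that does not start with "/".
path_has_cwd() {
    case "$1" in
        :*|*:|*::*) return 0 ;;   # empty entry means "current directory"
    esac
    case ":$1" in
        *:[!/:]*) return 0 ;;     # ".", "./bin", "bin": all relative to cwd
    esac
    return 1
}

# sysrq_decode VALUE
# Prints the function groups a kernel.sysrq bitmask enables.
sysrq_decode() {
    v=$1
    case "$v" in
        ''|*[!0-9]*) echo "invalid"; return 2 ;;
    esac
    if [ "$v" -eq 0 ]; then echo "disabled"; return 0; fi
    if [ "$v" -eq 1 ]; then echo "all"; return 0; fi
    out=
    for pair in 2:loglevel 4:keyboard 8:debug-dumps 16:sync \
                32:remount-ro 64:signal-procs 128:reboot-poweroff 256:rt-nice
    do
        bit=${pair%%:*}
        name=${pair#*:}
        if [ $(( v & bit )) -ne 0 ]; then
            out="$out${out:+ }$name"
        fi
    done
    echo "$out"
}

# Constructed sample values, not read from a live system.
sample_path="/usr/local/bin:/usr/bin:/bin:."
if path_has_cwd "$sample_path"; then
    echo "PATH includes the current directory: $sample_path"
fi
echo "sysrq 176 enables: $(sysrq_decode 176)"
```

On a live system the same functions can be fed `"$PATH"` and the contents of `/proc/sys/kernel/sysrq`.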
https://bugzilla.novell.com/show_bug.cgi?id=385159
User jsuchome@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=385159#c3
Jiří Suchomel
https://bugzilla.novell.com/show_bug.cgi?id=385159
User jsuchome@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=385159#c4
Jiří Suchomel