[opensuse] yast access restrictions
Hi

In windows I can create a GPO which restricts access to an OU e.g. specific areas of the control panel. Do we have anything like this in openSUSE?

Specifically, I'd like an OU to have access only to Yast>Hardware>NFS Client. Is that possible?

L x
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
On 2012-07-22 12:58, lynn wrote:
> Hi
> In windows I can create a GPO which restricts access to an OU e.g. specific areas of the control panel. Do we have anything like this in openSUSE?
Hah! None like that. We have file permissions and acls. You can find out the modules you want to restrict, give access to a certain group, and perhaps suid it.

--
Cheers / Saludos,
Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar)
On 22/07/12 13:53, Carlos E. R. wrote:
> On 2012-07-22 12:58, lynn wrote:
>> Hi
>> In windows I can create a GPO which restricts access to an OU e.g. specific areas of the control panel. Do we have anything like this in openSUSE?
> Hah! None like that. We have file permissions and acls. You can find out the modules you want to restrict, give access to a certain group, and perhaps suid it.
I was thinking of creating an OU that had restricted access. I can see in Ubuntu they have no real option. But we have Yast so probably have a way of delegating responsibility away from the admin.

User x has access only to NFS server
User y has access only to /etc/sysconfig

In m$ I can do it in a few clicks. Any fedora 389 experts here? Can it do that?

Cheers,
Steve
On 2012-07-22 17:56, lynn wrote:
> On 22/07/12 13:53, Carlos E. R. wrote:
>> On 2012-07-22 12:58, lynn wrote:
> I was thinking of creating an OU that had restricted access. I can see in Ubuntu they have no real option. But we have Yast so probably have a way of delegating responsibility away from the admin.
No way :-) No, sorry, no such thing in Linux world, at least that I have met to this day. Maybe the SLES people have something, dunno.
> User y has access only to /etc/sysconfig
You can give access to a file, one by one, using ACLs. Not in an organized way as OUs and GPOs.

--
Cheers / Saludos,
Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar)
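An added example, not code from the thread or from openSUSE, of what "give access to a file, one by one, using ACLs" evaluates to on the kernel side: a small model of the acl(5) access-check algorithm with a parser for `getfacl --numeric` output. The getfacl output is constructed, uid 1001 and gid 2001 are placeholder numbers, and the point it demonstrates is the check a practitioner wants after granting a group write access: whether the mask entry, which a later `chmod` rewrites, has silently clipped the grant.

```python
"""Model of the POSIX ACL access check described in acl(5).

Added example for this thread, not code from the posters or from openSUSE.
The getfacl output below is constructed; uid 1001 / gid 2001 are placeholders.
"""
from __future__ import annotations

from dataclasses import dataclass, field

R, W, X = 4, 2, 1


def perms(triplet: str) -> int:
    """'rw-' -> R|W, the rwx triplet getfacl prints."""
    bits = 0
    for ch, bit in zip(triplet, (R, W, X)):
        if ch != "-":
            bits |= bit
    return bits


@dataclass
class Acl:
    owner: int = -1
    group: int = -1
    user_obj: int = 0                            # user::   (ACL_USER_OBJ)
    group_obj: int = 0                           # group::  (ACL_GROUP_OBJ)
    other: int = 0                               # other::  (ACL_OTHER)
    users: dict = field(default_factory=dict)    # user:UID:  (ACL_USER)
    groups: dict = field(default_factory=dict)   # group:GID: (ACL_GROUP)
    mask: int | None = None                      # mask::   required once named entries exist


def parse_getfacl(text: str) -> Acl:
    """Parse `getfacl --numeric` long-form output; '#effective:' notes are ignored."""
    acl = Acl()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("# owner:"):
                acl.owner = int(line.split(":", 1)[1])
            elif line.startswith("# group:"):
                acl.group = int(line.split(":", 1)[1])
            continue                              # "# file:" / "# flags:" lines
        tag, qual, triplet = line.split("#", 1)[0].strip().split(":")
        p = perms(triplet)
        if tag == "user" and qual == "":
            acl.user_obj = p
        elif tag == "user":
            acl.users[int(qual)] = p
        elif tag == "group" and qual == "":
            acl.group_obj = p
        elif tag == "group":
            acl.groups[int(qual)] = p
        elif tag == "mask":
            acl.mask = p
        elif tag == "other":
            acl.other = p
        else:
            raise ValueError(f"unknown ACL entry: {line!r}")
    return acl


def check_access(acl: Acl, uid: int, gids: set, want: int) -> bool:
    """acl(5) order: owner, then a named user, then the file group class
    (owning group and named groups, tried together), then other.
    The mask clips every entry except user:: and other::.
    Root's CAP_DAC_OVERRIDE is deliberately not modelled."""
    mask = acl.mask if acl.mask is not None else R | W | X
    if uid == acl.owner:
        return (want & acl.user_obj) == want
    if uid in acl.users:
        return (want & acl.users[uid] & mask) == want
    group_class = []
    if acl.group in gids:
        group_class.append(acl.group_obj & mask)
    group_class += [p & mask for g, p in acl.groups.items() if g in gids]
    if group_class:
        return any((want & p) == want for p in group_class)
    return (want & acl.other) == want


def clipped_entries(acl: Acl) -> list:
    """Named entries granting more than the mask allows (what getfacl marks '#effective')."""
    if acl.mask is None:
        return []
    clipped = [("user", u) for u, p in acl.users.items() if p & ~acl.mask]
    clipped += [("group", g) for g, p in acl.groups.items() if p & ~acl.mask]
    return clipped


# Constructed: state after `setfacl -m g:2001:rw /etc/sysconfig/nfs` followed by
# `chmod 644 /etc/sysconfig/nfs`. chmod rewrote the group-class bits, which on a
# file with an extended ACL means the mask, so the named group is reduced to r--.
CLIPPED = """\
# file: etc/sysconfig/nfs
# owner: 0
# group: 0
user::rw-
group::r--
group:2001:rw-          #effective:r--
mask::r--
other::r--
"""

# Constructed: after `setfacl -m m::rw /etc/sysconfig/nfs` (or `chmod g+w`).
FIXED = CLIPPED.replace("mask::r--", "mask::rw-").replace("#effective:r--", "")

if __name__ == "__main__":
    for label, text in (("clipped", CLIPPED), ("fixed", FIXED)):
        acl = parse_getfacl(text)
        print(label, "uid 1001 in gid 2001 can write:",
              check_access(acl, 1001, {100, 2001}, W), "clipped:", clipped_entries(acl))
```

The practical consequence: after every `setfacl -m g:GROUP:rw FILE`, re-run `getfacl FILE` and look for `#effective:` annotations, because any tool that later does a plain `chmod` on the file (package updates, config editors) resets the mask and quietly takes the grant away again.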
On 22/07/12 20:15, Carlos E. R. wrote:
> On 2012-07-22 17:56, lynn wrote:
>> On 22/07/12 13:53, Carlos E. R. wrote:
>>> On 2012-07-22 12:58, lynn wrote:
>> I was thinking of creating an OU that had restricted access. I can see in Ubuntu they have no real option. But we have Yast so probably have a way of delegating responsibility away from the admin.
> No way :-)
> No, sorry, no such thing in Linux world, at least that I have met to this day. Maybe the SLES people have something, dunno.
>> User y has access only to /etc/sysconfig
> You can give access to a file, one by one, using ACLs. Not in an organized way as OUs and GPOs.
Mmm. Maybe. OUs give a great way to manipulate groups of users under openLDAP. We now have Samba4 with its own (realistic) implementation of LDAP and Kerberos. The Schema includes all of rfc2307 and is rock solid on the Linux side. What a great opportunity to take over from where Canonical are sure to cash in. Unless we get there first that is.

L x
On 2012-07-22 20:27, lynn wrote:
> On 22/07/12 20:15, Carlos E. R. wrote:
> Mmm. Maybe. OUs give a great way to manipulate groups of users under openLDAP. We now have Samba4 with its own (realistic) implementation of LDAP and Kerberos. The Schema includes all of rfc2307 and is rock solid on the Linux side. What a great opportunity to take over from where Canonical are sure to cash in. Unless we get there first that is.
I have seen the equivalent to OU in Unix, unix RTR, text mode only. I don't think samba is the way to go for this. It would be a very big overhauling job.

--
Cheers / Saludos,
Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar)
On 22/07/12 20:54, Carlos E. R. wrote:
> I have seen the equivalent to OU in Unix, unix RTR, text mode only. I don't think samba is the way to go for this. It would be a very big overhauling job.
On the contrary. It's more or less in place already. Samba4 has OU, GPO, LDAP and Kerberos out of the box. Even openLDAP has a schema for Samba3.

What we could do with is some way of translating the GPO to Yast. That's more or less what point and click windows admins do most of the day with the windows control panel anyway. Dare I say that Yast has many resemblances to control panel.

L x
On 2012-07-22 21:29, lynn wrote:
> On 22/07/12 20:54, Carlos E. R. wrote:
>> I have seen the equivalent to OU in Unix, unix RTR, text mode only. I don't think samba is the way to go for this. It would be a very big overhauling job.
> On the contrary. It's more or less in place already. Samba4 has OU, GPO, LDAP and Kerberos out of the box. Even openLDAP has a schema for Samba3.
For Windows machines, not Linux machines.
> What we could do with is some way of translating the GPO to Yast.
> That's more or less what point and click windows admins do most of the day with the windows control panel anyway.
> Dare I say that Yast has many resemblances to control panel.
But the underlying permissions system does not.

--
Cheers / Saludos,
Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar)
On 22/07/12 22:23, Carlos E. R. wrote:
>> On the contrary. It's more or less in place already. Samba4 has OU, GPO, LDAP and Kerberos out of the box. Even openLDAP has a schema for Samba3.
> For Windows machines, not Linux machines.
Nope. Yast already caters for the openLDAP schema which includes both windows and Linux machines. OU, LDAP backends and Krb5 are all there. It's a closely guarded Yast secret because most of us have no idea what the yast Samba Server module can do.
>> Dare I say that Yast has many resemblances to control panel.
> But the underlying permissions system does not.
Hi Carlos, hi everyone. The underlying permissions (Posix or NT) do indeed allow us to do that already. The Samba guys work _very_ hard to make it do so.

Easy example: A mapping which lets both Linux and windows admins create a new user with both rfc2307 and windows classes and attributes? That user then has SSO to log onto windows or Linux clients in the forest. Yast can do that already under Samba3. Try Yast > LDAP Server

L x
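As an added illustration of the mapping described above (not taken from the thread, and not YaST's own output), this is what one LDAP entry looks like when it carries both the RFC 2307 classes that Linux NSS/PAM consume and Samba 3's sambaSamAccount class. The base DN, the numeric uid/gid, and the SIDs are placeholders; the Samba password attributes are omitted because they are set with smbpasswd or pdbedit rather than by hand.

```ldif
# Added example: one account usable from both Linux (posixAccount/shadowAccount)
# and Windows via Samba 3 (sambaSamAccount). All identifiers are placeholders.
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
cn: Jane Doe
sn: Doe
uid: jdoe
uidNumber: 10001
gidNumber: 513
homeDirectory: /home/jdoe
loginShell: /bin/bash
gecos: Jane Doe
sambaSID: S-1-5-21-111111111-222222222-333333333-21002
sambaPrimaryGroupSID: S-1-5-21-111111111-222222222-333333333-513
sambaAcctFlags: [U          ]
```

The two halves are independent attribute sets on the same object: uidNumber/gidNumber/homeDirectory drive the Linux login, sambaSID/sambaPrimaryGroupSID drive the Windows one, and nothing in either set expresses "may change the NFS client configuration", which is the gap the rest of the thread is about.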
On 2012-07-22 22:47, lynn wrote:
> On 22/07/12 22:23, Carlos E. R. wrote:
>>> On the contrary. It's more or less in place already. Samba4 has OU, GPO, LDAP and Kerberos out of the box. Even openLDAP has a schema for Samba3.
>> For Windows machines, not Linux machines.
> Nope. Yast already caters for the openLDAP schema which includes both windows and Linux machines. OU, LDAP backends and Krb5 are all there. It's a closely guarded Yast secret because most of us have no idea what the yast Samba Server module can do.
I don't believe that the tools and the definitions to change the ACLs of all the files involved in, for example, NFS client configuration, are there, even if you have a working ldap database. Control the permissions to log in Linux, yes. Finely control the permissions to do some things only, no.

If such a thing existed, I'm sure someone of the yast or suse teams would pop in and say "yes, we have that".

--
Cheers / Saludos,
Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar)
On Tue, 24 Jul 2012 07:51:28 Carlos E. R. wrote:
> On 2012-07-22 22:47, lynn wrote:
>> Nope. Yast already caters for the openLDAP schema which includes both windows and Linux machines. OU, LDAP backends and Krb5 are all there. It's a closely guarded Yast secret because most of us have no idea what the yast Samba Server module can do.
> I don't believe that the tools and the definitions to change the ACLs of all the files involved in, for example, NFS client configuration, are there, even if you have a working ldap database. Control the permissions to log in Linux, yes. Finely control the permissions to do some things only, no.
What about AppArmor? Can't that do it?
> If such a thing existed, I'm sure someone of the yast or suse teams would pop in and say "yes, we have that".
Maybe time for a feature request?

--
Rodney Baker VK5ZTV
rodney.baker@iinet.net.au
On Tue, 24 Jul 2012 18:35:24 Rodney Baker wrote:
> On Tue, 24 Jul 2012 07:51:28 Carlos E. R. wrote:
>> I don't believe that the tools and the definitions to change the ACLs of all the files involved in, for example, NFS client configuration, are there, even if you have a working ldap database. Control the permissions to log in Linux, yes. Finely control the permissions to do some things only, no.
> What about AppArmor? Can't that do it?
Never mind - it appears not (I just had a look). But I'm pretty sure SELinux has a mechanism to do this. It's been a long time since I played with it, though.
>> If such a thing existed, I'm sure someone of the yast or suse teams would pop in and say "yes, we have that".
> Maybe time for a feature request?
--
Rodney Baker VK5ZTV
rodney.baker@iinet.net.au
On 2012-07-24 11:15, Rodney Baker wrote:
> On Tue, 24 Jul 2012 18:35:24 Rodney Baker wrote:
>> What about AppArmor? Can't that do it?
> Never mind - it appears not (I just had a look). But I'm pretty sure SELinux has a mechanism to do this. It's been a long time since I played with it, though.
ACL can do it, I think, but it requires someone designing a long list of what binaries must run for the desired action (say, configure nfs in yast), and what files you must have read or write access to, then define a group that has all those permissions defined. And you have to do this for the hundred different actions you can permit or not. Once done, you can assign users to those action groups. Then you need months or years to test all this.

--
Cheers / Saludos,
Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar)
Carlos E. R. said the following on 07/24/2012 05:59 AM:
> ACL can do it, I think, but it requires someone designing a long list of what binaries must run for the desired action (say, configure nfs in yast), and what files you must have read or write access to, then define a group that has all those permissions defined. And you have to do this for the hundred different actions you can permit or not. Once done, you can assign users to those action groups. Then you need months or years to test all this.
You've just described why I've always {hated,despised} ACL as an access control mechanism. Lists? Think Mikado!

With a little thought the UNIX groups mechanism can come close to an RBAC-like functionality. The thing is that instead of thinking in terms of lists you need to think in terms of set theory, which can be a bit of a stretch, since this is way beyond what gets taught in schools.

http://en.wikipedia.org/wiki/Role-based_access_control
<quote>
RBAC differs from access control lists (ACLs), used in traditional discretionary access-control systems, in that it assigns permissions to specific operations with meaning in the organization, rather than to low level data objects.
</quote>

The key is to create new groups to define the functional layers you need rather than just accept the out-of-the-box groups in /etc/group that come with the distribution. Groups as roles and groups as capability are separate. The result, if you look at it from the contents of /etc/group, certainly looks like lists, but set membership has to be written down somehow.

Google a little ...

RBAC using AppArmor with Suse
http://wiki.apparmor.net/index.php/RBAC_2_3
http://wiki.apparmor.net/index.php/AppArmorRBAC

Even without AppArmor, the use of PAM is interesting. There's also pam_capability which can implement a form of RBAC using the Capability functions.

Novell RBAC using LDAP
http://www.novell.com/communities/node/1656/nam%20open%20lab%205%3A%20settin...

RBAC with SELinux
http://www.ibm.com/developerworks/linux/library/l-rbac-selinux/

Explanation of RBAC in SELinux (section 6.1.1)
http://flylib.com/books/en/2.803.1.47/1/

See also
http://it.toolbox.com/wiki/index.php/UNIX_Groups_and_RBAC_Roles
http://www.linuxlinks.com/article/20110414155714166/MAC-RBAC-Tools.html
http://en.wikipedia.org/wiki/Grsecurity
http://seedit.sourceforge.net/doc/2.0/rbac_guide.pdf

or go google for yourself. There's a lot out there on ways to use and implement RBAC and the principles behind it.
--
I would rather be exposed to the inconveniences attending too much liberty, than those attending too small a degree of it.
--Thomas Jefferson (letter to Archibald Stuart, Dec. 23, 1791, on the encroachments of state governments)
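An added example, not part of the thread and not how YaST itself works, that puts Carlos's "action groups" design and Anton's groups-as-roles suggestion into code: roles are sets of capability groups (with role inheritance, resolved as a set closure), each capability group is bound to its files with setfacl, users only ever gain or lose group memberships, and the same data answers the reverse audit question "who can change this file" from an /etc/group excerpt. The group names, role names and the per-capability file lists are assumptions for illustration. As the thread itself concludes, this governs direct file access only; it does not let a user run a YaST module as root.

```python
"""Unix groups as RBAC: roles are sets of capability groups, each capability
group is bound to files with setfacl, and the same data answers "who can
write this file".

Added example for this thread, not code from YaST or the posters. The group
and role names and the per-capability file lists are assumptions.
"""
from __future__ import annotations

# capability group -> {path: perms in setfacl notation}   (assumed file lists)
CAPABILITIES = {
    "cap_nfs_client": {"/etc/fstab": "rw", "/etc/sysconfig/nfs": "rw"},
    "cap_sysconfig": {"/etc/sysconfig/nfs": "rw", "/etc/sysconfig/network/config": "rw"},
}

# role -> capability groups it grants and roles it inherits from (role hierarchy)
ROLES = {
    "role_nfs_client_admin": {"caps": {"cap_nfs_client"}, "includes": set()},
    "role_sysconfig_editor": {"caps": {"cap_sysconfig"}, "includes": set()},
    "role_site_admin": {"caps": set(),
                        "includes": {"role_nfs_client_admin", "role_sysconfig_editor"}},
}


def resolve_caps(role: str, roles: dict = ROLES) -> set:
    """Capability groups a role grants, transitively; tolerant of cycles."""
    seen, todo, caps = set(), [role], set()
    while todo:
        r = todo.pop()
        if r in seen:
            continue
        seen.add(r)
        caps |= roles[r]["caps"]
        todo.extend(roles[r]["includes"])
    return caps


def plan(assignments: dict, roles: dict = ROLES, caps: dict = CAPABILITIES) -> list:
    """Commands realising `assignments` ({user: {role, ...}}).
    ACLs are attached per capability group, never per user; users only
    gain or lose group memberships."""
    cmds = []
    for cap in sorted(caps):
        cmds.append(f"groupadd {cap}")
        for path, perms in sorted(caps[cap].items()):
            cmds.append(f"setfacl -m g:{cap}:{perms} {path}")
    for user in sorted(assignments):
        needed = set().union(*(resolve_caps(r, roles) for r in assignments[user]))
        for cap in sorted(needed):
            cmds.append(f"usermod -a -G {cap} {user}")
    return cmds


def parse_group_file(text: str) -> dict:
    """/etc/group lines: name:password:gid:member,member -> {name: {members}}.
    Primary groups (the gid field in /etc/passwd) are not considered here."""
    members = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _pw, _gid, mlist = line.split(":", 3)
        members[name] = {m for m in mlist.split(",") if m}
    return members


def who_can(path: str, members: dict, caps: dict = CAPABILITIES) -> set:
    """Reverse query: every member of every capability group bound to `path`."""
    users = set()
    for cap, files in caps.items():
        if path in files:
            users |= members.get(cap, set())
    return users


# Constructed /etc/group excerpt after plan({"x": {"role_nfs_client_admin"},
# "y": {"role_sysconfig_editor"}}) has been applied.
GROUP_FILE = """\
root:x:0:
users:x:100:
cap_nfs_client:x:2001:x
cap_sysconfig:x:2002:y
"""

if __name__ == "__main__":
    print("\n".join(plan({"x": {"role_nfs_client_admin"}, "y": {"role_sysconfig_editor"}})))
    print("can change /etc/sysconfig/nfs:",
          sorted(who_can("/etc/sysconfig/nfs", parse_group_file(GROUP_FILE))))
```

The set view is what makes the audit cheap: "who can change /etc/sysconfig/nfs" is the union of the members of every capability group bound to that path, so an overlap between two capabilities (here both touch /etc/sysconfig/nfs) shows up immediately instead of being buried in per-file ACL listings.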
On Sun, 22 Jul 2012 12:58:29 +0200, lynn wrote:
> In windows I can create a GPO which restricts access to an OU e.g. specific areas of the control panel. Do we have anything like this in openSUSE?
In unix access there is only discrimination between root and the normal user. The concept of role-based access is still rather alien and YaST until now has no way to limit access to certain parts to specific users.

Philipp
participants (5)
- Anton Aylward
- Carlos E. R.
- lynn
- Philipp Thomas
- Rodney Baker