Mailinglist Archive: opensuse-factory (883 mails)
| < Previous | Next > |
Re: [opensuse-factory] Security or Convenience? Defining a better policy
- From: Marguerite Su <i@xxxxxxxxxxxxx>
- Date: Tue, 22 May 2012 22:34:51 +0800
- Message-id: <CAK0PdA=QFV0tTjg4aws2P8GdoQd7TDrvWgDPC2gsbbeNUUdnug@mail.gmail.com>
On Tue, May 22, 2012 at 10:00 PM, Bryen M Yunashko <suserocks@xxxxxxxxx> wrote:
yes...easier said than done.
actually we forum moderators discussed such topic before in openSUSE
forums' hidden moderator area...and no results. (we're digging linus
at that time)
evidence shows a lot of users use openSUSE as home server.
but even home server is different from standard server environment.
someone just use its old but big hard disks to store blue-ray movies,
but others use it as a mail server...too hard to tell.
but one thing in common, if he defines his openSUSE as a "server",
even a little bit, then the standard server environment should be what
he needs...because he must know only a sys-admin can operate a server
with full permission...and he must be ready to acquire such knowledge
to "tweak". if not, it means he is explored to attacks under his own
will.
yes. it's just an extreme example...
actually the most famous openSUSE 12.1 tweak is "do not ask root
password but use it when connecting to new wifi"...not root password
to install software.
and linux malware is so few...take such risks to have a
"less-annoying" OS might be normal users want...but I don't know.
and one thing to mention is that we have automatic updates...most of
the backdoors are fixed in such updates...
oh I've heard an example before. the example of Mr oldcpu.
he lives in Germany, his mama lives in Canada, he went back home 4 years a time.
so his mama is using openSUSE 11.3 which receives no updates for now.
so it means no matter how secure a system is for now...it'll not as
secure later.
and no matter how many tweaks a help hand did, one day you have to do
it yourself or explore youself to outside attack.
that's why I have the idea to have different level "tweak" package(s)
to make that work easy.
marguerite
--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse-factory+owner@xxxxxxxxxxxx
On Tue, 2012-05-22 at 21:40 +0800, Marguerite Su wrote:
Hi, Andreas,I think this is easier said than done. While we have evidence that
personally I think we'd better separate standard Linux server
environment from single-user home desktop environment. they're
totally different....and desktop users are growing in recent years in
our forums(openSUSE is almost the only usable distro for home use)
there are a lot of single-user desktop machines, it is less clear how
many of them still use server functionality in the background. And a
number of people *do* do this for testing purposes, or a makeshift home
server, etc.
So the challenge, if we wanted to address different usages, would be to
create security levels for 1) Servers, 2) Mixed Server/Desktop and 3)
Desktop for Single users (I guess a 4th one for multi-user desktop.)
yes...easier said than done.
actually we forum moderators discussed such topic before in openSUSE
forums' hidden moderator area...and no results. (we're digging linus
at that time)
evidence shows a lot of users use openSUSE as home server.
but even home server is different from standard server environment.
someone just use its old but big hard disks to store blue-ray movies,
but others use it as a mail server...too hard to tell.
but one thing in common, if he defines his openSUSE as a "server",
even a little bit, then the standard server environment should be what
he needs...because he must know only a sys-admin can operate a server
with full permission...and he must be ready to acquire such knowledge
to "tweak". if not, it means he is explored to attacks under his own
will.
eg: I would like YaST2 never ask me root password to install software,I agree that some basic functionalities shouldn't require passwords.
since it's my laptop and no one else can use it...but it'll surely be
banned in a security expert's eyes, and I don't know how to adjust it
for myself
Obvious are adding wifi networks or printer connections. However, I
still greatly appreciate requiring a password even on my own machine for
software installations. If anything, it becomes a gentle reminder to me
that I must exercise my abilities with caution.
Also, unpassworded-software installation, in my opinion, exposes us to
greater risks. Some malware out there can do a background installation
without your awareness, and without password protection, we've made it
much easier for those miscreants. The moment we remove this level of
protection, we increase the invitation for malware creators to target
openSUSE installations.
yes. it's just an extreme example...
actually the most famous openSUSE 12.1 tweak is "do not ask root
password but use it when connecting to new wifi"...not root password
to install software.
and linux malware is so few...take such risks to have a
"less-annoying" OS might be normal users want...but I don't know.
and one thing to mention is that we have automatic updates...most of
the backdoors are fixed in such updates...
(no flame war like Linus did, of course I defend and vote for
openSUSE, but one comment in it is good for me: it's easier for
security persons to enable it than grandma to disable it)
This poses another question. Did grandma install openSUSE herself or
did someone else do it for her? Both scenarios have different security
implications. (Think in terms of "a little knowledge can be a dangerous
thing.") :-)
oh I've heard an example before. the example of Mr oldcpu.
he lives in Germany, his mama lives in Canada, he went back home 4 years a time.
so his mama is using openSUSE 11.3 which receives no updates for now.
so it means no matter how secure a system is for now...it'll not as
secure later.
and no matter how many tweaks a help hand did, one day you have to do
it yourself or explore youself to outside attack.
that's why I have the idea to have different level "tweak" package(s)
to make that work easy.
Bryen M Yunashko
so mix them up may generate no balanced results and may trigger
another flame war in our forums...
I hope we may/can have a package called polkit-default-home-use or
something to fulfill that kind of needs....of course too hurry for
12.2, may be later
Greetings
Marguerite
--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse-factory+owner@xxxxxxxxxxxx
marguerite
--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse-factory+owner@xxxxxxxxxxxx
| < Previous | Next > |