Mailinglist Archive: opensuse-factory (883 mails)
| < Previous | Next > |
Re: [opensuse-factory] Roles for security and convenience
- From: Guido Berhoerster <gber@xxxxxxxxxxxx>
- Date: Sat, 26 May 2012 12:03:12 +0200
- Message-id: <4FC0AA60.1030501@opensuse.org>
On 26.05.2012 10:16, Thomas Leineweber wrote:
That's not correct, su currently logs to syslog when you switch to another user and shells such as ksh93 provide auditing and per-user accounting facilities. Furthermore with a role account you'd disallow direct login for role accounts and restrict role assumption to users which have explicit authorization to do so.
I'm not sure how RBAC with SELinux works but e.g. in Solaris you can assign "rights profiles" (which are an aggregation of related privileges) even directly to a user instead of a role account who can then invoke commands with elevated privileges without an additional password but still with full auditing.
--
Guido Berhoerster
--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse-factory+owner@xxxxxxxxxxxx
Am 26.05.2012 01:24, schrieb Claudio Freire:
On Fri, May 25, 2012 at 8:07 PM, Hans Witvliet<suse@xxxxxxxxxxx> wrote:
b) in a large company specific roles are assigned to certain users,
Those users should only be troubled with their own pwd, and should never
have access to neither root-pwd nor root-privileges.
Dedicated accounts with their own pwd are a nightmare for an
organisation.
What do you mean with that? I can only parse that sentence to mean all
users should have the same password, which seems quite unlikely to be
what you meant as that's nonsense.
I would read it as follows:
If there is a dedicated account with it's own pwd for the administration
of a service, it is not possible to see, who did the administration
task. Nearly "everybody" could have logged in as the dedicated user,
because many persons know the pwd. That is in contrast to the
requirement, that you can find out who has done the administration
task.
That's not correct, su currently logs to syslog when you switch to another user and shells such as ksh93 provide auditing and per-user accounting facilities. Furthermore with a role account you'd disallow direct login for role accounts and restrict role assumption to users which have explicit authorization to do so.
I'm not sure how RBAC with SELinux works but e.g. in Solaris you can assign "rights profiles" (which are an aggregation of related privileges) even directly to a user instead of a role account who can then invoke commands with elevated privileges without an additional password but still with full auditing.
--
Guido Berhoerster
--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse-factory+owner@xxxxxxxxxxxx
| < Previous | Next > |