Mailinglist Archive: opensuse (1483 mails)

[opensuse] Re: Should openSUSE review it's Security Policies?
  • From: Jim Henderson <hendersj@xxxxxxxxx>
  • Date: Wed, 29 Feb 2012 20:20:39 +0000 (UTC)
  • Message-id: <jim1an$8dd$1@dough.gmane.org>
On Wed, 29 Feb 2012 14:40:13 -0500, Larry Stotler wrote:

> As many are aware, Linus Torvalds has started a rant about the security
> policies in openSUSE for things that require the root password. From
> his Google+ post
> (https://plus.google.com/102150693225130002912/posts/1vyfmNCYpi5),
> he names these:
>
> Time Zone changes
> Adding a Printer
> Adding a wireless network.
>
> Now, I don't usually see the wireless issue because KNetworkmanager in
> KDE3 (which I use) has never asked the root password for adding a new
> network.
>
> While at 37, I've never changed timezones (I lead a boring life) I would
> have to agree that having to use the root password for this would be
> annoying if I needed to change it because of a flight or something.
>
> I've worked with Linus on a hardware issue years ago, and I think we
> should probably at least consider reviewing the policies if they do need
> changed.
>
> Just my 2 cents.

I would tend to agree, but at the same time, security is always a
tradeoff between convenience and security.

The underlying issue seems to me to be twofold:

1. The default policies are thought, by some, to be too restrictive.

2. PolicyKit (which seems to be what enforces these sorts of things)
doesn't appear to me to be very well documented, nor is there a good tool
for modifying the policy should one wish to go with a less restrictive
setup.

It seems like what might be reasonable here is to (a) better document
PolicyKit, (b) provide a tool for managing the policies, and (c) provide
different security profiles at installation time that let the user decide
at that point how they want to balance security and convenience.

We need to make this discussion less about Linus' comments (poorly
stated, but valid observations) and more about how we balance the
security policy/policies.

But I also understand there is a discussion going on about this on the
opensuse-security list - it may well be redundant to have a discussion
here on the -user list as well.

Jim

--
Jim Henderson
Please keep on-topic replies on the list so everyone benefits
