Re: [opensuse] Re: Should openSUSE review it's Security Policies?
  • From: Steven Hess <flamebait@xxxxxxxxx>
  • Date: Fri, 2 Mar 2012 14:24:46 -0800
  • Message-id: <CAF=LnE6eTk-LD5uzPdo2_SLO0Yr76ijgaW=+6+S1E90Ke4_06g@mail.gmail.com>
On Fri, Mar 2, 2012 at 2:20 PM, Jim Henderson <hendersj@xxxxxxxxx> wrote:
On Fri, 02 Mar 2012 23:03:27 +0100, Marcus Meissner wrote:

On Thu, Mar 01, 2012 at 04:33:29PM -0500, James Knott wrote:
Jim Henderson wrote:
As I have said several times, it should be optional, at the discretion
of the admin or employer.  However, that does not seem to be possible
at the moment and that's what all the fuss is about.  The developers
decided they knew better than the users about what security is required
to the point that it is currently useless in many business
environments.

The security team decided on a good standard policy.

One might argue that the security team decided on a default "secure"
policy, which might be a bit too restrictive for some people.

No other developers were found that worked on a good design that is both
usable and secure.

It's a matter of convenience - if someone wants to be less secure, they
can of course set the system up to be that way, but they bear the
consequences of it.

You can change the settings on your own machine (or your admin can).

Currently e.g. like:

- edit /etc/polkit-default-privs.local

add the lines:
org.opensuse.cupspkhelper.mechanism.printer-set-default auth_admin_keep:auth_admin_keep:yes
org.opensuse.cupspkhelper.mechanism.printer-enable auth_admin_keep:auth_admin_keep:yes
org.opensuse.cupspkhelper.mechanism.printer-local-edit auth_admin_keep:auth_admin_keep:yes
org.opensuse.cupspkhelper.mechanism.printer-remote-edit auth_admin_keep:auth_admin_keep:yes
org.opensuse.cupspkhelper.mechanism.class-edit auth_admin_keep:auth_admin_keep:yes
org.opensuse.cupspkhelper.mechanism.server-settings auth_admin_keep:auth_admin_keep:yes
org.opensuse.cupspkhelper.mechanism.printeraddremove auth_admin_keep:auth_admin_keep:yes
org.opensuse.cupspkhelper.mechanism.job-edit auth_admin_keep:auth_admin_keep:yes
org.opensuse.cupspkhelper.mechanism.job-not-owned-edit auth_admin_keep:auth_admin_keep:yes
org.opensuse.cupspkhelper.mechanism.devices-get auth_admin_keep:auth_admin_keep:yes
org.opensuse.cupspkhelper.mechanism.all-edit auth_admin_keep:auth_admin_keep:yes

(the "yes" to the third argument gives the active user full rights to
all these calls.)

That's a pretty ugly way to have to modify the policy, and the values
aren't (as near as I've been able to tell) very well documented anywhere.

Jim
--
 Jim Henderson
 Please keep on-topic replies on the list so everyone benefits

I would still prefer a graphical way of doing this in yast and a
security selection in the installer with a low, medium and high
security profile.

--
____________
Steven L Hess ARS KC6KGE DM05gd22
Skype user flamebait Cell 661 487 0357 (Facetime)
Google Voice 661 769 6201
openSUSE Linux 12.1
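
Added example, not part of the original thread or of openSUSE's tooling: a small audit of /etc/polkit-default-privs.local-style text that lists every privilege a session class can use with no authentication ("yes") and flags entries that are not on one line. The function names, the sample text, the any/inactive/active field names and the single-value shorthand are assumptions of this example.

```python
# Values polkit accepts for an implicit authorization (assumption: the common
# set; other releases may accept more).
VALUES = {"no", "yes", "auth_self", "auth_self_keep", "auth_admin", "auth_admin_keep"}
# Field order assumed from the message: the third argument is the active user.
FIELDS = ("any", "inactive", "active")

def parse_privs(text):
    """Return ({privilege: {field: value}}, [(lineno, problem)])."""
    rules, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:                      # e.g. an entry wrapped by a mailer
            errors.append((lineno, "expected '<privilege> <value>' on one line"))
            continue
        priv, value = parts
        vals = value.split(":")
        if len(vals) == 1:                       # assumption: one value covers all three
            vals = vals * 3
        if len(vals) != 3 or any(v not in VALUES for v in vals):
            errors.append((lineno, "bad value %r" % value))
            continue
        rules[priv] = dict(zip(FIELDS, vals))
    return rules, errors

def passwordless(rules):
    """(privilege, session class) pairs that need no authentication at all."""
    return sorted((p, f) for p, r in rules.items() for f in FIELDS if r[f] == "yes")

# Constructed sample: two well-formed overrides and one entry split across lines.
SAMPLE = """\
# local overrides (constructed sample)
org.opensuse.cupspkhelper.mechanism.printer-set-default auth_admin_keep:auth_admin_keep:yes
org.opensuse.cupspkhelper.mechanism.all-edit auth_admin_keep:auth_admin_keep:auth_admin_keep
org.opensuse.cupspkhelper.mechanism.job-edit
auth_admin_keep:auth_admin_keep:yes
"""

if __name__ == "__main__":
    rules, errors = parse_privs(SAMPLE)
    for priv, field in passwordless(rules):
        print("no authentication for %s sessions: %s" % (field, priv))
    for lineno, problem in errors:
        print("line %d: %s" % (lineno, problem))
```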