-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 2012-05-22 15:47, Andreas Jaeger wrote:

But what should be the default - and what other options should we have?

The install should put a window early, asking questions about what the machine is going to be used for. Corporate use, home, laptop, desktop, secured, allow user to configure things or not... - -- Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk+7m8sACgkQIvFNjefEBxpVYwCggsylDPlg6jIPfFpW71gsT7Ry X8gAnAwB2HPPPfwWa09ILcSNxA6bLCHL =hQYK -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 2012-05-22 16:04, Bryen M Yunashko wrote:

Otherwise, without that extensive documentation, I don't think implementing levels is a good idea if no one understands what it means at each level.

It doesn't need to be levels, it can be choices. For example, for a laptop you would install things like laptop-tools. For corporate use, perhaps security can be hardened. Or, ask directly if printers can be installed by user (tick), wifi connected by user (tick), etc. What should not be done is choose one selection from "up". - -- Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk+73BIACgkQIvFNjefEBxrqjACeMy3jZS05smZd/80jFAX0KXtf atAAoKC2LH2mtQdLmbby0Sc5IKEZqOAL =s2MB -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

On Tue, May 22, 2012 at 9:47 PM, Andreas Jaeger wrote:

On Tuesday, May 22, 2012 15:40:44 Marguerite Su wrote:

...

Hi, Andreas,

personally I think we'd better separate standard Linux server environment from single-user  home desktop environment. they're totally different....and desktop users are growing in recent years in our forums(openSUSE is almost the only usable distro for home use)

But what should be the default - and what other options should we have?

For openSUSE, the main usage szenario is desktop. But I hear we have many single user machines but also those with a separate admin...

of course standard linux server enviroment...we're in linux world, aha... home users can install that package to fulfill his needs and take the risks himself. (like installing non-oss packages, there'll be a pop-up warning) at least at that time we have a standard way for such needs...nowadays those non-security experts have to tweak one by one...really hard and may break the whole system... marguerite

...

eg: I would like YaST2 never ask me root password to install software, since it's my laptop and no one else can use it...but it'll surely be banned in a security expert's eyes, and I don't know how to adjust it for myself

(no flame war like Linus did, of course I defend and vote for openSUSE, but one comment in it is good for me: it's easier for security persons to enable it than grandma to disable it)

so mix them up may generate no balanced results and may trigger another flame war in our forums...

I hope we may/can have a package called polkit-default-home-use or something to fulfill that kind of needs....of course too hurry for 12.2, may be later

Andreas --  Andreas Jaeger aj@{suse.com,opensuse.org} Twitter/Identica: jaegerandi  SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany   GF: Jeff Hawn,Jennifer Guild,Felix Imendörffer,HRB16746 (AG Nürnberg)    GPG fingerprint = 93A3 365E CE47 B889 DF7F  FED1 389A 563C C272 A126 -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

-- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

On Tue, 2012-05-22 at 21:40 +0800, Marguerite Su wrote:

Hi, Andreas,

personally I think we'd better separate standard Linux server environment from single-user home desktop environment. they're totally different....and desktop users are growing in recent years in our forums(openSUSE is almost the only usable distro for home use)

I think this is easier said than done. While we have evidence that there are a lot of single-user desktop machines, it is less clear how many of them still use server functionality in the background. And a number of people *do* do this for testing purposes, or a makeshift home server, etc. So the challenge, if we wanted to address different usages, would be to create security levels for 1) Servers, 2) Mixed Server/Desktop and 3) Desktop for Single users (I guess a 4th one for multi-user desktop.)

eg: I would like YaST2 never ask me root password to install software, since it's my laptop and no one else can use it...but it'll surely be banned in a security expert's eyes, and I don't know how to adjust it for myself

I agree that some basic functionalities shouldn't require passwords. Obvious are adding wifi networks or printer connections. However, I still greatly appreciate requiring a password even on my own machine for software installations. If anything, it becomes a gentle reminder to me that I must exercise my abilities with caution. Also, unpassworded-software installation, in my opinion, exposes us to greater risks. Some malware out there can do a background installation without your awareness, and without password protection, we've made it much easier for those miscreants. The moment we remove this level of protection, we increase the invitation for malware creators to target openSUSE installations.

(no flame war like Linus did, of course I defend and vote for openSUSE, but one comment in it is good for me: it's easier for security persons to enable it than grandma to disable it)

This poses another question. Did grandma install openSUSE herself or did someone else do it for her? Both scenarios have different security implications. (Think in terms of "a little knowledge can be a dangerous thing.") :-) Bryen M Yunashko

so mix them up may generate no balanced results and may trigger another flame war in our forums...

I hope we may/can have a package called polkit-default-home-use or something to fulfill that kind of needs....of course too hurry for 12.2, may be later

Greetings

Marguerite

-- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

On Tue, 2012-05-22 at 22:34 +0800, Marguerite Su wrote:

On Tue, May 22, 2012 at 10:00 PM, Bryen M Yunashko wrote:

...

On Tue, 2012-05-22 at 21:40 +0800, Marguerite Su wrote:

...

Hi, Andreas,

personally I think we'd better separate standard Linux server environment from single-user home desktop environment. they're totally different....and desktop users are growing in recent years in our forums(openSUSE is almost the only usable distro for home use)

I think this is easier said than done. While we have evidence that there are a lot of single-user desktop machines, it is less clear how many of them still use server functionality in the background. And a number of people *do* do this for testing purposes, or a makeshift home server, etc.

So the challenge, if we wanted to address different usages, would be to create security levels for 1) Servers, 2) Mixed Server/Desktop and 3) Desktop for Single users (I guess a 4th one for multi-user desktop.)

yes...easier said than done.

actually we forum moderators discussed such topic before in openSUSE forums' hidden moderator area...and no results. (we're digging linus at that time)

evidence shows a lot of users use openSUSE as home server.

but even home server is different from standard server environment. someone just use its old but big hard disks to store blue-ray movies, but others use it as a mail server...too hard to tell.

but one thing in common, if he defines his openSUSE as a "server", even a little bit, then the standard server environment should be what he needs...because he must know only a sys-admin can operate a server with full permission...and he must be ready to acquire such knowledge to "tweak". if not, it means he is explored to attacks under his own will.

But we're still thinking in terms of "at installation time." I can see easily someone setting up a desktop and then a month or two later say Hmm, let's add some server functionality. A simple website I can tell my friends to connect to. So security levels need to be easily modified during use, and not just during installation.

...

...

eg: I would like YaST2 never ask me root password to install software, since it's my laptop and no one else can use it...but it'll surely be banned in a security expert's eyes, and I don't know how to adjust it for myself

I agree that some basic functionalities shouldn't require passwords. Obvious are adding wifi networks or printer connections. However, I still greatly appreciate requiring a password even on my own machine for software installations. If anything, it becomes a gentle reminder to me that I must exercise my abilities with caution.

Also, unpassworded-software installation, in my opinion, exposes us to greater risks. Some malware out there can do a background installation without your awareness, and without password protection, we've made it much easier for those miscreants. The moment we remove this level of protection, we increase the invitation for malware creators to target openSUSE installations.

yes. it's just an extreme example...

actually the most famous openSUSE 12.1 tweak is "do not ask root password but use it when connecting to new wifi"...not root password to install software.

and linux malware is so few...take such risks to have a "less-annoying" OS might be normal users want...but I don't know.

Part of reason it is so few is because of inherent security. Take away some security and you invite malware makers to make more now that they know where the risks are.

and one thing to mention is that we have automatic updates...most of the backdoors are fixed in such updates...

Updates are for software you already have installed. In theory, this is approved and we're comfortable with them. So automatic updates to existing software from known repositories is fine. But new software that may not even come from a known repository is the risk. Someone clicks on some foo.rpm on a website and boom... problem. Furthermore, that installation might not get fixed by any openSUSE updates.

...

...

(no flame war like Linus did, of course I defend and vote for openSUSE, but one comment in it is good for me: it's easier for security persons to enable it than grandma to disable it)

This poses another question. Did grandma install openSUSE herself or did someone else do it for her? Both scenarios have different security implications. (Think in terms of "a little knowledge can be a dangerous thing.") :-)

oh I've heard an example before. the example of Mr oldcpu.

he lives in Germany, his mama lives in Canada, he went back home 4 years a time.

so his mama is using openSUSE 11.3 which receives no updates for now.

so it means no matter how secure a system is for now...it'll not as secure later.

and no matter how many tweaks a help hand did, one day you have to do it yourself or explore youself to outside attack.

that's why I have the idea to have different level "tweak" package(s) to make that work easy.

Sure. I think providing levels is a good idea. But as I said earlier, ultimately it depends on the complexity of development as well as we cannot implement levels without some very good detailed documentation. This is CARDINAL in my opinion or we'll have a huge mess down the road. Bryen

...

Bryen M Yunashko

...

so mix them up may generate no balanced results and may trigger another flame war in our forums...

I hope we may/can have a package called polkit-default-home-use or something to fulfill that kind of needs....of course too hurry for 12.2, may be later

Greetings

Marguerite

-- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

marguerite

-- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 2012-05-22 18:43, Claudio Freire wrote:

As sudo asks *your* password, those tools that handle wifi, printers and such should also ask the user's password, and check whether the user has permission to administer wifi, printers, and such.

Hummmm. Actually, on most systems sudo asks root's password, because nobody configures sudo; and many documentations tell novices to do "sudo something" which will work because it is in the default, unconfigured state.

Also, installing software from configured repos is not the same, security-wise, to installing software from source or from untrusted repos.

It is no so simple to differentiate. And even with software from the oss repo you can break an installation, like forcing install sendmail when postfix is already running well. - -- Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk+73ooACgkQIvFNjefEBxqyawCeMZID9LeWi4M25xx4Xk7bnxeJ uBsAmgIabtWLzJtuYp6EzN6IkqsHxNUp =SJHn -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

On Tue, May 22, 2012 at 01:43:04PM -0300, Claudio Freire wrote:

On Tue, May 22, 2012 at 11:00 AM, Bryen M Yunashko wrote:

...

...

eg: I would like YaST2 never ask me root password to install software, since it's my laptop and no one else can use it...but it'll surely be banned in a security expert's eyes, and I don't know how to adjust it for myself

I agree that some basic functionalities shouldn't require passwords. Obvious are adding wifi networks or printer connections.   However, I still greatly appreciate requiring a password even on my own machine for software installations.  If anything, it becomes a gentle reminder to me that I must exercise my abilities with caution.

But that's the point: "require passwords" doesn't mean "require root password".

As sudo asks *your* password, those tools that handle wifi, printers and such should also ask the user's password, and check whether the user has permission to administer wifi, printers, and such.

We have sudo. Can't sudo be used for this? I imagine not because it's a dbus issue. But then, dbus should be extended to support sudo-like handling of permissions.

No, these days everything talks over dbus and requests permissions via policykit.

Also, installing software from configured repos is not the same, security-wise, to installing software from source or from untrusted repos.

Of course. Installing software from known repositories can also be split in two different things: - install software by name - install software by name-version-release the latter could be used to downgrade packages and make them unsecure, so it should be different usecases. ciao, Marcus -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

On Tue, May 22, 2012 at 10:27 PM, Ralf Lang wrote:

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

...

personally I think we'd better separate standard Linux server environment from single-user  home desktop environment. they're totally different....and desktop users are growing in recent years in our forums(openSUSE is almost the only usable distro for home use)

Apart from Gentoo, Ubuntu and all their derivatives, yes.

.< (lol)

...

eg: I would like YaST2 never ask me root password to install software, since it's my laptop and no one else can use it...but it'll surely be banned in a security expert's eyes, and I don't know how to adjust it for myself

Do you want this for user #1 or for any arbitrary "guest" type account? I don't want guests accounts to install software on MY system. That's why. But it should ask for your #rootable user# password, not for root password.

no. so I guess...guest account or account registration could be disabled? actually no desktop users even use Windows Guest account, forever...

...

(no flame war like Linus did, of course I defend and vote for openSUSE, but one comment in it is good for me: it's easier for security persons to enable it than grandma to disable it)

It's for grandma's pc where I want security over features. She isn't going to install software anyway. But I have to drive 200 Miles if something is broken with her "let's exchange recipes over facebook" use case just because guests or aggressive software installed obtrusive new features (or worse).

...lol. it's just someone else's comment on linus's G+...seems grandma is not a good example...everyone has enough such bad experiences.....I drive once...that is...1794 miles...just last year... I cited that to "prove" that we need different levels of security...not no security at all.

...

I hope we may/can have a package called polkit-default-home-use or something to fulfill that kind of needs....of course too hurry for 12.2, may be later

Yes, I like that. But mine would probably be different from yours.

yes. definitely... but by separating server from desktop...we can discuss out a common settings...like tweak the most hard and common parts for the users...not the as secure as one can in server environment...

- -- Ralf Lang Linux Consultant / Developer Tel.: +49-170-6381563 Mail: lang@b1-systems.de

B1 Systems GmbH Osterfeldstraße 7 / 85088 Vohburg / http://www.b1-systems.de GF: Ralph Dehner / Unternehmenssitz: Vohburg / AG: Ingolstadt,HRB 3537 -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.18 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk+7olUACgkQCs1dsHJ/X7ChAQCePoaRcIXwWoEdEMOKSXxjEARL ni4AmQFLW0KydL1UFZpZULiqnDDUePo3 =Sjz1 -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

-- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

On Tue, May 22, 2012 at 11:07 PM, Ralf Lang wrote:

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

Your quoting seems off, sorry. I try to figure where to answer.

Am 22.05.2012 17:02, schrieb Marguerite Su:

...

On Tue, May 22, 2012 at 10:27 PM, Ralf Lang wrote:

...

...

...

personally I think we'd better separate standard Linux server environment from single-user  home desktop environment. they're totally different....and desktop users are growing in recent years in our forums(openSUSE is almost the only usable distro for home use)

Apart from Gentoo, Ubuntu and all their derivatives, yes.

.< (lol)

...

...

...

eg: I would like YaST2 never ask me root password to install software, since it's my laptop and no one else can use it...but it'll surely be banned in a security expert's eyes, and I don't know how to adjust it for myself

Do you want this for user #1 or for any arbitrary "guest" type account? I don't want guests accounts to install software on MY system. That's why. But it should ask for your #rootable user# password, not for root password.

...

no. so I guess...guest account or account registration could be disabled?

...

actually no desktop users even use Windows Guest account, forever...

Wrong. It might be very uncommon outside the range of windows users I know but the typical windows notebook I see has two or three local accounts and another USED guest account. Let's talk about family computers, student computers, couple cases...

...yes. some students'/staff's computers can't even install software...actually.. family computers is a good example...but seems linux can't adjust security level per account? especially some actions requires root password....

...

...

...

...

(no flame war like Linus did, of course I defend and vote for openSUSE, but one comment in it is good for me: it's easier for security persons to enable it than grandma to disable it)

It's for grandma's pc where I want security over features. She isn't going to install software anyway. But I have to drive 200 Miles if something is broken with her "let's exchange recipes over facebook" use case just because guests or aggressive software installed obtrusive new features (or worse).

...

...lol. it's just someone else's comment on linus's G+...seems grandma is not a good example...everyone has enough such bad experiences.....I drive once...that is...1794 miles...just last year...

I don't care who said it. The case remains the same. Let's talk about cases, not about Linus or you personally. I'd rather have too much security for grandma than too many features.

...

...

I cited that to "prove" that we need different levels of security...not no security at all.

Let's have a yast module and an install option, not some mysterious rpm.

totally agreed.

- -- Ralf Lang Linux Consultant / Developer Tel.: +49-170-6381563 Mail: lang@b1-systems.de

B1 Systems GmbH Osterfeldstraße 7 / 85088 Vohburg / http://www.b1-systems.de GF: Ralph Dehner / Unternehmenssitz: Vohburg / AG: Ingolstadt,HRB 3537 -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.18 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk+7q7sACgkQCs1dsHJ/X7CtQQCgiCu7lxkvwgZb+WxZBqoVmQfa Vt8AoIPjagd9JkTa6/yAcgtI3FPQlyKO =5+1r -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

-- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 2012-05-22 17:07, Ralf Lang wrote:

Let's have a yast module and an install option, not some mysterious rpm.

Which is similar to my proposal. I like this one. - -- Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk+74R0ACgkQIvFNjefEBxpLwgCdH0v8wbTQjyJBJc2BucFA0K7g EHMAoKsCEIJh/5npAIgNYipBkHqp4cW5 =NwIL -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

On Wed, May 23, 2012 at 6:05 PM, Johannes Meixner wrote:

Hello,

On May 22 21:40 Marguerite Su wrote (excerpt):

...

I would like YaST2 never ask me root password to install software, since it's my laptop

Can you provide some background information why you like to have this.

I wonder when it is your own laptop did you perhaps install openSUSE on it and if yes, then you would know the root password and could provide it to YaST.

oh, yes, I have root password. and I could provide it to YaST. but: http://forums.opensuse.org/english/get-technical-help-here/applications/4728... see this page. last few comments. kdesu has a design fault. for some thinkpad users like me, it doesn't notice you that you need to swipe your finger to give root permission. (you can't just input root password and click okay) so many users just wait the finger session expires and actually I don't know exactly when I should swipe my finger. that's a lot of time wasted. so everytime it reminds me if I can install software without password, just like launching software....it sounds good and smooth. to gain that experience I would like to expose myself outside (actually not possible behind I have a router in my home network) but as I said, it'll surely be banned in the name of security. that's why I said we may need another set of security settings. although it may varies among users, but still need some kind of such mechanism apart from as secure as one can. so in my case, the situation is: I have passwords, but I don't want to give it every time. but it's not common case. so let's continue others discussed like "which ones we could give to users, which ones not" instead of "should give or not". hope it helps marguerite

Kind Regards Johannes Meixner -- SUSE LINUX Products GmbH -- Maxfeldstrasse 5 -- 90409 Nuernberg -- Germany HRB 16746 (AG Nuernberg) GF: Jeff Hawn, Jennifer Guild, Felix Imendoerffer -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

-- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

On 05/22/2012 02:53 PM, Carlos E. R. wrote:

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

On 2012-05-22 19:52, Robert Schweikert wrote:

...

I could imagine something like the attached sketch should suffice.

One detail. A plain user in Linux can adjust his time zone. Any user can do that, and has always been so, by design. It is gnome 3 which has broken this rule, by using the same dialog to change time _and_ time zone simultaneously. Changing the time has always required root password.

It is a bug in gonme 3. Take the "adjust time zone" out of your sketch, please.

Following this thread and reading this response I must wonder if anyone has looked at the wiki page. -- Robert Schweikert MAY THE SOURCE BE WITH YOU SUSE-IBM Software Integration Center LINUX Tech Lead rjschwei@suse.com rschweik@ca.ibm.com 781-464-8147 -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

On Tuesday, May 22, 2012 19:52:33 Robert Schweikert wrote:

On 05/22/2012 08:48 AM, Andreas Jaeger wrote:

...

I just put the following on my blog as well (http://jaegerandi.blogspot.de)

...

and look forward to your help defining a better policy: [snip]

...

Call for action: Review and discuss http://en.opensuse.org/openSUSE:Security_use_cases using the following questions: * Are there any use cases missing?

IMHO the list appears pretty complete.

Maybe "Insert CD/DVD" for music/movie playing use case could be added to the page. But this is handled automatically by the DEs thus it may be mentioned for "completeness" or just be left off the list.

Go ahead and add it to the wiki, please.

...

* Is there any thing missing in the specific use cases?

I think we could have a "severity" rating for the "system wide action" assessments. For example "adding a repo" has a high severity value, lets say 5 (scale 0 - 5) while "updating installed packages from trusted repo" would have a low severity rating, maybe 1. This might provide a guideline to help us decide whether we want the root password or not.

...

* How can we solve these use cases so that a system is easy to setup

for the most common usage scenarios?

I think we could have a "simple" YaST dialog that lets the sysadmin configure settings to her/his needs/liking. I could imagine something like the attached sketch should suffice.

This is flexible, easily expandable, and implementation shouldn't be too terribly time consuming. The underlying assumption is that all processes affected support policy kit. The result is that the dialog simply writes out policy kit rules.

Yes, something like that should work for the IMO 10% of esoteric use case. The question remains: How to setup the system by default? What questions should be asked? Andreas -- Andreas Jaeger aj@{suse.com,opensuse.org} Twitter/Identica: jaegerandi SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany GF: Jeff Hawn,Jennifer Guild,Felix Imendörffer,HRB16746 (AG Nürnberg) GPG fingerprint = 93A3 365E CE47 B889 DF7F FED1 389A 563C C272 A126 -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

On 05/23/2012 08:29 AM, Andreas Jaeger wrote:

On Tuesday, May 22, 2012 19:52:33 Robert Schweikert wrote:

...

On 05/22/2012 08:48 AM, Andreas Jaeger wrote:

...

I just put the following on my blog as well (http://jaegerandi.blogspot.de)

...

and look forward to your help defining a better policy: [snip]

...

Call for action: Review and discuss http://en.opensuse.org/openSUSE:Security_use_cases using the following questions: * Are there any use cases missing?

IMHO the list appears pretty complete.

Maybe "Insert CD/DVD" for music/movie playing use case could be added to the page. But this is handled automatically by the DEs thus it may be mentioned for "completeness" or just be left off the list.

Go ahead and add it to the wiki, please.

Done

...

...

* Is there any thing missing in the specific use cases?

I think we could have a "severity" rating for the "system wide action" assessments. For example "adding a repo" has a high severity value, lets say 5 (scale 0 - 5) while "updating installed packages from trusted repo" would have a low severity rating, maybe 1. This might provide a guideline to help us decide whether we want the root password or not.

...

* How can we solve these use cases so that a system is easy to setup

for the most common usage scenarios?

I think we could have a "simple" YaST dialog that lets the sysadmin configure settings to her/his needs/liking. I could imagine something like the attached sketch should suffice.

This is flexible, easily expandable, and implementation shouldn't be too terribly time consuming. The underlying assumption is that all processes affected support policy kit. The result is that the dialog simply writes out policy kit rules.

Yes, something like that should work for the IMO 10% of esoteric use case.

The question remains: How to setup the system by default?

I am not certain we need to change the defaults (other than the really obvious network thingy ;) ). I think we need to provide the administrator of the system with an easy way to hand out permissions on a per system per user basis as she/he sees fit and feels comfortable with.

What questions should be asked?

None, that's the idea behind the point and click approach of the dialog. If we ask general questions such as "is this is single user laptop" and we shape our setting based on answers to these types of questions we will get it "wrong". People are not going to like our decisions and will moan/groan/complain. Having a dialog where we can simply add a new entry if we missed something should be relatively straight forward. It also provides admins the opportunity to set things up as they see fit in a rather obvious way, rather han having to figure out "what does openSUSE doe when I answer yes to question X". The new dialog could be shown at the end of the configuration process during the install, and can be accessed from YaST any time. Later, Robert -- Robert Schweikert MAY THE SOURCE BE WITH YOU SUSE-IBM Software Integration Center LINUX Tech Lead rjschwei@suse.com rschweik@ca.ibm.com 781-464-8147 -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

On Tue, May 22, 2012 at 08:42:27PM +0200, Sven Burmeister wrote:

Am Dienstag, 22. Mai 2012, 14:48:12 schrieb Andreas Jaeger:

...

Call for action: Review and discuss http://en.opensuse.org/openSUSE:Security_use_cases using the following questions: * Are there any use cases missing?

Users who buy an external hard drive/usb stick which is pre-formatted with e.g. fat32 but they want to format/re-partition it to fit their Linux needs.

Currently they need root privileges, have to know how to open YaST, which module to use for formatting and after that they have to know that they still cannot use it because the disk belongs to root and one would have to change the file permissions. Yet changing the file permissions is not part of the formatting tool…

With other OSs making an external hard drive usable is a lot easier.

How often would this usecase happen do you think? Are these just us geeks doing the fs switch to UNIX filesystems? Ciao, Marcus -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

Am 23.05.2012 15:24, schrieb Marcus Meissner:

On Tue, May 22, 2012 at 08:42:27PM +0200, Sven Burmeister wrote:

...

Users who buy an external hard drive/usb stick which is pre-formatted with e.g. fat32 but they want to format/re-partition it to fit their Linux needs.

Currently they need root privileges, have to know how to open YaST, which module to use for formatting and after that they have to know that they still cannot use it because the disk belongs to root and one would have to change the file permissions. Yet changing the file permissions is not part of the formatting tool…

With other OSs making an external hard drive usable is a lot easier.

How often would this usecase happen do you think?

Are these just us geeks doing the fs switch to UNIX filesystems?

I often reformat external media to fat32 or ntfs. It is not only for switching to UNIX fs. -- Stefan Seyfried "Dispatch war rocket Ajax to bring back his body!" -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 2012-05-23 19:03, Mariusz Fik wrote:

Dnia środa, 23 maja 2012 17:00:07 Stefan Seyfried pisze:

...

I often reformat external media to fat32 or ntfs. It is not only for switching to UNIX fs.

After copying openSUSE iso to pendrive and after install, we need to "recover" pendrive. So creating fs on external drivers (at least pendrives) should be done without root privileges.

Well, you needed to be root to create the pendrive and use it and install it, so why not to erase it? - -- Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk+9MeYACgkQIvFNjefEBxqZKACgisOsXc94uvtPqFqBom3fIxvd HVUAnRVfu0Di4edc8fmCkhIGnPwdCvZh =tOBC -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 2012-05-23 23:08, Mariusz Fik wrote:

Dnia środa, 23 maja 2012 20:52:22 Carlos E. R. pisze:

...

Well, you needed to be root to create the pendrive and use it and install it, so why not to erase it?

Is it really necessary to obtain root access to put iso → pendrive?

Yes, you need to use "dd if=file of=/dev/something". If you use something else, you still need writing to the device. However, in Windows I think you might be able to do it, I don't remember. - -- Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk+9nP4ACgkQIvFNjefEBxpSTACfWxI0/VzKSQ48tKN64ixkP69D VdwAnjeGyBNl7RJ/DaojeTK3SGVWsYL6 =5pmd -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

On 05/24/2012 03:56 AM, Andreas Jaeger wrote:

On Thursday, May 24, 2012 04:29:18 Carlos E. R. wrote:

...

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

On 2012-05-23 23:08, Mariusz Fik wrote:

...

Dnia środa, 23 maja 2012 20:52:22 Carlos E. R. pisze:

...

Well, you needed to be root to create the pendrive and use it and install it, so why not to erase it?

Is it really necessary to obtain root access to put iso → pendrive?

Yes, you need to use "dd if=file of=/dev/something". If you use something else, you still need writing to the device. However, in Windows I think you might be able to do it, I don't remember.

Let's add it to the list in the wiki, it's a good use case. Could somebody do so, please?

Added

Andreas

-- Robert Schweikert MAY THE SOURCE BE WITH YOU SUSE-IBM Software Integration Center LINUX Tech Lead rjschwei@suse.com rschweik@ca.ibm.com 781-464-8147 -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

Am 24.05.2012 04:48, schrieb Greg Freemyer:

I know windows admins at a minimum reformat external media routinely.

I also do this, even with Unix fs. Reasons: * external media often gets surprise-removed. Journaling fs might be fine, but I'd not bet that the file system does not start to "bit-rot". I have definitely seen this with reiserfs in the past. * "rm -rf /media/foo/*" is often much slower than "mkfs.xfs /dev/sdb1" so if I'm going to erase everything anyway, I can also mkfs. * file system block allocation patterns might degrade over time. Doing mkfs really starts from scratch * depending on what was on the disk, I need to dd /dev/urandom onto it, so a mkfs is needed afterwards. ...but that's surely offtopic now, so let's stop it here :-) (yes, i know that urandom -> disk is not enough in general, but it is usually enough for my use cases) Best regards, Stefan -- Stefan Seyfried "Dispatch war rocket Ajax to bring back his body!" -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 2012-05-24 04:48, Greg Freemyer wrote:

I know windows admins at a minimum reformat external media routinely.

Because it is faster and also kills viruses. Plus it can also include media checking, in which case it is much slower. - -- Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk+98EoACgkQIvFNjefEBxoOogCgjZAdgGBQTWSpMxBJbdKE9dpI TcgAoLMeoE6RmFv+zR+d7IGEU15x4NcA =uWsY -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

Am 23.05.2012 23:52, schrieb Joachim Schrod:

Therefore: I see the need for the functionality, but I don't see how it should be presented to non-geek end users.

There is a disk utility for GNOME whose name I forgot (it was exceptionally silly because it has nothing to do with disks or formatting or anything that one would connect with this task) which got this nicely done. IIRC it does present the available disks. It has a button for "format", then asks how to format it. *And it explains the selections in a non-geek comprehensible way*. Apart from the name, it is very nicely done. -- Stefan Seyfried "Dispatch war rocket Ajax to bring back his body!" -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

palimpsest if you call it from the command line, Disks if you call it from the menu :-) there is something for kde too... quick-usbdisk-formatter http://kde-apps.org/content/show.php/?content=137493

Alin -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

On Wednesday, May 23, 2012 01:16:29 Claudio Freire wrote:

On Tue, May 22, 2012 at 9:48 AM, Andreas Jaeger wrote:

...

* Are there any use cases missing? * Is there any thing missing in the specific use cases?

From personal experience, handling of external storage[0] in multiuser (and I mean multiple concurrent sessions) desktops is very poorly handled.

It's probably more a bug than anything else, but I thought I'd mention since the wiki shows it as "OK" when it still could use some love.

What exactly is the problem? Please describe in more detail.

GPU for calculation, for another item, is a very tricky business. GPU threading is very coarse, especially on not-so-high-end hardware, so while ACL management and all that is possible, isolation between GPU-enabled users would not be so easy. User with access to the GPU would be able to deny use of the resource to other users simply by running misbehaving code without any extra privileges.

Exactly, GPU-enablement can only be for one user at a time.

It's also quite easy to leak out sensitive information (ie: even passwords) by inspecting uninitialized video memory, since drivers tend not to clear buffers on (de)allocation, so previous video content is easily visible in newly created buffers. This would be a serious security issue if *any* user were to be given access to the GPU in concurrency with any other user.

Network access, also, needs some consideration for VPNs, which are rather common both in single-user laptops and enterprise environments.

I consider that handled via NetworkManager for the single-user laptop, Andreas -- Andreas Jaeger aj@{suse.com,opensuse.org} Twitter/Identica: jaegerandi SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany GF: Jeff Hawn,Jennifer Guild,Felix Imendörffer,HRB16746 (AG Nürnberg) GPG fingerprint = 93A3 365E CE47 B889 DF7F FED1 389A 563C C272 A126 -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

Claudio Freire wrote:

On Wed, May 23, 2012 at 4:05 AM, Andreas Jaeger wrote:

...

On Wednesday, May 23, 2012 01:16:29 Claudio Freire wrote:

...

From personal experience, handling of external storage[0] in multiuser (and I mean multiple concurrent sessions) desktops is very poorly handled.

It's probably more a bug than anything else, but I thought I'd mention since the wiki shows it as "OK" when it still could use some love.

What exactly is the problem? Please describe in more detail.

From memory: * when an USB drive is inserted into a multi-session desktop, a popup will appear for all users. It should only appear to the active user - though I'm not sure there's an easy fix for that.

And it is even possible to have multiple active users .... (multi-seat machine). -- Per Jessen, Zürich (16.2°C) -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

On Wednesday, May 23, 2012 14:42:18 Claudio Freire wrote:

On Wed, May 23, 2012 at 4:05 AM, Andreas Jaeger wrote:

...

On Wednesday, May 23, 2012 01:16:29 Claudio Freire wrote:

...

From personal experience, handling of external storage[0] in multiuser (and I mean multiple concurrent sessions) desktops is very poorly handled.

It's probably more a bug than anything else, but I thought I'd mention since the wiki shows it as "OK" when it still could use some love.> What exactly is the problem? Please describe in more detail.

From memory: * when an USB drive is inserted into a multi-session desktop, a popup will appear for all users. It should only appear to the active user - though I'm not sure there's an easy fix for that. * when a user mounts a drive, other users may be able to read that drive, but not write or unmount it. It's not *wrong* per-se, but it confounds and annoys newbies a great deal. * when a user logs out without unmounting the drive, it remains permanently mounted. Other users cannot unmount it, except with root privileges from the cli. Again, not-for-newbies(tm).

I see - the multiseat setup is something we didn't have in mind when discussing. Could you enhance the wiki page a bit for that, please?

...

...

It's also quite easy to leak out sensitive information (ie: even passwords) by inspecting uninitialized video memory, since drivers tend not to clear buffers on (de)allocation, so previous video content is easily visible in newly created buffers. This would be a serious security issue if *any* user were to be given access to the GPU in concurrency with any other user.

Network access, also, needs some consideration for VPNs, which are rather common both in single-user laptops and enterprise environments.> I consider that handled via NetworkManager for the single-user laptop, I'm assuming the comment applies to VPNs and not GPU leaks?

Yes, correct. I'm only talking about VPNs

I never succeeded in creating VPNs with NM. I haven't tried the latest NM versions though, it might have improved. I've sticked to vpnc-(dis)connect for a while now. Last time I tried, IIRC, it failed to create any kind of VPN without root access (whereas it works fine for wifi without root access), and the VPNs it created didn't actually work.

It worked fine for me last time I tried with openvpn but I don't remember whether I needed the root password or not, Andreas -- Andreas Jaeger aj@{suse.com,opensuse.org} Twitter/Identica: jaegerandi SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany GF: Jeff Hawn,Jennifer Guild,Felix Imendörffer,HRB16746 (AG Nürnberg) GPG fingerprint = 93A3 365E CE47 B889 DF7F FED1 389A 563C C272 A126 -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

On Wednesday, May 23, 2012 14:14:36 Stefan Quandt wrote:

Am Dienstag, 22. Mai 2012, 14:48:12 schrieb Andreas Jaeger:

...

Call for action: Review and discuss http://en.opensuse.org/openSUSE:Security_use_cases using the following questions: * Are there any use cases missing?

Canceling print jobs.

For my experience from the last years, If a normal users tries that, he will be asked for an administrative account plus password. The fix is easy but not obvious (not feasible for average user): one has to add something like 'cups' or 'printer' to each users groups settings.

Since printing in general tends to show unexpected results for different reasons (e.g printer options learning curve, driver prefers to use color cartridges for b/w text documents, printer prints only garbage after 1st page because of broken cups backend chain), it would be very helpful if killing print jobs would work out of the box for every user.

Strange, in my environment I can cancel my own printjobs... This should indeed work. Andreas -- Andreas Jaeger aj@{suse.com,opensuse.org} Twitter/Identica: jaegerandi SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany GF: Jeff Hawn,Jennifer Guild,Felix Imendörffer,HRB16746 (AG Nürnberg) GPG fingerprint = 93A3 365E CE47 B889 DF7F FED1 389A 563C C272 A126 -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

Hello, On May 23 14:14 Stefan Quandt wrote (excerpt):

...

* Are there any use cases missing? Canceling print jobs.

By default a user can cancel his own print jobs on his local host according to the CUPS "default" policy in /etc/cups/cupsd.conf but even more: Only FYI (of course not obvious for average users): normal_user@host $ cancel -U root queue_name-job_number See "man cancel": ------------------------------------------------------------------------ -U username Specifies the username to use when connecting to the server. ... -u username Cancels jobs owned by username. NOTES Administrators wishing to prevent unauthorized cancellation of jobs via the -u option should require authentication for Cancel-Jobs operations in cupsd.conf(5). ------------------------------------------------------------------------ Background information: As long as the IPP communication with the cupsd happens without authentication of the user name, any user can set an arbitrary user name for the IPP communication. But if the IPP communication with the cupsd requires authentication, any user must authenticate first of all which is less user-friendly but that is the only way if you cannot trust your users. Kind Regards Johannes Meixner -- SUSE LINUX Products GmbH -- Maxfeldstrasse 5 -- 90409 Nuernberg -- Germany HRB 16746 (AG Nuernberg) GF: Jeff Hawn, Jennifer Guild, Felix Imendoerffer -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

Hello, On May 23 16:02 Stefan Quandt wrote (excerpt):

...

Only FYI (of course not obvious for average users):

normal_user@host $ cancel -U root queue_name-job_number I can confim that canceling via command line as 'root' indeed just works (on localhost, without password).

But trying to cancel using the cups browser frontend (via "http://localhost:631/jobs?") I'm prompted for a username _and_ password.

There is a basic difference between command line tools and a web frontend how both can deal with user names. Off the top of my head I don't know the details but as far as I remember it is basically that a web frontend cannot know a user name (because your browser doesn't tell a web server which user runs your browser) - in contrast a command line tool knows which user it runs - so that a web frontend must ask for a user name. There are several reports/discussions/explanations on the CUPS forums (e.g. the CUPS mailing list) regarding this kind of issue. Perhaps there might be an issue that you are prompted for username and password because without authentication it would be sufficient if the CUPS web frontend only prompts for a username - but I am not an expert regarding HTTP authentication stuff. Kind Regards Johannes Meixner -- SUSE LINUX Products GmbH -- Maxfeldstrasse 5 -- 90409 Nuernberg -- Germany HRB 16746 (AG Nuernberg) GF: Jeff Hawn, Jennifer Guild, Felix Imendoerffer -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 2012-05-23 15:09, Vincent Untz wrote:

Le mercredi 23 mai 2012, à 15:01 +0200, Carlos E. R. a écrit :

You realize this was working with polkit, right? We had this properly configured to not require authentication, after considering the security implication. That means we did the work Andreas is pushing here, but only for the timezone use case.

Didn't know polkit was involved, as time zone change is something that can be done on the CLI as plain user.

(The fact that it doesn't work in GNOME 3 is really just a bug, see patch at https://bugzilla.gnome.org/show_bug.cgi?id=646185)

Yes, I know it is a bug. - -- Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk+9MZ4ACgkQIvFNjefEBxo/ZQCgjn48m0M7bMYVRu2g8PDH2Ubu KxsAoIAPU62b7YSyY9CJVtjuYOoXFt2k =v4F9 -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

Le jeudi 24 mai 2012, à 10:01 +0200, Andreas Jaeger a écrit :

On Wednesday, May 23, 2012 15:09:11 Vincent Untz wrote:

...

Le mercredi 23 mai 2012, à 15:01 +0200, Carlos E. R. a écrit :

...

On Tuesday, 2012-05-22 at 14:48 +0200, Andreas Jaeger wrote:

...

We've collected a couple of use cases for the administration of a local system at: http://en.opensuse.org/openSUSE:Security_use_cases

For each use case we added a short security evaluation but in most cases don't give a recommendation on what to do.

I see that timezone is mentioned there, and an ellaborate solution described. However, in gnome 2 (I'm using 11.4) changing the timezone is just a single click on the clock. A SINGLE CLICK! I just change location (once several locations are defined) and done.

You realize this was working with polkit, right? We had this properly configured to not require authentication, after considering the security implication. That means we did the work Andreas is pushing here, but only for the timezone use case.

(The fact that it doesn't work in GNOME 3 is really just a bug, see patch at https://bugzilla.gnome.org/show_bug.cgi?id=646185)

And a still unfixed bug. Is this fixed for openSUSE 12.2?

Sorry, forgot to reply. Not yet fixed, but we should take my patch. Will do it. Vincent -- Les gens heureux ne sont pas pressés. -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

Onsdag den 23. maj 2012 17:20:24 Martin Schlander skrev:

Tirsdag den 22. maj 2012 14:48:12 Andreas Jaeger skrev:

...

Administrating a system in a secure way is always balancing the needs and requests of security, convenience and usability.

We've collected a couple of use cases for the administration of a local system at: http://en.opensuse.org/openSUSE:Security_use_cases

* Are there any use cases missing? * How can we solve these use cases so that a system is easy to setup

for the most common usage scenarios?

I think there are a number of firewall related issues of security vs. convenience. These don't directly have anything to do with permissions of course, e.g.:

1) The user wants to browse samba shares, but it's not worky unless he turns off the firewall or manually allows some services first (at least I *think* that works now).

2) The user can't figure out why he can't connect to sshd running on an openSUSE system, cuz "with Ubuntu it just works" (... cuz everything is open by default)

Don't really have any good suggestions how to solve these issues, but they're definitely costing us users and maybe someone else does. Maybe it would be possible for the firewall to provide some user feedback when it blocks stuff, they're trying to do.

Oh, I almost forgot one of our main issues of (data) security vs. convenience. The highly restrictive default permissions on NTFS, preventing normal users from writing to NTFS. People really hate us for that one. -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

Torsdag den 24. maj 2012 10:03:00 Andreas Jaeger skrev:

On Wednesday, May 23, 2012 17:23:38 Martin Schlander wrote:

...

Onsdag den 23. maj 2012 17:20:24 Martin Schlander skrev: Oh, I almost forgot one of our main issues of (data) security vs. convenience. The highly restrictive default permissions on NTFS, preventing normal users from writing to NTFS. People really hate us for that one.

Let's revisit this one - could you add a use case to the wiki page, please?

Done. http://en.opensuse.org/openSUSE:Security_use_cases#Writing_to_NTFS -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org