[opensuse-factory] Security or Convenience? Defining a better policy
I just put the following on my blog as well (http://jaegerandi.blogspot.de) and look forward to your help defining a better policy:
The openSUSE security concepts have been changed gradually over the years with new tools like PolicyKit, PolKit and its usage in system tools.
It's time now to step back, and review what we have and want.
Marcus and Ludwig from the SUSE security team and myself have discussed over the last weeks a bit and like to open this to a broader round now to get your help defining what needs to be done.
= Challenges we face =
Administrating a system in a secure way is always balancing the needs and requests of security, convenience and usability. There's also the additional challenge that upstream projects often have a different view on either of these and therefore make different decisions and influencing upstream projects is quite often a difficult task.
= Background =
Linus Torvalds in his Google+ rant (https://plus.google.com/u/0/102150693225130002912/posts/1vyfmNCYpi5)
"I first spent weeks arguing on a bugzilla that the security policy of requiring the root password for changing the timezone and adding a new wireless network was moronic and wrong.
I think the wireless network thing finally did get fixed, but the timezone never did - it still asks for the admin password.
And today Daniela calls me from school, because she can't add the school printer without the admin password.
... So here's a plea: if you have anything to do with security in a distro, and think that my kids (replace "my kids" with "sales people on the road" if you think your main customers are businesses) need to have the root password to access some wireless network, or to be able to print out a paper, or to change the date-and-time settings, ..."
= How to continue? =
We've collected a couple of use cases for the administration of a local system at: http://en.opensuse.org/openSUSE:Security_use_cases
For each use case we added a short security evaluation but in most cases don't give a recommendation on what to do.
Call for action: Review and discuss http://en.opensuse.org/openSUSE:Security_use_cases using the following questions:
* Are there any use cases missing?
* Is there anything missing in the specific use cases?
* How can we solve these use cases so that a system is easy to setup for the most common usage scenarios?
Let's do the discussion on the opensuse-factory mailing list, I'll update the document with any improvements. Feel free to enhance it as well.
Andreas
--
Andreas Jaeger aj@{suse.com,opensuse.org} Twitter/Identica: jaegerandi
SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany
GF: Jeff Hawn,Jennifer Guild,Felix Imendörffer,HRB16746 (AG Nürnberg)
GPG fingerprint = 93A3 365E CE47 B889 DF7F FED1 389A 563C C272 A126
--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On Tue, May 22, 2012 at 8:48 PM, Andreas Jaeger
Hi, Andreas,
personally I think we'd better separate standard Linux server environment from single-user home desktop environment. they're totally different....and desktop users are growing in recent years in our forums(openSUSE is almost the only usable distro for home use)
eg: I would like YaST2 never ask me root password to install software, since it's my laptop and no one else can use it...but it'll surely be banned in a security expert's eyes, and I don't know how to adjust it for myself
(no flame war like Linus did, of course I defend and vote for openSUSE, but one comment in it is good for me: it's easier for security persons to enable it than grandma to disable it)
so mix them up may generate no balanced results and may trigger another flame war in our forums...
I hope we may/can have a package called polkit-default-home-use or something to fulfill that kind of needs....of course too hurry for 12.2, may be later
Greetings
Marguerite
On Tuesday, May 22, 2012 15:40:44 Marguerite Su wrote:
> Hi, Andreas,
> personally I think we'd better separate standard Linux server environment from single-user home desktop environment. they're totally different....and desktop users are growing in recent years in our forums(openSUSE is almost the only usable distro for home use)
But what should be the default - and what other options should we have? For openSUSE, the main usage scenario is desktop. But I hear we have many single user machines but also those with a separate admin...
Andreas
On 2012-05-22 15:47, Andreas Jaeger wrote:
> But what should be the default - and what other options should we have?
The install should put a window early, asking questions about what the machine is going to be used for. Corporate use, home, laptop, desktop, secured, allow user to configure things or not...
--
Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar)
On Tue, 2012-05-22 at 15:59 +0200, Carlos E. R. wrote:
> On 2012-05-22 15:47, Andreas Jaeger wrote:
> > But what should be the default - and what other options should we have?
> The install should put a window early, asking questions about what the machine is going to be used for. Corporate use, home, laptop, desktop, secured, allow user to configure things or not...
That would be nice, although I wonder if that really complicates things for development of the release. I guess that's something for someone else to comment on. In any case, if such features existed, there has to be an accompanied detailed documentation that explains what each level implies as well as how to change to a different level or specific settings within each level. Otherwise, without that extensive documentation, I don't think implementing levels is a good idea if no one understands what it means at each level.
Bryen M Yunashko
On 2012-05-22 16:04, Bryen M Yunashko wrote:
> Otherwise, without that extensive documentation, I don't think implementing levels is a good idea if no one understands what it means at each level.
It doesn't need to be levels, it can be choices. For example, for a laptop you would install things like laptop-tools. For corporate use, perhaps security can be hardened. Or, ask directly if printers can be installed by user (tick), wifi connected by user (tick), etc. What should not be done is choose one selection from "up".
--
Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar)
On Tuesday, May 22, 2012 15:59:39 Carlos E. R. wrote:
> On 2012-05-22 15:47, Andreas Jaeger wrote:
> > But what should be the default - and what other options should we have?
> The install should put a window early, asking questions about what the machine is going to be used for. Corporate use, home, laptop, desktop, secured, allow user to configure things or not...
Please flesh out the proposal and if you're happy with it, present it. My tries didn't make me happy, so I would rather see somebody else's proposal ;)
Andreas
On Tue, May 22, 2012 at 9:47 PM, Andreas Jaeger
> On Tuesday, May 22, 2012 15:40:44 Marguerite Su wrote:
> > Hi, Andreas,
> > personally I think we'd better separate standard Linux server environment from single-user home desktop environment. they're totally different....and desktop users are growing in recent years in our forums(openSUSE is almost the only usable distro for home use)
> But what should be the default - and what other options should we have?
> For openSUSE, the main usage scenario is desktop. But I hear we have many single user machines but also those with a separate admin...
of course standard linux server environment...we're in linux world, aha... home users can install that package to fulfill his needs and take the risks himself. (like installing non-oss packages, there'll be a pop-up warning) at least at that time we have a standard way for such needs...nowadays those non-security experts have to tweak one by one...really hard and may break the whole system...
marguerite
On Tuesday, 22 May 2012, 15:47:10 Andreas Jaeger wrote:
> But what should be the default - and what other options should we have?
> For openSUSE, the main usage scenario is desktop. But I hear we have many single user machines but also those with a separate admin...
If there is an admin that admin will (given the tool) do his job and configure security to the use case's needs. Hence I would not worry about any scenario where an admin is present but rather about the administrability of the security for both, users as well as admins. That includes desktop-lockdown via kiosk-systems or to be more precise tools to do so easily.
Sven
On Tue, 2012-05-22 at 21:40 +0800, Marguerite Su wrote:
> Hi, Andreas,
> personally I think we'd better separate standard Linux server environment from single-user home desktop environment. they're totally different....and desktop users are growing in recent years in our forums(openSUSE is almost the only usable distro for home use)
I think this is easier said than done. While we have evidence that there are a lot of single-user desktop machines, it is less clear how many of them still use server functionality in the background. And a number of people *do* do this for testing purposes, or a makeshift home server, etc. So the challenge, if we wanted to address different usages, would be to create security levels for 1) Servers, 2) Mixed Server/Desktop and 3) Desktop for Single users (I guess a 4th one for multi-user desktop.)
> eg: I would like YaST2 never ask me root password to install software, since it's my laptop and no one else can use it...but it'll surely be banned in a security expert's eyes, and I don't know how to adjust it for myself
I agree that some basic functionalities shouldn't require passwords. Obvious are adding wifi networks or printer connections. However, I still greatly appreciate requiring a password even on my own machine for software installations. If anything, it becomes a gentle reminder to me that I must exercise my abilities with caution. Also, unpassworded-software installation, in my opinion, exposes us to greater risks. Some malware out there can do a background installation without your awareness, and without password protection, we've made it much easier for those miscreants. The moment we remove this level of protection, we increase the invitation for malware creators to target openSUSE installations.
> (no flame war like Linus did, of course I defend and vote for openSUSE, but one comment in it is good for me: it's easier for security persons to enable it than grandma to disable it)
This poses another question. Did grandma install openSUSE herself or did someone else do it for her? Both scenarios have different security implications. (Think in terms of "a little knowledge can be a dangerous thing.") :-)
Bryen M Yunashko
On Tue, May 22, 2012 at 10:00 PM, Bryen M Yunashko
> On Tue, 2012-05-22 at 21:40 +0800, Marguerite Su wrote:
> > Hi, Andreas,
> > personally I think we'd better separate standard Linux server environment from single-user home desktop environment. they're totally different....and desktop users are growing in recent years in our forums(openSUSE is almost the only usable distro for home use)
> I think this is easier said than done. While we have evidence that there are a lot of single-user desktop machines, it is less clear how many of them still use server functionality in the background. And a number of people *do* do this for testing purposes, or a makeshift home server, etc.
> So the challenge, if we wanted to address different usages, would be to create security levels for 1) Servers, 2) Mixed Server/Desktop and 3) Desktop for Single users (I guess a 4th one for multi-user desktop.)
yes...easier said than done.
actually we forum moderators discussed such topic before in openSUSE forums' hidden moderator area...and no results. (we're digging linus at that time)
evidence shows a lot of users use openSUSE as home server.
but even home server is different from standard server environment. someone just use its old but big hard disks to store blue-ray movies, but others use it as a mail server...too hard to tell.
but one thing in common, if he defines his openSUSE as a "server", even a little bit, then the standard server environment should be what he needs...because he must know only a sys-admin can operate a server with full permission...and he must be ready to acquire such knowledge to "tweak". if not, it means he is explored to attacks under his own will.
> > eg: I would like YaST2 never ask me root password to install software, since it's my laptop and no one else can use it...but it'll surely be banned in a security expert's eyes, and I don't know how to adjust it for myself
> I agree that some basic functionalities shouldn't require passwords. Obvious are adding wifi networks or printer connections. However, I still greatly appreciate requiring a password even on my own machine for software installations. If anything, it becomes a gentle reminder to me that I must exercise my abilities with caution.
> Also, unpassworded-software installation, in my opinion, exposes us to greater risks. Some malware out there can do a background installation without your awareness, and without password protection, we've made it much easier for those miscreants. The moment we remove this level of protection, we increase the invitation for malware creators to target openSUSE installations.
yes. it's just an extreme example...
actually the most famous openSUSE 12.1 tweak is "do not ask root password but use it when connecting to new wifi"...not root password to install software.
and linux malware is so few...take such risks to have a "less-annoying" OS might be normal users want...but I don't know.
and one thing to mention is that we have automatic updates...most of the backdoors are fixed in such updates...
> > (no flame war like Linus did, of course I defend and vote for openSUSE, but one comment in it is good for me: it's easier for security persons to enable it than grandma to disable it)
> This poses another question. Did grandma install openSUSE herself or did someone else do it for her? Both scenarios have different security implications. (Think in terms of "a little knowledge can be a dangerous thing.") :-)
oh I've heard an example before. the example of Mr oldcpu.
he lives in Germany, his mama lives in Canada, he went back home 4 years a time.
so his mama is using openSUSE 11.3 which receives no updates for now.
so it means no matter how secure a system is for now...it'll not as secure later.
and no matter how many tweaks a help hand did, one day you have to do it yourself or explore yourself to outside attack.
that's why I have the idea to have different level "tweak" package(s) to make that work easy.
marguerite
On Tue, 2012-05-22 at 22:34 +0800, Marguerite Su wrote:
> On Tue, May 22, 2012 at 10:00 PM, Bryen M Yunashko wrote:
> > On Tue, 2012-05-22 at 21:40 +0800, Marguerite Su wrote:
> > > Hi, Andreas,
> > > personally I think we'd better separate standard Linux server environment from single-user home desktop environment. they're totally different....and desktop users are growing in recent years in our forums(openSUSE is almost the only usable distro for home use)
> > I think this is easier said than done. While we have evidence that there are a lot of single-user desktop machines, it is less clear how many of them still use server functionality in the background. And a number of people *do* do this for testing purposes, or a makeshift home server, etc.
> > So the challenge, if we wanted to address different usages, would be to create security levels for 1) Servers, 2) Mixed Server/Desktop and 3) Desktop for Single users (I guess a 4th one for multi-user desktop.)
> yes...easier said than done.
> actually we forum moderators discussed such topic before in openSUSE forums' hidden moderator area...and no results. (we're digging linus at that time)
> evidence shows a lot of users use openSUSE as home server.
> but even home server is different from standard server environment. someone just use its old but big hard disks to store blue-ray movies, but others use it as a mail server...too hard to tell.
> but one thing in common, if he defines his openSUSE as a "server", even a little bit, then the standard server environment should be what he needs...because he must know only a sys-admin can operate a server with full permission...and he must be ready to acquire such knowledge to "tweak". if not, it means he is explored to attacks under his own will.
But we're still thinking in terms of "at installation time." I can see easily someone setting up a desktop and then a month or two later say Hmm, let's add some server functionality. A simple website I can tell my friends to connect to. So security levels need to be easily modified during use, and not just during installation.
> > > eg: I would like YaST2 never ask me root password to install software, since it's my laptop and no one else can use it...but it'll surely be banned in a security expert's eyes, and I don't know how to adjust it for myself
> > I agree that some basic functionalities shouldn't require passwords. Obvious are adding wifi networks or printer connections. However, I still greatly appreciate requiring a password even on my own machine for software installations. If anything, it becomes a gentle reminder to me that I must exercise my abilities with caution.
> > Also, unpassworded-software installation, in my opinion, exposes us to greater risks. Some malware out there can do a background installation without your awareness, and without password protection, we've made it much easier for those miscreants. The moment we remove this level of protection, we increase the invitation for malware creators to target openSUSE installations.
> yes. it's just an extreme example...
> actually the most famous openSUSE 12.1 tweak is "do not ask root password but use it when connecting to new wifi"...not root password to install software.
> and linux malware is so few...take such risks to have a "less-annoying" OS might be normal users want...but I don't know.
Part of reason it is so few is because of inherent security. Take away some security and you invite malware makers to make more now that they know where the risks are.
> and one thing to mention is that we have automatic updates...most of the backdoors are fixed in such updates...
Updates are for software you already have installed. In theory, this is approved and we're comfortable with them. So automatic updates to existing software from known repositories is fine. But new software that may not even come from a known repository is the risk. Someone clicks on some foo.rpm on a website and boom... problem. Furthermore, that installation might not get fixed by any openSUSE updates.
> > > (no flame war like Linus did, of course I defend and vote for openSUSE, but one comment in it is good for me: it's easier for security persons to enable it than grandma to disable it)
> > This poses another question. Did grandma install openSUSE herself or did someone else do it for her? Both scenarios have different security implications. (Think in terms of "a little knowledge can be a dangerous thing.") :-)
> oh I've heard an example before. the example of Mr oldcpu.
> he lives in Germany, his mama lives in Canada, he went back home 4 years a time.
> so his mama is using openSUSE 11.3 which receives no updates for now.
> so it means no matter how secure a system is for now...it'll not as secure later.
> and no matter how many tweaks a help hand did, one day you have to do it yourself or explore yourself to outside attack.
> that's why I have the idea to have different level "tweak" package(s) to make that work easy.
Sure. I think providing levels is a good idea. But as I said earlier, ultimately it depends on the complexity of development as well as we cannot implement levels without some very good detailed documentation. This is CARDINAL in my opinion or we'll have a huge mess down the road.
Bryen
On Tue, May 22, 2012 at 11:00 AM, Bryen M Yunashko
> > eg: I would like YaST2 never ask me root password to install software, since it's my laptop and no one else can use it...but it'll surely be banned in a security expert's eyes, and I don't know how to adjust it for myself
> I agree that some basic functionalities shouldn't require passwords. Obvious are adding wifi networks or printer connections. However, I still greatly appreciate requiring a password even on my own machine for software installations. If anything, it becomes a gentle reminder to me that I must exercise my abilities with caution.
But that's the point: "require passwords" doesn't mean "require root password".
As sudo asks *your* password, those tools that handle wifi, printers and such should also ask the user's password, and check whether the user has permission to administer wifi, printers, and such.
We have sudo. Can't sudo be used for this? I imagine not because it's a dbus issue. But then, dbus should be extended to support sudo-like handling of permissions.
Also, installing software from configured repos is not the same, security-wise, to installing software from source or from untrusted repos.
On 2012-05-22 18:43, Claudio Freire wrote:
> As sudo asks *your* password, those tools that handle wifi, printers and such should also ask the user's password, and check whether the user has permission to administer wifi, printers, and such.
Hummmm. Actually, on most systems sudo asks root's password, because nobody configures sudo; and many documentations tell novices to do "sudo something" which will work because it is in the default, unconfigured state.
> Also, installing software from configured repos is not the same, security-wise, to installing software from source or from untrusted repos.
It is not so simple to differentiate. And even with software from the oss repo you can break an installation, like forcing install sendmail when postfix is already running well.
--
Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar)
On Tue, May 22, 2012 at 3:44 PM, Carlos E. R.
> > Also, installing software from configured repos is not the same, security-wise, to installing software from source or from untrusted repos.
> It is not so simple to differentiate. And even with software from the oss repo you can break an installation, like forcing install sendmail when postfix is already running well.
It doesn't have to be that hard.
Installing from configured repos = zypper up|install|etc, while
installing from other repos implies a distinctively different command
(ie: add the repo, install from rpm, one-click install, etc).
So it could easily be that "installing" is one action and "adding
repos" is another, and anything that implies access to a repo other
than the configured ones fires the "adding repos" check.
On Tue, May 22, 2012 at 3:26 PM, Sven Burmeister
> With a new YaST module openSUSE is on its own and needs yet another maintainer with no hope of others contributing.
I agree, though doing it in KDE's polkit + Gnome's + whichever other frontend there has to be might be a lot more effort.
On Tue, May 22, 2012 at 01:43:04PM -0300, Claudio Freire wrote:
On Tue, May 22, 2012 at 11:00 AM, Bryen M Yunashko
wrote: eg: I would like YaST2 never ask me root password to install software, since it's my laptop and no one else can use it...but it'll surely be banned in a security expert's eyes, and I don't know how to adjust it for myself
I agree that some basic functionalities shouldn't require passwords. Obvious are adding wifi networks or printer connections. However, I still greatly appreciate requiring a password even on my own machine for software installations. If anything, it becomes a gentle reminder to me that I must exercise my abilities with caution.
But that's the point: "require passwords" doesn't mean "require root password".
As sudo asks *your* password, those tools that handle wifi, printers and such should also ask the user's password, and check whether the user has permission to administer wifi, printers, and such.
We have sudo. Can't sudo be used for this? I imagine not because it's a dbus issue. But then, dbus should be extended to support sudo-like handling of permissions.
No, these days everything talks over dbus and requests permissions via policykit.
Also, installing software from configured repos is not the same, security-wise, to installing software from source or from untrusted repos.
Of course. Installing software from known repositories can also be split in two different things:
- install software by name
- install software by name-version-release
the latter could be used to downgrade packages and make them insecure, so it should be different use cases.
ciao, Marcus
personally I think we'd better separate standard Linux server environment from single-user home desktop environment. they're totally different....and desktop users are growing in recent years in our forums(openSUSE is almost the only usable distro for home use)
Apart from Gentoo, Ubuntu and all their derivatives, yes.
eg: I would like YaST2 never ask me root password to install software, since it's my laptop and no one else can use it...but it'll surely be banned in a security expert's eyes, and I don't know how to adjust it for myself
Do you want this for user #1 or for any arbitrary "guest" type account? I don't want guests accounts to install software on MY system. That's why. But it should ask for your #rootable user# password, not for root password.
(no flame war like Linus did, of course I defend and vote for openSUSE, but one comment in it is good for me: it's easier for security persons to enable it than grandma to disable it)
It's for grandma's pc where I want security over features. She isn't going to install software anyway. But I have to drive 200 Miles if something is broken with her "let's exchange recipes over facebook" use case just because guests or aggressive software installed obtrusive new features (or worse).
I hope we may/can have a package called polkit-default-home-use or something to fulfill that kind of needs....of course too hurry for 12.2, may be later
Yes, I like that. But mine would probably be different from yours.
-- Ralf Lang Linux Consultant / Developer Tel.: +49-170-6381563 Mail: lang@b1-systems.de B1 Systems GmbH Osterfeldstraße 7 / 85088 Vohburg / http://www.b1-systems.de GF: Ralph Dehner / Unternehmenssitz: Vohburg / AG: Ingolstadt,HRB 3537
On Tue, May 22, 2012 at 10:27 PM, Ralf Lang
personally I think we'd better separate standard Linux server environment from single-user home desktop environment. they're totally different....and desktop users are growing in recent years in our forums(openSUSE is almost the only usable distro for home use)
Apart from Gentoo, Ubuntu and all their derivatives, yes.
.< (lol)
eg: I would like YaST2 never ask me root password to install software, since it's my laptop and no one else can use it...but it'll surely be banned in a security expert's eyes, and I don't know how to adjust it for myself
Do you want this for user #1 or for any arbitrary "guest" type account? I don't want guests accounts to install software on MY system. That's why. But it should ask for your #rootable user# password, not for root password.
no. so I guess...guest account or account registration could be disabled? actually no desktop users even use Windows Guest account, forever...
(no flame war like Linus did, of course I defend and vote for openSUSE, but one comment in it is good for me: it's easier for security persons to enable it than grandma to disable it)
It's for grandma's pc where I want security over features. She isn't going to install software anyway. But I have to drive 200 Miles if something is broken with her "let's exchange recipes over facebook" use case just because guests or aggressive software installed obtrusive new features (or worse).
...lol. it's just someone else's comment on linus's G+...seems grandma is not a good example...everyone has enough such bad experiences.....I drive once...that is...1794 miles...just last year... I cited that to "prove" that we need different levels of security...not no security at all.
I hope we may/can have a package called polkit-default-home-use or something to fulfill that kind of needs....of course too hurry for 12.2, may be later
Yes, I like that. But mine would probably be different from yours.
yes. definitely... but by separating server from desktop...we can discuss out a common settings...like tweak the most hard and common parts for the users...not the as secure as one can in server environment...
-- Ralf Lang Linux Consultant / Developer Tel.: +49-170-6381563 Mail: lang@b1-systems.de
B1 Systems GmbH Osterfeldstraße 7 / 85088 Vohburg / http://www.b1-systems.de GF: Ralph Dehner / Unternehmenssitz: Vohburg / AG: Ingolstadt,HRB 3537
Your quoting seems off, sorry. I try to figure where to answer.
On 22.05.2012 17:02, Marguerite Su wrote:
On Tue, May 22, 2012 at 10:27 PM, Ralf Lang
wrote: personally I think we'd better separate standard Linux server environment from single-user home desktop environment. they're totally different....and desktop users are growing in recent years in our forums(openSUSE is almost the only usable distro for home use)
Apart from Gentoo, Ubuntu and all their derivatives, yes.
.< (lol)
eg: I would like YaST2 never ask me root password to install software, since it's my laptop and no one else can use it...but it'll surely be banned in a security expert's eyes, and I don't know how to adjust it for myself
Do you want this for user #1 or for any arbitrary "guest" type account? I don't want guests accounts to install software on MY system. That's why. But it should ask for your #rootable user# password, not for root password.
no. so I guess...guest account or account registration could be disabled?
actually no desktop users even use Windows Guest account, forever...
Wrong. It might be very uncommon outside the range of windows users I know but the typical windows notebook I see has two or three local accounts and another USED guest account. Let's talk about family computers, student computers, couple cases...
(no flame war like Linus did, of course I defend and vote for openSUSE, but one comment in it is good for me: it's easier for security persons to enable it than grandma to disable it)
It's for grandma's pc where I want security over features. She isn't going to install software anyway. But I have to drive 200 Miles if something is broken with her "let's exchange recipes over facebook" use case just because guests or aggressive software installed obtrusive new features (or worse).
...lol. it's just someone else's comment on linus's G+...seems grandma is not a good example...everyone has enough such bad experiences.....I drive once...that is...1794 miles...just last year...
I don't care who said it. The case remains the same. Let's talk about cases, not about Linus or you personally. I'd rather have too much security for grandma than too many features.
I cited that to "prove" that we need different levels of security...not no security at all.
Let's have a yast module and an install option, not some mysterious rpm.
-- Ralf Lang Linux Consultant / Developer Tel.: +49-170-6381563 Mail: lang@b1-systems.de B1 Systems GmbH Osterfeldstraße 7 / 85088 Vohburg / http://www.b1-systems.de GF: Ralph Dehner / Unternehmenssitz: Vohburg / AG: Ingolstadt,HRB 3537
On Tue, May 22, 2012 at 11:07 PM, Ralf Lang
Your quoting seems off, sorry. I try to figure where to answer.
On 22.05.2012 17:02, Marguerite Su wrote:
On Tue, May 22, 2012 at 10:27 PM, Ralf Lang
wrote: personally I think we'd better separate standard Linux server environment from single-user home desktop environment. they're totally different....and desktop users are growing in recent years in our forums(openSUSE is almost the only usable distro for home use)
Apart from Gentoo, Ubuntu and all their derivatives, yes.
.< (lol)
eg: I would like YaST2 never ask me root password to install software, since it's my laptop and no one else can use it...but it'll surely be banned in a security expert's eyes, and I don't know how to adjust it for myself
Do you want this for user #1 or for any arbitrary "guest" type account? I don't want guests accounts to install software on MY system. That's why. But it should ask for your #rootable user# password, not for root password.
no. so I guess...guest account or account registration could be disabled?
actually no desktop users even use Windows Guest account, forever...
Wrong. It might be very uncommon outside the range of windows users I know but the typical windows notebook I see has two or three local accounts and another USED guest account. Let's talk about family computers, student computers, couple cases...
...yes. some students'/staff's computers can't even install software...actually.. family computers is a good example...but seems linux can't adjust security level per account? especially some actions requires root password....
(no flame war like Linus did, of course I defend and vote for openSUSE, but one comment in it is good for me: it's easier for security persons to enable it than grandma to disable it)
It's for grandma's pc where I want security over features. She isn't going to install software anyway. But I have to drive 200 Miles if something is broken with her "let's exchange recipes over facebook" use case just because guests or aggressive software installed obtrusive new features (or worse).
...lol. it's just someone else's comment on linus's G+...seems grandma is not a good example...everyone has enough such bad experiences.....I drive once...that is...1794 miles...just last year...
I don't care who said it. The case remains the same. Let's talk about cases, not about Linus or you personally. I'd rather have too much security for grandma than too many features.
I cited that to "prove" that we need different levels of security...not no security at all.
Let's have a yast module and an install option, not some mysterious rpm.
totally agreed.
-- Ralf Lang Linux Consultant / Developer Tel.: +49-170-6381563 Mail: lang@b1-systems.de
B1 Systems GmbH Osterfeldstraße 7 / 85088 Vohburg / http://www.b1-systems.de GF: Ralph Dehner / Unternehmenssitz: Vohburg / AG: Ingolstadt,HRB 3537
Quoting still confuses me in your case.
Wrong. It might be very uncommon outside the range of windows users I know but the typical windows notebook I see has two or three local accounts and another USED guest account. Let's talk about family computers, student computers, couple cases...
...yes.
some students'/staff's computers can't even install software...actually..
family computers is a good example...but seems linux can't adjust security level per account? especially some actions requires root password....
We can. As far as I know, you can put users selectively in the wheel group (may sudo) and it is possible to request the user password for sudo actions, not the root pw.
I cited that to "prove" that we need different levels of security...not no security at all.
Let's have a yast module and an install option, not some mysterious rpm.
totally agreed.
Great. I'd even learn this python stuff to aid if somebody takes the lead.
-- Ralf Lang Linux Consultant / Developer Tel.: +49-170-6381563 Mail: lang@b1-systems.de B1 Systems GmbH Osterfeldstraße 7 / 85088 Vohburg / http://www.b1-systems.de GF: Ralph Dehner / Unternehmenssitz: Vohburg / AG: Ingolstadt,HRB 3537
On 2012-05-22 17:07, Ralf Lang wrote:
Let's have a yast module and an install option, not some mysterious rpm.
Which is similar to my proposal. I like this one.
-- Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar)
Hello, On May 22 21:40 Marguerite Su wrote (excerpt):
I would like YaST2 never ask me root password to install software, since it's my laptop
Can you provide some background information why you like to have this. I wonder when it is your own laptop did you perhaps install openSUSE on it and if yes, then you would know the root password and could provide it to YaST.
Kind Regards Johannes Meixner -- SUSE LINUX Products GmbH -- Maxfeldstrasse 5 -- 90409 Nuernberg -- Germany HRB 16746 (AG Nuernberg) GF: Jeff Hawn, Jennifer Guild, Felix Imendoerffer
On Wed, May 23, 2012 at 6:05 PM, Johannes Meixner
Hello,
On May 22 21:40 Marguerite Su wrote (excerpt):
I would like YaST2 never ask me root password to install software, since it's my laptop
Can you provide some background information why you like to have this.
I wonder when it is your own laptop did you perhaps install openSUSE on it and if yes, then you would know the root password and could provide it to YaST.
oh, yes, I have root password. and I could provide it to YaST. but: http://forums.opensuse.org/english/get-technical-help-here/applications/4728... see this page. last few comments.
kdesu has a design fault. for some thinkpad users like me, it doesn't notify you that you need to swipe your finger to give root permission. (you can't just input root password and click okay) so many users just wait the finger session expires and actually I don't know exactly when I should swipe my finger. that's a lot of time wasted.
so every time it reminds me if I can install software without password, just like launching software....it sounds good and smooth. to gain that experience I would like to expose myself outside (actually not possible behind I have a router in my home network) but as I said, it'll surely be banned in the name of security.
that's why I said we may need another set of security settings. although it may vary among users, but still need some kind of such mechanism apart from as secure as one can.
so in my case, the situation is: I have passwords, but I don't want to give it every time. but it's not common case. so let's continue others discussed like "which ones we could give to users, which ones not" instead of "should give or not".
hope it helps
marguerite
Kind Regards Johannes Meixner -- SUSE LINUX Products GmbH -- Maxfeldstrasse 5 -- 90409 Nuernberg -- Germany HRB 16746 (AG Nuernberg) GF: Jeff Hawn, Jennifer Guild, Felix Imendoerffer
Hello, On May 23 21:58 Marguerite Su wrote (excerpt):
so in my case, the situation is: I have passwords, but I don't want to give it every time.
If you want to do configuration changes without a password,
- you can do configuration changes by accident (prompting for a password would make you aware when something is no longer within the scope of what is considered as "usual work"),
- arbitrary persons who get even short time access to your machine can do configuration changes when it is running unattended (e.g. when you forgot by accident to lock your screen), i.e. arbitrary persons could hijack your machine when it is running unattended.
I am not against such a setting, I only like to point out a security consequence. If you like to do anything without providing a password, you could work as root. I mean this seriously. What would be wrong with working as root if one likes to work with unlimited permissions on one's own machine in one's own secure internal network? And for exceptional cases one could even jail root with software like AppArmor and SELinux.
Kind Regards Johannes Meixner -- SUSE LINUX Products GmbH -- Maxfeldstrasse 5 -- 90409 Nuernberg -- Germany HRB 16746 (AG Nuernberg) GF: Jeff Hawn, Jennifer Guild, Felix Imendoerffer
On 05/22/2012 08:48 AM, Andreas Jaeger wrote:
I just put the following on my blog as well (http://jaegerandi.blogspot.de) and look forward to your help defining a better policy:
[snip]
Call for action: Review and discuss http://en.opensuse.org/openSUSE:Security_use_cases using the following questions: * Are there any use cases missing?
IMHO the list appears pretty complete. Maybe "Insert CD/DVD" for music/movie playing use case could be added to the page. But this is handled automatically by the DEs thus it may be mentioned for "completeness" or just be left off the list.
* Is there any thing missing in the specific use cases?
I think we could have a "severity" rating for the "system wide action" assessments. For example "adding a repo" has a high severity value, let's say 5 (scale 0 - 5) while "updating installed packages from trusted repo" would have a low severity rating, maybe 1. This might provide a guideline to help us decide whether we want the root password or not.
* How can we solve these use cases so that a system is easy to setup for the most common usage scenarios?
I think we could have a "simple" YaST dialog that lets the sysadmin configure settings to her/his needs/liking. I could imagine something like the attached sketch should suffice. This is flexible, easily expandable, and implementation shouldn't be too terribly time consuming. The underlying assumption is that all processes affected support policy kit. The result is that the dialog simply writes out policy kit rules. Later, Robert -- Robert Schweikert MAY THE SOURCE BE WITH YOU SUSE-IBM Software Integration Center LINUX Tech Lead rjschwei@suse.com rschweik@ca.ibm.com 781-464-8147
On 2012-05-22 19:52, Robert Schweikert wrote:
I could imagine something like the attached sketch should suffice.
One detail. A plain user in Linux can adjust his time zone. Any user can do that, and has always been so, by design. It is gnome 3 which has broken this rule, by using the same dialog to change time _and_ time zone simultaneously. Changing the time has always required root password. It is a bug in gnome 3. Take the "adjust time zone" out of your sketch, please.
-- Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar)
On 05/22/2012 02:53 PM, Carlos E. R. wrote:
On 2012-05-22 19:52, Robert Schweikert wrote:
I could imagine something like the attached sketch should suffice.
One detail. A plain user in Linux can adjust his time zone. Any user can do that, and has always been so, by design. It is gnome 3 which has broken this rule, by using the same dialog to change time _and_ time zone simultaneously. Changing the time has always required root password.
It is a bug in gnome 3. Take the "adjust time zone" out of your sketch, please.
Following this thread and reading this response I must wonder if anyone has looked at the wiki page.
-- Robert Schweikert MAY THE SOURCE BE WITH YOU SUSE-IBM Software Integration Center LINUX Tech Lead rjschwei@suse.com rschweik@ca.ibm.com 781-464-8147
On 2012-05-22 22:31, Robert Schweikert wrote:
On 05/22/2012 02:53 PM, Carlos E. R. wrote:
On 2012-05-22 19:52, Robert Schweikert wrote:
I could imagine something like the attached sketch should suffice.
One detail. A plain user in Linux can adjust his time zone. Any user can do that, and has always been so, by design. It is gnome 3 which has broken this rule, by using the same dialog to change time _and_ time zone simultaneously. Changing the time has always required root password.
It is a bug in gnome 3. Take the "adjust time zone" out of your sketch, please.
Following this thread and reading this response I must wonder if anyone has looked at the wiki page.
Nothing there contradicts what I say about the time zone.
-- Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar)
On Tuesday, May 22, 2012 19:52:33 Robert Schweikert wrote:
On 05/22/2012 08:48 AM, Andreas Jaeger wrote:
I just put the following on my blog as well (http://jaegerandi.blogspot.de)
and look forward to your help defining a better policy: [snip]
Call for action: Review and discuss http://en.opensuse.org/openSUSE:Security_use_cases using the following questions: * Are there any use cases missing?
IMHO the list appears pretty complete.
Maybe "Insert CD/DVD" for music/movie playing use case could be added to the page. But this is handled automatically by the DEs thus it may be mentioned for "completeness" or just be left off the list.
Go ahead and add it to the wiki, please.
* Is there any thing missing in the specific use cases?
I think we could have a "severity" rating for the "system wide action" assessments. For example "adding a repo" has a high severity value, let's say 5 (scale 0 - 5) while "updating installed packages from trusted repo" would have a low severity rating, maybe 1. This might provide a guideline to help us decide whether we want the root password or not.
* How can we solve these use cases so that a system is easy to setup
for the most common usage scenarios?
I think we could have a "simple" YaST dialog that lets the sysadmin configure settings to her/his needs/liking. I could imagine something like the attached sketch should suffice.
This is flexible, easily expandable, and implementation shouldn't be too terribly time consuming. The underlying assumption is that all processes affected support policy kit. The result is that the dialog simply writes out policy kit rules.
Yes, something like that should work for the IMO 10% of esoteric use case. The question remains: How to setup the system by default? What questions should be asked?
Andreas
-- Andreas Jaeger aj@{suse.com,opensuse.org} Twitter/Identica: jaegerandi SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany GF: Jeff Hawn,Jennifer Guild,Felix Imendörffer,HRB16746 (AG Nürnberg) GPG fingerprint = 93A3 365E CE47 B889 DF7F FED1 389A 563C C272 A126
On 2012-05-23 14:29, Andreas Jaeger wrote:
The question remains: How to setup the system by default? What questions should be asked?
Don't make defaults for everybody. You have to ask root what defaults he wants. And no, I don't know the proper questions to ask, sorry.
-- Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar)
On 05/23/2012 08:29 AM, Andreas Jaeger wrote:
On Tuesday, May 22, 2012 19:52:33 Robert Schweikert wrote:
On 05/22/2012 08:48 AM, Andreas Jaeger wrote:
I just put the following on my blog as well (http://jaegerandi.blogspot.de)
and look forward to your help defining a better policy: [snip]
Call for action: Review and discuss http://en.opensuse.org/openSUSE:Security_use_cases using the following questions: * Are there any use cases missing?
IMHO the list appears pretty complete.
Maybe "Insert CD/DVD" for music/movie playing use case could be added to the page. But this is handled automatically by the DEs thus it may be mentioned for "completeness" or just be left off the list.
Go ahead and add it to the wiki, please.
Done
* Is there any thing missing in the specific use cases?
I think we could have a "severity" rating for the "system wide action" assessments. For example "adding a repo" has a high severity value, let's say 5 (scale 0 - 5) while "updating installed packages from trusted repo" would have a low severity rating, maybe 1. This might provide a guideline to help us decide whether we want the root password or not.
* How can we solve these use cases so that a system is easy to setup
for the most common usage scenarios?
I think we could have a "simple" YaST dialog that lets the sysadmin configure settings to her/his needs/liking. I could imagine something like the attached sketch should suffice.
This is flexible, easily expandable, and implementation shouldn't be too terribly time consuming. The underlying assumption is that all processes affected support policy kit. The result is that the dialog simply writes out policy kit rules.
Yes, something like that should work for the IMO 10% of esoteric use case.
The question remains: How to setup the system by default?
I am not certain we need to change the defaults (other than the really obvious network thingy ;) ). I think we need to provide the administrator of the system with an easy way to hand out permissions on a per system per user basis as she/he sees fit and feels comfortable with.
What questions should be asked?
None, that's the idea behind the point and click approach of the dialog. If we ask general questions such as "is this a single user laptop" and we shape our setting based on answers to these types of questions we will get it "wrong". People are not going to like our decisions and will moan/groan/complain. Having a dialog where we can simply add a new entry if we missed something should be relatively straight forward. It also provides admins the opportunity to set things up as they see fit in a rather obvious way, rather than having to figure out "what does openSUSE do when I answer yes to question X". The new dialog could be shown at the end of the configuration process during the install, and can be accessed from YaST any time.
Later, Robert
-- Robert Schweikert MAY THE SOURCE BE WITH YOU SUSE-IBM Software Integration Center LINUX Tech Lead rjschwei@suse.com rschweik@ca.ibm.com 781-464-8147
On 23.05.2012 18:47, Robert Schweikert wrote:
On 05/23/2012 08:29 AM, Andreas Jaeger wrote:
What questions should be asked?
None, that's the idea behind the point and click approach of the dialog. If we ask general questions such as "is this a single user laptop" and we shape our setting based on answers to these types of questions we will get it "wrong".
Having a few "presets" with the most common use cases, best accompanied with a short description is still a good idea IMHO. Maybe stuff like:
* "Admin configured server": you need the root password for all changes -> basically like in good old times before polkit and friends: you'll need to "su -" and then use yast or whatever to change stuff.
* "User configured laptop": you are allowed to connect to WiFi networks, connect printers and install package updates with your user account. For adding software repositories and installing additional software, you'll need the root password.
* "third preset": I have no idea what a third preset could be :-)
People are not going to like our decisions and will moan/groan/complain. Having a dialog where we can simply add a new entry if we missed something should be relatively straight forward. It also provides admins the opportunity to set things up as they see fit in a rather obvious way, rather than having to figure out "what does openSUSE do when I answer yes to question X".
Presenting a summary (not just the description, but what permissions will be set) is probably not impossible.
The new dialog could be shown at the end of the configuration process during the install, and can be accessed from YaST any time.
I like that. And it should have the option of resetting the stuff to sane(?) defaults. Some time in the past I have clicked in the KDE4 polkit config thingy, without any clue what I was doing and it saved me from the wifi-trouble everybody had with 12.1. It now just works for me. I have no idea how to "reset to factory settings" this stuff, though, so such a feature would be handy :-) -- Stefan Seyfried "Dispatch war rocket Ajax to bring back his body!"
On Tuesday, 22 May 2012, 14:48:12, Andreas Jaeger wrote:
Call for action: Review and discuss http://en.opensuse.org/openSUSE:Security_use_cases using the following questions: * Are there any use cases missing?
Users who buy an external hard drive/usb stick which is pre-formatted with e.g. fat32 but they want to format/re-partition it to fit their Linux needs. Currently they need root privileges, have to know how to open YaST, which module to use for formatting and after that they have to know that they still cannot use it because the disk belongs to root and one would have to change the file permissions. Yet changing the file permissions is not part of the formatting tool… With other OSs making an external hard drive usable is a lot easier. Sven
On Tuesday, May 22, 2012 20:42:27 Sven Burmeister wrote:
On Tuesday, 22 May 2012, 14:48:12, Andreas Jaeger wrote:
Call for action: Review and discuss http://en.opensuse.org/openSUSE:Security_use_cases using the following questions: * Are there any use cases missing?
Users who buy an external hard drive/usb stick which is pre-formatted with e.g. fat32 but they want to format/re-partition it to fit their Linux needs.
Currently they need root privileges, have to know how to open YaST, which module to use for formatting and after that they have to know that they still cannot use it because the disk belongs to root and one would have to change the file permissions. Yet changing the file permissions is not part of the formatting tool…
With other OSs making an external hard drive usable is a lot easier.
Could you add this to the wiki, please? Andreas -- Andreas Jaeger aj@{suse.com,opensuse.org} Twitter/Identica: jaegerandi SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany GF: Jeff Hawn,Jennifer Guild,Felix Imendörffer,HRB16746 (AG Nürnberg) GPG fingerprint = 93A3 365E CE47 B889 DF7F FED1 389A 563C C272 A126
On Tue, May 22, 2012 at 08:42:27PM +0200, Sven Burmeister wrote:
On Tuesday, 22 May 2012, 14:48:12, Andreas Jaeger wrote:
Call for action: Review and discuss http://en.opensuse.org/openSUSE:Security_use_cases using the following questions: * Are there any use cases missing?
Users who buy an external hard drive/usb stick which is pre-formatted with e.g. fat32 but they want to format/re-partition it to fit their Linux needs.
Currently they need root privileges, have to know how to open YaST, which module to use for formatting and after that they have to know that they still cannot use it because the disk belongs to root and one would have to change the file permissions. Yet changing the file permissions is not part of the formatting tool…
With other OSs making an external hard drive usable is a lot easier.
How often would this usecase happen do you think? Are these just us geeks doing the fs switch to UNIX filesystems? Ciao, Marcus
With other OSs making an external hard drive usable is a lot easier.
How often would this usecase happen do you think?
Are these just us geeks doing the fs switch to UNIX filesystems?
Ciao, Marcus
Hard drives with fat or even NTFS are usable under Linux. Don't know about exfat. You can gain additional features and usability when using a linux-native FS. You lose interop with pretty much every consumer device or windows PC though. ext2ifs doesn't handle ext4 afaik. -- Ralf Lang Linux Consultant / Developer Tel.: +49-170-6381563 Mail: lang@b1-systems.de B1 Systems GmbH Osterfeldstraße 7 / 85088 Vohburg / http://www.b1-systems.de GF: Ralph Dehner / Unternehmenssitz: Vohburg / AG: Ingolstadt,HRB 3537
On 23.05.2012 15:24, Marcus Meissner wrote:
On Tue, May 22, 2012 at 08:42:27PM +0200, Sven Burmeister wrote:
Users who buy an external hard drive/usb stick which is pre-formatted with e.g. fat32 but they want to format/re-partition it to fit their Linux needs.
Currently they need root privileges, have to know how to open YaST, which module to use for formatting and after that they have to know that they still cannot use it because the disk belongs to root and one would have to change the file permissions. Yet changing the file permissions is not part of the formatting tool…
With other OSs making an external hard drive usable is a lot easier.
How often would this usecase happen do you think?
Are these just us geeks doing the fs switch to UNIX filesystems?
I often reformat external media to fat32 or ntfs. It is not only for switching to UNIX fs. -- Stefan Seyfried "Dispatch war rocket Ajax to bring back his body!"
On Wednesday, 23 May 2012 17:00:07, Stefan Seyfried wrote:
I often reformat external media to fat32 or ntfs. It is not only for switching to UNIX fs.
After copying openSUSE iso to pendrive and after install, we need to "recover" pendrive. So creating fs on external drives (at least pendrives) should be done without root privileges. -- Pozdrawiam / Best regards, Mariusz Fik openSUSE Community Member GPG: 5FCE 7241 B3B9 32FD 455B C30E 42D6 6C88 9E83 7C3D
On 2012-05-23 19:03, Mariusz Fik wrote:
On Wednesday, 23 May 2012 17:00:07, Stefan Seyfried wrote:
I often reformat external media to fat32 or ntfs. It is not only for switching to UNIX fs.
After copying openSUSE iso to pendrive and after install, we need to "recover" pendrive. So creating fs on external drives (at least pendrives) should be done without root privileges.
Well, you needed to be root to create the pendrive and use it and install it, so why not to erase it? -- Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar)
On Wednesday, 23 May 2012 20:52:22, Carlos E. R. wrote:
After copying openSUSE iso to pendrive and after install, we need to "recover" pendrive. So creating fs on external drives (at least pendrives) should be done without root privileges.
Well, you needed to be root to create the pendrive and use it and install it, so why not to erase it?
Is it really necessary to obtain root access to put iso → pendrive? -- Pozdrawiam / Best regards, Mariusz Fik openSUSE Community Member GPG: 5FCE 7241 B3B9 32FD 455B C30E 42D6 6C88 9E83 7C3D
On 2012-05-23 23:08, Mariusz Fik wrote:
On Wednesday, 23 May 2012 20:52:22, Carlos E. R. wrote:
Well, you needed to be root to create the pendrive and use it and install it, so why not to erase it?
Is it really necessary to obtain root access to put iso → pendrive?
Yes, you need to use "dd if=file of=/dev/something". If you use something else, you still need writing to the device. However, in Windows I think you might be able to do it, I don't remember. -- Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar)
On Thursday, May 24, 2012 04:29:18 Carlos E. R. wrote:
On 2012-05-23 23:08, Mariusz Fik wrote:
On Wednesday, 23 May 2012 20:52:22, Carlos E. R. wrote:
Well, you needed to be root to create the pendrive and use it and install it, so why not to erase it?
Is it really necessary to obtain root access to put iso → pendrive?
Yes, you need to use "dd if=file of=/dev/something". If you use something else, you still need writing to the device. However, in Windows I think you might be able to do it, I don't remember.
Let's add it to the list in the wiki, it's a good use case. Could somebody do so, please? Andreas -- Andreas Jaeger aj@{suse.com,opensuse.org} Twitter/Identica: jaegerandi SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany GF: Jeff Hawn,Jennifer Guild,Felix Imendörffer,HRB16746 (AG Nürnberg) GPG fingerprint = 93A3 365E CE47 B889 DF7F FED1 389A 563C C272 A126
On 05/24/2012 03:56 AM, Andreas Jaeger wrote:
On Thursday, May 24, 2012 04:29:18 Carlos E. R. wrote:
On 2012-05-23 23:08, Mariusz Fik wrote:
On Wednesday, 23 May 2012 20:52:22, Carlos E. R. wrote:
Well, you needed to be root to create the pendrive and use it and install it, so why not to erase it?
Is it really necessary to obtain root access to put iso → pendrive?
Yes, you need to use "dd if=file of=/dev/something". If you use something else, you still need writing to the device. However, in Windows I think you might be able to do it, I don't remember.
Let's add it to the list in the wiki, it's a good use case. Could somebody do so, please?
Added
Andreas
-- Robert Schweikert MAY THE SOURCE BE WITH YOU SUSE-IBM Software Integration Center LINUX Tech Lead rjschwei@suse.com rschweik@ca.ibm.com 781-464-8147
On Wed, May 23, 2012 at 11:00 AM, Stefan Seyfried
On 23.05.2012 15:24, Marcus Meissner wrote:
On Tue, May 22, 2012 at 08:42:27PM +0200, Sven Burmeister wrote:
Users who buy an external hard drive/usb stick which is pre-formatted with e.g. fat32 but they want to format/re-partition it to fit their Linux needs.
Currently they need root privileges, have to know how to open YaST, which module to use for formatting and after that they have to know that they still cannot use it because the disk belongs to root and one would have to change the file permissions. Yet changing the file permissions is not part of the formatting tool…
With other OSs making an external hard drive usable is a lot easier.
How often would this usecase happen do you think?
Are these just us geeks doing the fs switch to UNIX filesystems?
I often reformat external media to fat32 or ntfs. It is not only for switching to UNIX fs. -- Stefan Seyfried
Agreed. I know windows admins at a minimum reformat external media routinely. Greg
On 24.05.2012 04:48, Greg Freemyer wrote:
I know windows admins at a minimum reformat external media routinely.
I also do this, even with Unix fs. Reasons:
* external media often gets surprise-removed. Journaling fs might be fine, but I'd not bet that the file system does not start to "bit-rot". I have definitely seen this with reiserfs in the past.
* "rm -rf /media/foo/*" is often much slower than "mkfs.xfs /dev/sdb1" so if I'm going to erase everything anyway, I can also mkfs.
* file system block allocation patterns might degrade over time. Doing mkfs really starts from scratch
* depending on what was on the disk, I need to dd /dev/urandom onto it, so a mkfs is needed afterwards.
...but that's surely offtopic now, so let's stop it here :-)
(yes, I know that urandom -> disk is not enough in general, but it is usually enough for my use cases)
Best regards, Stefan -- Stefan Seyfried "Dispatch war rocket Ajax to bring back his body!"
On 2012-05-24 07:49, Stefan Seyfried wrote:
On 24.05.2012 04:48, Greg Freemyer wrote:
(yes, I know that urandom -> disk is not enough in general, but it is usually enough for my use cases)
That's not "not enough", it is an overkill. And needs root's powers. -- Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar)
On 2012-05-24 04:48, Greg Freemyer wrote:
I know windows admins at a minimum reformat external media routinely.
Because it is faster and also kills viruses. Plus it can also include media checking, in which case it is much slower. -- Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar)
Marcus Meissner wrote:
On Tue, May 22, 2012 at 08:42:27PM +0200, Sven Burmeister wrote:
On Tuesday, 22 May 2012, 14:48:12, Andreas Jaeger wrote:
Call for action: Review and discuss http://en.opensuse.org/openSUSE:Security_use_cases using the following questions: * Are there any use cases missing?
Users who buy an external hard drive/usb stick which is pre-formatted with e.g. fat32 but they want to format/re-partition it to fit their Linux needs.
Currently they need root privileges, have to know how to open YaST, which module to use for formatting and after that they have to know that they still cannot use it because the disk belongs to root and one would have to change the file permissions. Yet changing the file permissions is not part of the formatting tool…
With other OSs making an external hard drive usable is a lot easier.
How often would this usecase happen do you think?
Are these just us geeks doing the fs switch to UNIX filesystems?
Executive summary of MHO: No, but naive users don't know it. They work on a different abstraction level. The use case looks differently to them -- their demand is not to switch filesystems, but they have demands where the technical solution is to switch it.

Use case 1: Just a few weeks ago, an openSUSE user from my Tai Chi group asked me how to place 2GB+ files on their shiny new cheap USB 1TB disk, that came vFAT pre-formatted. And she's definitively a naive Linux user; whom I sometimes address to get the opinion of a non-technical user. In fact, she didn't know that there are different file systems; I had to guess that the disk came pre-formatted. Reformatting to ext4 or xfs is the obvious solution, but YaST doesn't provide a ready-made "Prepare this disk as a native openSUSE disk that supports large files" that I could cite at Tai Chi training time. ;-)

Use case 2: Prepare a disk in a way that it can be read on almost every computer system today. (Stefan cited that use case already, no need to repeat it for longer.)

Therefore: I see the need for the functionality, but I don't see how it should be presented to non-geek end users.

Just my 0,03 EUR (adjusted for inflation), Joachim -- Joachim Schrod, Roedermark, Germany Email: jschrod@acm.org
On 23.05.2012 23:52, Joachim Schrod wrote:
Therefore: I see the need for the functionality, but I don't see how it should be presented to non-geek end users.
There is a disk utility for GNOME whose name I forgot (it was exceptionally silly because it has nothing to do with disks or formatting or anything that one would connect with this task) which got this nicely done. IIRC it does present the available disks. It has a button for "format", then asks how to format it. *And it explains the selections in a non-geek comprehensible way*. Apart from the name, it is very nicely done. -- Stefan Seyfried "Dispatch war rocket Ajax to bring back his body!"
On Thursday, 24 May 2012, at 07:57 +0200, Stefan Seyfried wrote:
On 23.05.2012 23:52, Joachim Schrod wrote:
Therefore: I see the need for the functionality, but I don't see how it should be presented to non-geek end users.
There is a disk utility for GNOME whose name I forgot (it was exceptionally silly because it has nothing to do with disks or formatting or anything that one would connect with this task) which got this nicely done.
IIRC it does present the available disks. It has a button for "format", then asks how to format it. *And it explains the selections in a non-geek comprehensible way*. Apart from the name, it is very nicely done.
palimpsest if you call it from the command line, Disks if you call it from the menu :-) Vincent -- Happy people are not in a hurry.
palimpsest if you call it from the command line, Disks if you call it from the menu :-)
there is something for kde too... quick-usbdisk-formatter http://kde-apps.org/content/show.php/?content=137493
Alin
On Tue, May 22, 2012 at 9:48 AM, Andreas Jaeger
* Are there any use cases missing? * Is there any thing missing in the specific use cases?
From personal experience, handling of external storage[0] in multiuser (and I mean multiple concurrent sessions) desktops is very poorly handled.
It's probably more a bug than anything else, but I thought I'd mention since the wiki shows it as "OK" when it still could use some love.

GPU for calculation, for another item, is a very tricky business. GPU threading is very coarse, especially on not-so-high-end hardware, so while ACL management and all that is possible, isolation between GPU-enabled users would not be so easy. User with access to the GPU would be able to deny use of the resource to other users simply by running misbehaving code without any extra privileges.

It's also quite easy to leak out sensitive information (ie: even passwords) by inspecting uninitialized video memory, since drivers tend not to clear buffers on (de)allocation, so previous video content is easily visible in newly created buffers. This would be a serious security issue if *any* user were to be given access to the GPU in concurrency with any other user.

Network access, also, needs some consideration for VPNs, which are rather common both in single-user laptops and enterprise environments.
On Wednesday, May 23, 2012 01:16:29 Claudio Freire wrote:
On Tue, May 22, 2012 at 9:48 AM, Andreas Jaeger
wrote: * Are there any use cases missing? * Is there any thing missing in the specific use cases?
From personal experience, handling of external storage[0] in multiuser (and I mean multiple concurrent sessions) desktops is very poorly handled.
It's probably more a bug than anything else, but I thought I'd mention since the wiki shows it as "OK" when it still could use some love.
What exactly is the problem? Please describe in more detail.
GPU for calculation, for another item, is a very tricky business. GPU threading is very coarse, especially on not-so-high-end hardware, so while ACL management and all that is possible, isolation between GPU-enabled users would not be so easy. User with access to the GPU would be able to deny use of the resource to other users simply by running misbehaving code without any extra privileges.
Exactly, GPU-enablement can only be for one user at a time.
It's also quite easy to leak out sensitive information (ie: even passwords) by inspecting uninitialized video memory, since drivers tend not to clear buffers on (de)allocation, so previous video content is easily visible in newly created buffers. This would be a serious security issue if *any* user were to be given access to the GPU in concurrency with any other user.
Network access, also, needs some consideration for VPNs, which are rather common both in single-user laptops and enterprise environments.
I consider that handled via NetworkManager for the single-user laptop, Andreas -- Andreas Jaeger aj@{suse.com,opensuse.org} Twitter/Identica: jaegerandi SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany GF: Jeff Hawn,Jennifer Guild,Felix Imendörffer,HRB16746 (AG Nürnberg) GPG fingerprint = 93A3 365E CE47 B889 DF7F FED1 389A 563C C272 A126
On Wed, May 23, 2012 at 4:05 AM, Andreas Jaeger wrote:
> On Wednesday, May 23, 2012 01:16:29 Claudio Freire wrote:
>>
>> From personal experience, handling of external storage[0] in multiuser
>> (and I mean multiple concurrent sessions) desktops is very poorly
>> handled.
>>
>> It's probably more a bug than anything else, but I thought I'd mention
>> since the wiki shows it as "OK" when it still could use some love.
>
> What exactly is the problem? Please describe in more detail.

From memory:

* when a USB drive is inserted into a multi-session desktop, a popup will appear for all users. It should only appear to the active user - though I'm not sure there's an easy fix for that.
* when a user mounts a drive, other users may be able to read that drive, but not write or unmount it. It's not *wrong* per-se, but it confounds and annoys newbies a great deal.
* when a user logs out without unmounting the drive, it remains permanently mounted. Other users cannot unmount it, except with root privileges from the cli. Again, not-for-newbies(tm).

>> It's also quite easy to leak out sensitive information (ie: even
>> passwords) by inspecting uninitialized video memory, since drivers
>> tend not to clear buffers on (de)allocation, so previous video content
>> is easily visible in newly created buffers. This would be a serious
>> security issue if *any* user were to be given access to the GPU in
>> concurrency with any other user.
>>
>> Network access, also, needs some consideration for VPNs, which are
>> rather common both in single-user laptops and enterprise environments.
>
> I consider that handled via NetworkManager for the single-user laptop,

I'm assuming the comment applies to VPNs and not GPU leaks?

I never succeeded in creating VPNs with NM. I haven't tried the latest NM versions though, it might have improved. I've stuck to vpnc-(dis)connect for a while now. Last time I tried, IIRC, it failed to create any kind of VPN without root access (whereas it works fine for wifi without root access), and the VPNs it created didn't actually work.
Claudio Freire wrote:
On Wed, May 23, 2012 at 4:05 AM, Andreas Jaeger
wrote: On Wednesday, May 23, 2012 01:16:29 Claudio Freire wrote:
From personal experience, handling of external storage[0] in multiuser (and I mean multiple concurrent sessions) desktops is very poorly handled.
It's probably more a bug than anything else, but I thought I'd mention since the wiki shows it as "OK" when it still could use some love.
What exactly is the problem? Please describe in more detail.
From memory: * when an USB drive is inserted into a multi-session desktop, a popup will appear for all users. It should only appear to the active user - though I'm not sure there's an easy fix for that.
And it is even possible to have multiple active users .... (multi-seat machine). -- Per Jessen, Zürich (16.2°C)
On Wednesday 23 May 2012 21:45:02 Per Jessen wrote:
Claudio Freire wrote:
On Wed, May 23, 2012 at 4:05 AM, Andreas Jaeger
wrote: On Wednesday, May 23, 2012 01:16:29 Claudio Freire wrote:
From personal experience, handling of external storage[0] in multiuser (and I mean multiple concurrent sessions) desktops is very poorly handled.
It's probably more a bug than anything else, but I thought I'd mention since the wiki shows it as "OK" when it still could use some love.
What exactly is the problem? Please describe in more detail.
From memory: * when an USB drive is inserted into a multi-session desktop, a popup
will appear for all users. It should only appear to the active user - though I'm not sure there's an easy fix for that.
And it is even possible to have multiple active users .... (multi-seat machine).
Welcome to 2012. The infrastructure is all there, although the DEs are just catching up. Gnome multiseat support is quite complete [1], unfortunately KDE is really behind. Regards, Stefan [1] https://plus.google.com/110773474140772402317/posts/NqPUifsFUYH -- Stefan Brüns / Bergstraße 21 / 52062 Aachen phone: +49 241 53809034 mobile: +49 151 50412019
On Wednesday, May 23, 2012 14:42:18 Claudio Freire wrote:
On Wed, May 23, 2012 at 4:05 AM, Andreas Jaeger
wrote: On Wednesday, May 23, 2012 01:16:29 Claudio Freire wrote:
From personal experience, handling of external storage[0] in multiuser (and I mean multiple concurrent sessions) desktops is very poorly handled.
It's probably more a bug than anything else, but I thought I'd mention since the wiki shows it as "OK" when it still could use some love.
What exactly is the problem? Please describe in more detail.
From memory: * when an USB drive is inserted into a multi-session desktop, a popup will appear for all users. It should only appear to the active user - though I'm not sure there's an easy fix for that. * when a user mounts a drive, other users may be able to read that drive, but not write or unmount it. It's not *wrong* per-se, but it confounds and annoys newbies a great deal. * when a user logs out without unmounting the drive, it remains permanently mounted. Other users cannot unmount it, except with root privileges from the cli. Again, not-for-newbies(tm).
I see - the multiseat setup is something we didn't have in mind when discussing. Could you enhance the wiki page a bit for that, please?
It's also quite easy to leak out sensitive information (ie: even passwords) by inspecting uninitialized video memory, since drivers tend not to clear buffers on (de)allocation, so previous video content is easily visible in newly created buffers. This would be a serious security issue if *any* user were to be given access to the GPU in concurrency with any other user.
Network access, also, needs some consideration for VPNs, which are rather common both in single-user laptops and enterprise environments.
I consider that handled via NetworkManager for the single-user laptop,
I'm assuming the comment applies to VPNs and not GPU leaks?
Yes, correct. I'm only talking about VPNs
I never succeeded in creating VPNs with NM. I haven't tried the latest NM versions though, it might have improved. I've stuck to vpnc-(dis)connect for a while now. Last time I tried, IIRC, it failed to create any kind of VPN without root access (whereas it works fine for wifi without root access), and the VPNs it created didn't actually work.
It worked fine for me last time I tried with openvpn but I don't remember whether I needed the root password or not, Andreas -- Andreas Jaeger aj@{suse.com,opensuse.org} Twitter/Identica: jaegerandi SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany GF: Jeff Hawn,Jennifer Guild,Felix Imendörffer,HRB16746 (AG Nürnberg) GPG fingerprint = 93A3 365E CE47 B889 DF7F FED1 389A 563C C272 A126
On Tuesday, 22 May 2012, 14:48:12, Andreas Jaeger wrote:
Call for action: Review and discuss http://en.opensuse.org/openSUSE:Security_use_cases using the following questions: * Are there any use cases missing?
Canceling print jobs.
For my experience from the last years, if a normal user tries that, he will be asked for an administrative account plus password. The fix is easy but not obvious (not feasible for average user): one has to add something like 'cups' or 'printer' to each user's group settings. Since printing in general tends to show unexpected results for different reasons (e.g. printer options learning curve, driver prefers to use color cartridges for b/w text documents, printer prints only garbage after 1st page because of broken cups backend chain), it would be very helpful if killing print jobs would work out of the box for every user. Stefan Q.
On Wednesday, May 23, 2012 14:14:36 Stefan Quandt wrote:
On Tuesday, 22 May 2012, 14:48:12, Andreas Jaeger wrote:
Call for action: Review and discuss http://en.opensuse.org/openSUSE:Security_use_cases using the following questions: * Are there any use cases missing?
Canceling print jobs.
For my experience from the last years, if a normal user tries that, he will be asked for an administrative account plus password. The fix is easy but not obvious (not feasible for average user): one has to add something like 'cups' or 'printer' to each user's group settings.
Since printing in general tends to show unexpected results for different reasons (e.g. printer options learning curve, driver prefers to use color cartridges for b/w text documents, printer prints only garbage after 1st page because of broken cups backend chain), it would be very helpful if killing print jobs would work out of the box for every user.
Strange, in my environment I can cancel my own printjobs... This should indeed work. Andreas -- Andreas Jaeger aj@{suse.com,opensuse.org} Twitter/Identica: jaegerandi SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany GF: Jeff Hawn,Jennifer Guild,Felix Imendörffer,HRB16746 (AG Nürnberg) GPG fingerprint = 93A3 365E CE47 B889 DF7F FED1 389A 563C C272 A126
On 2012-05-23 14:32, Andreas Jaeger wrote:
On Wednesday, May 23, 2012 14:14:36 Stefan Quandt wrote:
On Tuesday, 22 May 2012, 14:48:12, Andreas Jaeger wrote:
Call for action: Review and discuss http://en.opensuse.org/openSUSE:Security_use_cases using the following questions: * Are there any use cases missing?
Canceling print jobs.
Strange, in my environment I can cancel my own print jobs... This should indeed work.
And in mine. It is a configuration in cups.
Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar)
Hello,
On May 23 14:14 Stefan Quandt wrote (excerpt):
* Are there any use cases missing?
Canceling print jobs.
By default a user can cancel his own print jobs on his local host according to the CUPS "default" policy in /etc/cups/cupsd.conf but even more:
Only FYI (of course not obvious for average users):
normal_user@host $ cancel -U root queue_name-job_number
See "man cancel":
------------------------------------------------------------------------
-U username
     Specifies the username to use when connecting to the server.
...
-u username
     Cancels jobs owned by username.
NOTES
     Administrators wishing to prevent unauthorized cancellation of jobs via the -u option should require authentication for Cancel-Jobs operations in cupsd.conf(5).
------------------------------------------------------------------------
Background information: As long as the IPP communication with the cupsd happens without authentication of the user name, any user can set an arbitrary user name for the IPP communication. But if the IPP communication with the cupsd requires authentication, any user must authenticate first of all which is less user-friendly but that is the only way if you cannot trust your users.
Kind Regards
Johannes Meixner
-- SUSE LINUX Products GmbH -- Maxfeldstrasse 5 -- 90409 Nuernberg -- Germany
HRB 16746 (AG Nuernberg) GF: Jeff Hawn, Jennifer Guild, Felix Imendoerffer
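Added example (not part of the message above and not CUPS project code): a small Python check for the point just made, that job cancellation is only tied to a real identity when the policy's Cancel-Job limit requires authentication. The two cupsd.conf snippets are constructed samples, the function names are hypothetical, and treating any AuthType other than None as "authenticated" is a simplifying assumption.

```python
import re

# Constructed sample: owner or admin may cancel, but the limit has no AuthType,
# so cupsd takes the user name sent in the IPP request on trust.
UNAUTHENTICATED = """
<Policy default>
  <Limit Cancel-Job CUPS-Authenticate-Job>
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>
  <Limit All>
    Order deny,allow
  </Limit>
</Policy>
"""

# Constructed sample: the same limit, now demanding authentication first.
AUTHENTICATED = """
<Policy default>
  <Limit Cancel-Job CUPS-Authenticate-Job>
    AuthType Default
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>
  <Limit All>
    Order deny,allow
  </Limit>
</Policy>
"""


def parse_policies(conf_text):
    """Return {policy name: [(set of operations, {directive: value}), ...]}."""
    policies, current, limit = {}, None, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        opened = re.match(r"<(Policy|Limit)\s+([^>]+)>$", line, re.I)
        if opened and opened.group(1).lower() == "policy":
            current = policies.setdefault(opened.group(2).strip(), [])
        elif opened and current is not None:
            # <Limit> inside <Policy> lists IPP operations; <Limit> inside
            # <Location> lists HTTP methods and is skipped here.
            limit = ({op.lower() for op in opened.group(2).split()}, {})
            current.append(limit)
        elif line.lower() == "</limit>":
            limit = None
        elif line.lower() == "</policy>":
            current = limit = None
        elif limit is not None:
            key, _, value = line.partition(" ")
            limit[1][key.lower()] = value.strip()
    return policies


def requires_auth(conf_text, operation="Cancel-Job"):
    """Map each policy name to True if the limit for `operation` sets an AuthType."""
    verdict = {}
    for name, limits in parse_policies(conf_text).items():
        named = [d for ops, d in limits if operation.lower() in ops]
        fallback = [d for ops, d in limits if "all" in ops]
        # Simplification: first limit naming the operation, else <Limit All>.
        directives = (named or fallback or [{}])[0]
        # Assumption: a missing AuthType or "AuthType None" means unauthenticated.
        verdict[name] = directives.get("authtype", "none").lower() != "none"
    return verdict


if __name__ == "__main__":
    for label, conf in (("weak", UNAUTHENTICATED), ("hardened", AUTHENTICATED)):
        print(label, requires_auth(conf))
```

A policy reported as False here is one where the user name in the IPP request is not verified, so the "Require user @OWNER" line gives no protection between local users.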
On Wednesday, 23 May 2012, 15:08:07, Johannes Meixner wrote:
On May 23 14:14 Stefan Quandt wrote (excerpt):
* Are there any use cases missing?
Canceling print jobs.
By default a user can cancel his own print jobs on his local host according to the CUPS "default" policy in /etc/cups/cupsd.conf but even more:
Only FYI (of course not obvious for average users):
normal_user@host $ cancel -U root queue_name-job_number
I can confirm that canceling via command line as 'root' indeed just works (on localhost, without password).
But trying to cancel using the cups browser frontend (via "http://localhost:631/jobs?") I'm prompted for a username _and_ password. And of course practically every user without knowledge of cups policies will enter his normal user name and thus will fail. And entering 'root' with no password is not accepted by the dialog. So while this is a severe problem, it is not about openSUSE security policies, but a longstanding issue of the cups frontend (and maybe there is already a report for this).
On Wednesday, 23 May 2012, 14:50:32, Carlos E. R. wrote:
On 2012-05-23 14:32, Andreas Jaeger wrote:
On Wednesday, May 23, 2012 14:14:36 Stefan Quandt wrote:
On Tuesday, 22 May 2012, 14:48:12, Andreas Jaeger wrote:
Call for action: Review and discuss http://en.opensuse.org/openSUSE:Security_use_cases using the following questions: * Are there any use cases missing?
Canceling print jobs.
Strange, in my environment I can cancel my own print jobs... This should indeed work.
And in mine. It is a configuration in cups.
Do you use the 'cancel' command too or which frontend?
Thanks
Stefan Q.
Hello,
On May 23 16:02 Stefan Quandt wrote (excerpt):
Only FYI (of course not obvious for average users):
normal_user@host $ cancel -U root queue_name-job_number
I can confirm that canceling via command line as 'root' indeed just works (on localhost, without password).
But trying to cancel using the cups browser frontend (via "http://localhost:631/jobs?") I'm prompted for a username _and_ password.
There is a basic difference between command line tools and a web frontend in how both can deal with user names. Off the top of my head I don't know the details but as far as I remember it is basically that a web frontend cannot know a user name (because your browser doesn't tell a web server which user runs your browser) - in contrast a command line tool knows which user it runs - so that a web frontend must ask for a user name. There are several reports/discussions/explanations on the CUPS forums (e.g. the CUPS mailing list) regarding this kind of issue. Perhaps there might be an issue that you are prompted for username and password because without authentication it would be sufficient if the CUPS web frontend only prompts for a username - but I am not an expert regarding HTTP authentication stuff.
Kind Regards
Johannes Meixner
On 2012-05-23 16:02, Stefan Quandt wrote:
Canceling print jobs.
Strange, in my environment I can cancel my own print jobs... This should indeed work.
And in mine. It is a configuration in cups.
Do you use the 'cancel' command too or which frontend?
Both cli and web. If it asks for a password, it is mine, not root's.
Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar)
On Tuesday, 2012-05-22 at 14:48 +0200, Andreas Jaeger wrote:
We've collected a couple of use cases for the administration of a local system at: http://en.opensuse.org/openSUSE:Security_use_cases
For each use case we added a short security evaluation but in most cases don't give a recommendation on what to do.
I see that timezone is mentioned there, and an elaborate solution described. However, in gnome 2 (I'm using 11.4) changing the timezone is just a single click on the clock. A SINGLE CLICK! I just change location (once several locations are defined) and done. If other desktops can not do it, it is their problem.
Cheers, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar)
On Wednesday, 23 May 2012, at 15:01 +0200, Carlos E. R. wrote:
On Tuesday, 2012-05-22 at 14:48 +0200, Andreas Jaeger wrote:
We've collected a couple of use cases for the administration of a local system at: http://en.opensuse.org/openSUSE:Security_use_cases
For each use case we added a short security evaluation but in most cases don't give a recommendation on what to do.
I see that timezone is mentioned there, and an elaborate solution described. However, in gnome 2 (I'm using 11.4) changing the timezone is just a single click on the clock. A SINGLE CLICK! I just change location (once several locations are defined) and done.
You realize this was working with polkit, right? We had this properly configured to not require authentication, after considering the security implication. That means we did the work Andreas is pushing here, but only for the timezone use case. (The fact that it doesn't work in GNOME 3 is really just a bug, see patch at https://bugzilla.gnome.org/show_bug.cgi?id=646185)
Vincent
-- Happy people are not in a hurry.
On 2012-05-23 15:09, Vincent Untz wrote:
On Wednesday, 23 May 2012, at 15:01 +0200, Carlos E. R. wrote:
You realize this was working with polkit, right? We had this properly configured to not require authentication, after considering the security implication. That means we did the work Andreas is pushing here, but only for the timezone use case.
Didn't know polkit was involved, as time zone change is something that can be done on the CLI as plain user.
(The fact that it doesn't work in GNOME 3 is really just a bug, see patch at https://bugzilla.gnome.org/show_bug.cgi?id=646185)
Yes, I know it is a bug.
Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar)
On Wednesday, May 23, 2012 15:09:11 Vincent Untz wrote:
On Wednesday, 23 May 2012, at 15:01 +0200, Carlos E. R. wrote:
On Tuesday, 2012-05-22 at 14:48 +0200, Andreas Jaeger wrote:
We've collected a couple of use cases for the administration of a local system at: http://en.opensuse.org/openSUSE:Security_use_cases
For each use case we added a short security evaluation but in most cases don't give a recommendation on what to do.
I see that timezone is mentioned there, and an elaborate solution described. However, in gnome 2 (I'm using 11.4) changing the timezone is just a single click on the clock. A SINGLE CLICK! I just change location (once several locations are defined) and done.
You realize this was working with polkit, right? We had this properly configured to not require authentication, after considering the security implication. That means we did the work Andreas is pushing here, but only for the timezone use case.
(The fact that it doesn't work in GNOME 3 is really just a bug, see patch at https://bugzilla.gnome.org/show_bug.cgi?id=646185)
And a still unfixed bug. Is this fixed for openSUSE 12.2?
Andreas
On Thursday, 24 May 2012, at 10:01 +0200, Andreas Jaeger wrote:
On Wednesday, May 23, 2012 15:09:11 Vincent Untz wrote:
On Wednesday, 23 May 2012, at 15:01 +0200, Carlos E. R. wrote:
On Tuesday, 2012-05-22 at 14:48 +0200, Andreas Jaeger wrote:
We've collected a couple of use cases for the administration of a local system at: http://en.opensuse.org/openSUSE:Security_use_cases
For each use case we added a short security evaluation but in most cases don't give a recommendation on what to do.
I see that timezone is mentioned there, and an elaborate solution described. However, in gnome 2 (I'm using 11.4) changing the timezone is just a single click on the clock. A SINGLE CLICK! I just change location (once several locations are defined) and done.
You realize this was working with polkit, right? We had this properly configured to not require authentication, after considering the security implication. That means we did the work Andreas is pushing here, but only for the timezone use case.
(The fact that it doesn't work in GNOME 3 is really just a bug, see patch at https://bugzilla.gnome.org/show_bug.cgi?id=646185)
And a still unfixed bug. Is this fixed for openSUSE 12.2?
Sorry, forgot to reply. Not yet fixed, but we should take my patch. Will do it.
Vincent
-- Happy people are not in a hurry.
On Tuesday, 22 May 2012 14:48:12, Andreas Jaeger wrote:
Administrating a system in a secure way is always balancing the needs and requests of security, convenience and usability.
We've collected a couple of use cases for the administration of a local system at: http://en.opensuse.org/openSUSE:Security_use_cases
* Are there any use cases missing?
* How can we solve these use cases so that a system is easy to setup for the most common usage scenarios?
I think there are a number of firewall related issues of security vs. convenience. These don't directly have anything to do with permissions of course, e.g.:
1) The user wants to browse samba shares, but it's not worky unless he turns off the firewall or manually allows some services first (at least I *think* that works now).
2) The user can't figure out why he can't connect to sshd running on an openSUSE system, cuz "with Ubuntu it just works" (... cuz everything is open by default)
Don't really have any good suggestions how to solve these issues, but they're definitely costing us users and maybe someone else does. Maybe it would be possible for the firewall to provide some user feedback when it blocks stuff they're trying to do.
On Wednesday, 23 May 2012 17:20:24, Martin Schlander wrote:
On Tuesday, 22 May 2012 14:48:12, Andreas Jaeger wrote:
Administrating a system in a secure way is always balancing the needs and requests of security, convenience and usability.
We've collected a couple of use cases for the administration of a local system at: http://en.opensuse.org/openSUSE:Security_use_cases
* Are there any use cases missing?
* How can we solve these use cases so that a system is easy to setup for the most common usage scenarios?
I think there are a number of firewall related issues of security vs. convenience. These don't directly have anything to do with permissions of course, e.g.:
1) The user wants to browse samba shares, but it's not worky unless he turns off the firewall or manually allows some services first (at least I *think* that works now).
2) The user can't figure out why he can't connect to sshd running on an openSUSE system, cuz "with Ubuntu it just works" (... cuz everything is open by default)
Don't really have any good suggestions how to solve these issues, but they're definitely costing us users and maybe someone else does. Maybe it would be possible for the firewall to provide some user feedback when it blocks stuff they're trying to do.
Oh, I almost forgot one of our main issues of (data) security vs. convenience. The highly restrictive default permissions on NTFS, preventing normal users from writing to NTFS. People really hate us for that one.
On Wednesday, May 23, 2012 17:23:38 Martin Schlander wrote:
On Wednesday, 23 May 2012 17:20:24, Martin Schlander wrote:
On Tuesday, 22 May 2012 14:48:12, Andreas Jaeger wrote:
Administrating a system in a secure way is always balancing the needs and requests of security, convenience and usability.
We've collected a couple of use cases for the administration of a local system at: http://en.opensuse.org/openSUSE:Security_use_cases
* Are there any use cases missing?
* How can we solve these use cases so that a system is easy to setup for the most common usage scenarios?
I think there are a number of firewall related issues of security vs. convenience. These don't directly have anything to do with permissions of course, e.g.:
1) The user wants to browse samba shares, but it's not worky unless he turns off the firewall or manually allows some services first (at least I *think* that works now).
2) The user can't figure out why he can't connect to sshd running on an openSUSE system, cuz "with Ubuntu it just works" (... cuz everything is open by default)
Don't really have any good suggestions how to solve these issues, but they're definitely costing us users and maybe someone else does. Maybe it would be possible for the firewall to provide some user feedback when it blocks stuff they're trying to do.
Oh, I almost forgot one of our main issues of (data) security vs. convenience. The highly restrictive default permissions on NTFS, preventing normal users from writing to NTFS. People really hate us for that one.
Let's revisit this one - could you add a use case to the wiki page, please?
Andreas
On Thursday, 24 May 2012 10:03:00, Andreas Jaeger wrote:
On Wednesday, May 23, 2012 17:23:38 Martin Schlander wrote:
On Wednesday, 23 May 2012 17:20:24, Martin Schlander wrote:
Oh, I almost forgot one of our main issues of (data) security vs. convenience. The highly restrictive default permissions on NTFS, preventing normal users from writing to NTFS. People really hate us for that one.
Let's revisit this one - could you add a use case to the wiki page, please?
Done. http://en.opensuse.org/openSUSE:Security_use_cases#Writing_to_NTFS
On 23.05.2012 17:23, Martin Schlander wrote:
On Wednesday, 23 May 2012 17:20:24, Martin Schlander wrote:
On Tuesday, 22 May 2012 14:48:12, Andreas Jaeger wrote:
Administrating a system in a secure way is always balancing the needs and requests of security, convenience and usability.
We've collected a couple of use cases for the administration of a local system at: http://en.opensuse.org/openSUSE:Security_use_cases
* Are there any use cases missing?
* How can we solve these use cases so that a system is easy to setup for the most common usage scenarios?
I think there are a number of firewall related issues of security vs. convenience. These don't directly have anything to do with permissions of course, e.g.:
1) The user wants to browse samba shares, but it's not worky unless he turns off the firewall or manually allows some services first (at least I *think* that works now).
2) The user can't figure out why he can't connect to sshd running on an openSUSE system, cuz "with Ubuntu it just works" (... cuz everything is open by default)
Don't really have any good suggestions how to solve these issues, but they're definitely costing us users and maybe someone else does. Maybe it would be possible for the firewall to provide some user feedback when it blocks stuff they're trying to do.
Oh, I almost forgot one of our main issues of (data) security vs. convenience. The highly restrictive default permissions on NTFS, preventing normal users from writing to NTFS. People really hate us for that one.
It is possible to map users/groups to SIDs:
http://www.tuxera.com/community/ntfs-3g-advanced/user-mapping/
Unfortunately the process of generating a UserMapping file needs user interaction and therefore cannot be done automatically as part of system setup. Maybe a yast module could help with this.
Herbert
On Tue, 22 May 2012 14:48:12 +0200, Andreas Jaeger wrote:
Let's do the discussion on the opensuse-factory mailing list, I'll update the document with any improvements. Feel free to enhance it as well.
I have just joined this list (nomail version), though I have been following the discussion via the web archives. I hope I'm not late to add a comment.
I'll mainly comment on network issues (NetworkManager). But let me first add a note on Timezone.
Timezone: I personally just set TZ in my environment when traveling. That does not require root. My "HOME/.profile" contains:
---- clip here ----
### check for a temporary timezone change.
if [ -r $HOME/timezone.sh ] ; then
    . $HOME/timezone.sh
fi
---- end clip ----
so I need only create the file "timezone.sh" with the appropriate TZ definition, and I am set. Then, on return from travels, I delete that file (or rename it for future re-use).
One could probably create a small GUI applet to generate this file, and then the user timezone would be changed on the next login. Root is not required, and can be different for different users.
In my opinion, changing the system-wide timezone should require root.
Network (NetworkManager). I have been experimenting with this. Perhaps I should do a bug report. I have described what I did in more detail in http://nwrickert2.wordpress.com/2012/06/05/trying-to-make-networkmanager-san...
In short, I created a "network" group, and modified polkit definitions, so that anyone in the network group who is at an active console can make WiFi changes.
The polkit definitions from opensuse made this hard. There are local definition files (actually vendor definition files) for group *, and any attempt to make a definition for group network seemed to be overridden by the "group *" definition. It seems to me that opensuse should put any definition that applies to everyone into the defaults instead of in a ".pkna" file. That way, at least local administrators would have a better chance at tweaking it for their own uses.
Thanks for your attention.
On 2012-06-05 18:33, Neil Rickert wrote:
Timezone: I personally just set TZ in my environment when traveling. That does not require root. My "HOME/.profile" contains:
---- clip here ----
### check for a temporary timezone change.
if [ -r $HOME/timezone.sh ] ; then
    . $HOME/timezone.sh
fi
---- end clip ----
You might simply reuse .i18n which is automatically sourced by the appropriate scripts. I'm not sure though, if this file is strictly for locale definition or timezone also fits.
Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar)
participants (23)
- Alin Marin Elena
- Andreas Jaeger
- Bryen M Yunashko
- Carlos E. R.
- Carlos E. R.
- Claudio Freire
- Greg Freemyer
- Herbert Graeber
- Joachim Schrod
- Johannes Meixner
- Marcus Meissner
- Marguerite Su
- Mariusz Fik
- Martin Schlander
- Neil Rickert
- Per Jessen
- Ralf Lang
- Robert Schweikert
- Stefan Brüns
- Stefan Quandt
- Stefan Seyfried
- Sven Burmeister
- Vincent Untz