[New: openFATE 312876] Deny individual users' access to screen-saver settings
Feature added by: Per Jessen (pjessen) Feature #312876, revision 1 Title: Deny individual users' access to screen-saver settings openSUSE Distribution: Unconfirmed Priority Requester: Important Requested by: Per Jessen (pjessen) Partner organization: openSUSE.org Description: This is an extension of feature#312871, but because it's a little more involved than changing a simple default, I thought it would be better to have a separate feature request. The screen-saver settings for time-out and "require password" are security settings that really should not be freely available to the individual user. I propose that we 1) set a reasonable default (60sec, 15sec, always require passwd) (see feature#312871) and 2) only let these settings be modified by someone with root-access. To a regular user, the timeout and "require password" settings should appear "greyed out", clearly indicating "not available". Use Case: Office user - the user is able to select a screen-saver, but the other settings cannot be accessed, accidentally or otherwise. The install or admin person need not change anything to get a sane security setup for the desktop. SOHO or home users - same as above, but the default screen-saver settings may be changed by switching to root access. Business case (Partner benefit): openSUSE.org: This is simply a reasonable security measure, fitting nicely into the overall security-conscious profile of openSUSE. Security measures (firewall, apparmor, encryption etc) are typically accessible only with root-access; it's only sensible that we apply this principle to the screen-saver settings too. -- openSUSE Feature: https://features.opensuse.org/312876
Feature changed by: Todd R (TheBlackCat) Feature #312876, revision 3 Title: Deny individual users' access to screen-saver settings openSUSE Distribution: Unconfirmed Priority Requester: Important Requested by: Per Jessen (pjessen) Partner organization: openSUSE.org Description: This is an extension of feature#312871, but because it's a little more involved than changing a simple default, I thought it would be better to have a separate feature request. The screen-saver settings for time- out and "require password" are security settings that really should not be freely available to the individual user. I propose that we 1) set a reasonable default (60sec, 15sec, always require passwd) (see feature#312871) and 2) only let these settings be modified by someone with root-access. To a regular user, the timeout and "require password" settings should appear "greyed out", clearly indicating "not available". Use Case: Office user - the user is able to select a screen-saver, but the other settings cannot be accessed, accidentally or otherwise. The install or admin person need not change anything to get a sane security setup for the desktop. SOHO or home users - same as above, but the default screen-saver settings may be changed by switching to root access. Business case (Partner benefit): openSUSE.org: This is simply a reasonable security measure, fitting nicely into the overall security-conscious profile of openSUSE. Security measures (firewall, apparmor, encryption etc) are typically accessible only with root-access; it's only sensible that we apply this principle to the screen-saver settings too. + Discussion: + #1: Todd R (theblackcat) (2011-10-25 16:37:32) + I think this is backwards. If offices or home users think it is that + important to prevent users from changing their screensaver settings, + then they can use kiosk to prevent it. If they have that serious of + security concerns they should be using kiosk to prevent dangerous + actions anyway, so this shouldn't be much additional trouble (it took + me about ten seconds on google to find the relevant kiosk settings). + However, implementing this makes it extremely difficult in environments + where screen locking is not important. For most home users this would + add zero security benefit but a ton of hassle. It also makes things + very difficult for offices that think users can make their own judgment + about whether a screen locker helps or hampers them, and this would + wreck security models that prevent users from having root access. So if + we keep things as-is it is fairly easy to add restrictions to prevent + changing the settings, so the burden on people who want the feature is + small. However, if we go with this suggestion, then it adds a huge + burden to people who don't want it. + Things like apparmor, disk settings, and firewall are things that users + should never have any need to touch. But desktop customization + settings, like screensavers, are things that users very often do change + and are often allowed to change to suit their own work habits. You may + think that preventing users from changing their locker settings is an + important measure for security, but that is up to each office to decide + and implement. The tools to do so are already available. -- openSUSE Feature: https://features.opensuse.org/312876
Feature changed by: Ruediger Meier (rudi_m) Feature #312876, revision 4 Title: Deny individual users' access to screen-saver settings openSUSE Distribution: Unconfirmed Priority Requester: Important Requested by: Per Jessen (pjessen) Partner organization: openSUSE.org Description: This is an extension of feature#312871, but because it's a little more involved than changing a simple default, I thought it would be better to have a separate feature request. The screen-saver settings for time- out and "require password" are security settings that really should not be freely available to the individual user. I propose that we 1) set a reasonable default (60sec, 15sec, always require passwd) (see feature#312871) and 2) only let these settings be modified by someone with root-access. To a regular user, the timeout and "require password" settings should appear "greyed out", clearly indicating "not available". Use Case: Office user - the user is able to select a screen-saver, but the other settings cannot be accessed, accidentally or otherwise. The install or admin person need not change anything to get a sane security setup for the desktop. SOHO or home users - same as above, but the default screen-saver settings may be changed by switching to root access. Business case (Partner benefit): openSUSE.org: This is simply a reasonable security measure, fitting nicely into the overall security-conscious profile of openSUSE. Security measures (firewall, apparmor, encryption etc) are typically accessible only with root-access; it's only sensible that we apply this principle to the screen-saver settings too. Discussion: #1: Todd R (theblackcat) (2011-10-25 16:37:32) I think this is backwards. If offices or home users think it is that important to prevent users from changing their screensaver settings, then they can use kiosk to prevent it. If they have that serious of security concerns they should be using kiosk to prevent dangerous actions anyway, so this shouldn't be much additional trouble (it took me about ten seconds on google to find the relevant kiosk settings). However, implementing this makes it extremely difficult in environments where screen locking is not important. For most home users this would add zero security benefit but a ton of hassle. It also makes things very difficult for offices that think users can make their own judgment about whether a screen locker helps or hampers them, and this would wreck security models that prevent users from having root access. So if we keep things as-is it is fairly easy to add restrictions to prevent changing the settings, so the burden on people who want the feature is small. However, if we go with this suggestion, then it adds a huge burden to people who don't want it. Things like apparmor, disk settings, and firewall are things that users should never have any need to touch. But desktop customization settings, like screensavers, are things that users very often do change and are often allowed to change to suit their own work habits. You may think that preventing users from changing their locker settings is an important measure for security, but that is up to each office to decide and implement. The tools to do so are already available. + #2: Ruediger Meier (rudi_m) (2011-10-25 17:25:53) + If a user is keeping it's session open for others then it affects + user's security only. IMO it's usually not root's part to protect the + user from himself. + Teaching the user to do better would be enough. -- openSUSE Feature: https://features.opensuse.org/312876
Feature changed by: Marcus Meissner (msmeissn) Feature #312876, revision 5 Title: Deny individual users' access to screen-saver settings openSUSE Distribution: Unconfirmed Priority Requester: Important Requested by: Per Jessen (pjessen) Partner organization: openSUSE.org Description: This is an extension of feature#312871, but because it's a little more involved than changing a simple default, I thought it would be better to have a separate feature request. The screen-saver settings for time- out and "require password" are security settings that really should not be freely available to the individual user. I propose that we 1) set a reasonable default (60sec, 15sec, always require passwd) (see feature#312871) and 2) only let these settings be modified by someone with root-access. To a regular user, the timeout and "require password" settings should appear "greyed out", clearly indicating "not available". Use Case: Office user - the user is able to select a screen-saver, but the other settings cannot be accessed, accidentally or otherwise. The install or admin person need not change anything to get a sane security setup for the desktop. SOHO or home users - same as above, but the default screen-saver settings may be changed by switching to root access. Business case (Partner benefit): openSUSE.org: This is simply a reasonable security measure, fitting nicely into the overall security-conscious profile of openSUSE. Security measures (firewall, apparmor, encryption etc) are typically accessible only with root-access; it's only sensible that we apply this principle to the screen-saver settings too. Discussion: #1: Todd R (theblackcat) (2011-10-25 16:37:32) I think this is backwards. If offices or home users think it is that important to prevent users from changing their screensaver settings, then they can use kiosk to prevent it. If they have that serious of security concerns they should be using kiosk to prevent dangerous actions anyway, so this shouldn't be much additional trouble (it took me about ten seconds on google to find the relevant kiosk settings). However, implementing this makes it extremely difficult in environments where screen locking is not important. For most home users this would add zero security benefit but a ton of hassle. It also makes things very difficult for offices that think users can make their own judgment about whether a screen locker helps or hampers them, and this would wreck security models that prevent users from having root access. So if we keep things as-is it is fairly easy to add restrictions to prevent changing the settings, so the burden on people who want the feature is small. However, if we go with this suggestion, then it adds a huge burden to people who don't want it. Things like apparmor, disk settings, and firewall are things that users should never have any need to touch. But desktop customization settings, like screensavers, are things that users very often do change and are often allowed to change to suit their own work habits. You may think that preventing users from changing their locker settings is an important measure for security, but that is up to each office to decide and implement. The tools to do so are already available. #2: Ruediger Meier (rudi_m) (2011-10-25 17:25:53) If a user is keeping it's session open for others then it affects user's security only. IMO it's usually not root's part to protect the user from himself. Teaching the user to do better would be enough. + #3: Marcus Meissner (msmeissn) (2011-10-25 08:30:41) + This is something where a system wide (root modifyable) policy setting + woiuld be used to either deny/allow users these changes. + for openSUSE in homeuser setting, a good default but user-modifyable is + sufficient in my eyes. -- openSUSE Feature: https://features.opensuse.org/312876
Feature changed by: Per Jessen (pjessen) Feature #312876, revision 6 Title: Deny individual users' access to screen-saver settings openSUSE Distribution: Unconfirmed Priority Requester: Important Requested by: Per Jessen (pjessen) Partner organization: openSUSE.org Description: This is an extension of feature#312871, but because it's a little more involved than changing a simple default, I thought it would be better to have a separate feature request. The screen-saver settings for time- out and "require password" are security settings that really should not be freely available to the individual user. I propose that we 1) set a reasonable default (60sec, 15sec, always require passwd) (see feature#312871) and 2) only let these settings be modified by someone with root-access. To a regular user, the timeout and "require password" settings should appear "greyed out", clearly indicating "not available". Use Case: Office user - the user is able to select a screen-saver, but the other settings cannot be accessed, accidentally or otherwise. The install or admin person need not change anything to get a sane security setup for the desktop. SOHO or home users - same as above, but the default screen-saver settings may be changed by switching to root access. Business case (Partner benefit): openSUSE.org: This is simply a reasonable security measure, fitting nicely into the overall security-conscious profile of openSUSE. Security measures (firewall, apparmor, encryption etc) are typically accessible only with root-access; it's only sensible that we apply this principle to the screen-saver settings too. Discussion: #1: Todd R (theblackcat) (2011-10-25 16:37:32) I think this is backwards. If offices or home users think it is that important to prevent users from changing their screensaver settings, then they can use kiosk to prevent it. If they have that serious of security concerns they should be using kiosk to prevent dangerous actions anyway, so this shouldn't be much additional trouble (it took me about ten seconds on google to find the relevant kiosk settings). However, implementing this makes it extremely difficult in environments where screen locking is not important. For most home users this would add zero security benefit but a ton of hassle. It also makes things very difficult for offices that think users can make their own judgment about whether a screen locker helps or hampers them, and this would wreck security models that prevent users from having root access. So if we keep things as-is it is fairly easy to add restrictions to prevent changing the settings, so the burden on people who want the feature is small. However, if we go with this suggestion, then it adds a huge burden to people who don't want it. Things like apparmor, disk settings, and firewall are things that users should never have any need to touch. But desktop customization settings, like screensavers, are things that users very often do change and are often allowed to change to suit their own work habits. You may think that preventing users from changing their locker settings is an important measure for security, but that is up to each office to decide and implement. The tools to do so are already available. #2: Ruediger Meier (rudi_m) (2011-10-25 17:25:53) If a user is keeping it's session open for others then it affects user's security only. IMO it's usually not root's part to protect the user from himself. Teaching the user to do better would be enough. + #4: Per Jessen (pjessen) (2011-10-25 18:02:24) (reply to #2) + Sorry, but you are wrong - if a user does not lock his screen when he + is a way from it, it exposes/endangers everything to which this user + has access. Wrt teaching users - my experience tells me that it isn't + possible and also rarely accepted accepted by a security auditor. #3: Marcus Meissner (msmeissn) (2011-10-25 08:30:41) This is something where a system wide (root modifyable) policy setting woiuld be used to either deny/allow users these changes. for openSUSE in homeuser setting, a good default but user-modifyable is sufficient in my eyes. -- openSUSE Feature: https://features.opensuse.org/312876
Feature changed by: Per Jessen (pjessen) Feature #312876, revision 7 Title: Deny individual users' access to screen-saver settings openSUSE Distribution: Unconfirmed Priority Requester: Important Requested by: Per Jessen (pjessen) Partner organization: openSUSE.org Description: This is an extension of feature#312871, but because it's a little more involved than changing a simple default, I thought it would be better to have a separate feature request. The screen-saver settings for time- out and "require password" are security settings that really should not be freely available to the individual user. I propose that we 1) set a reasonable default (60sec, 15sec, always require passwd) (see feature#312871) and 2) only let these settings be modified by someone with root-access. To a regular user, the timeout and "require password" settings should appear "greyed out", clearly indicating "not available". Use Case: Office user - the user is able to select a screen-saver, but the other settings cannot be accessed, accidentally or otherwise. The install or admin person need not change anything to get a sane security setup for the desktop. SOHO or home users - same as above, but the default screen-saver settings may be changed by switching to root access. Business case (Partner benefit): openSUSE.org: This is simply a reasonable security measure, fitting nicely into the overall security-conscious profile of openSUSE. Security measures (firewall, apparmor, encryption etc) are typically accessible only with root-access; it's only sensible that we apply this principle to the screen-saver settings too. Discussion: #1: Todd R (theblackcat) (2011-10-25 16:37:32) I think this is backwards. If offices or home users think it is that important to prevent users from changing their screensaver settings, then they can use kiosk to prevent it. If they have that serious of security concerns they should be using kiosk to prevent dangerous actions anyway, so this shouldn't be much additional trouble (it took me about ten seconds on google to find the relevant kiosk settings). However, implementing this makes it extremely difficult in environments where screen locking is not important. For most home users this would add zero security benefit but a ton of hassle. It also makes things very difficult for offices that think users can make their own judgment about whether a screen locker helps or hampers them, and this would wreck security models that prevent users from having root access. So if we keep things as-is it is fairly easy to add restrictions to prevent changing the settings, so the burden on people who want the feature is small. However, if we go with this suggestion, then it adds a huge burden to people who don't want it. Things like apparmor, disk settings, and firewall are things that users should never have any need to touch. But desktop customization settings, like screensavers, are things that users very often do change and are often allowed to change to suit their own work habits. You may think that preventing users from changing their locker settings is an important measure for security, but that is up to each office to decide and implement. The tools to do so are already available. + #5: Per Jessen (pjessen) (2011-10-25 18:07:06) (reply to #1) + I wasn't aware of Kiosk, thanks. I disagree with most of the rest + you're saying though. To accommodate both sides, perhaps we could + simply make this a tickbox at installation-time. #2: Ruediger Meier (rudi_m) (2011-10-25 17:25:53) If a user is keeping it's session open for others then it affects user's security only. IMO it's usually not root's part to protect the user from himself. Teaching the user to do better would be enough. #4: Per Jessen (pjessen) (2011-10-25 18:02:24) (reply to #2) Sorry, but you are wrong - if a user does not lock his screen when he is a way from it, it exposes/endangers everything to which this user has access. Wrt teaching users - my experience tells me that it isn't possible and also rarely accepted accepted by a security auditor. #3: Marcus Meissner (msmeissn) (2011-10-25 08:30:41) This is something where a system wide (root modifyable) policy setting woiuld be used to either deny/allow users these changes. for openSUSE in homeuser setting, a good default but user-modifyable is sufficient in my eyes. -- openSUSE Feature: https://features.opensuse.org/312876
Feature changed by: Ruediger Meier (rudi_m) Feature #312876, revision 8 Title: Deny individual users' access to screen-saver settings openSUSE Distribution: Unconfirmed Priority Requester: Important Requested by: Per Jessen (pjessen) Partner organization: openSUSE.org Description: This is an extension of feature#312871, but because it's a little more involved than changing a simple default, I thought it would be better to have a separate feature request. The screen-saver settings for time- out and "require password" are security settings that really should not be freely available to the individual user. I propose that we 1) set a reasonable default (60sec, 15sec, always require passwd) (see feature#312871) and 2) only let these settings be modified by someone with root-access. To a regular user, the timeout and "require password" settings should appear "greyed out", clearly indicating "not available". Use Case: Office user - the user is able to select a screen-saver, but the other settings cannot be accessed, accidentally or otherwise. The install or admin person need not change anything to get a sane security setup for the desktop. SOHO or home users - same as above, but the default screen-saver settings may be changed by switching to root access. Business case (Partner benefit): openSUSE.org: This is simply a reasonable security measure, fitting nicely into the overall security-conscious profile of openSUSE. Security measures (firewall, apparmor, encryption etc) are typically accessible only with root-access; it's only sensible that we apply this principle to the screen-saver settings too. Discussion: #1: Todd R (theblackcat) (2011-10-25 16:37:32) I think this is backwards. If offices or home users think it is that important to prevent users from changing their screensaver settings, then they can use kiosk to prevent it. If they have that serious of security concerns they should be using kiosk to prevent dangerous actions anyway, so this shouldn't be much additional trouble (it took me about ten seconds on google to find the relevant kiosk settings). However, implementing this makes it extremely difficult in environments where screen locking is not important. For most home users this would add zero security benefit but a ton of hassle. It also makes things very difficult for offices that think users can make their own judgment about whether a screen locker helps or hampers them, and this would wreck security models that prevent users from having root access. So if we keep things as-is it is fairly easy to add restrictions to prevent changing the settings, so the burden on people who want the feature is small. However, if we go with this suggestion, then it adds a huge burden to people who don't want it. Things like apparmor, disk settings, and firewall are things that users should never have any need to touch. But desktop customization settings, like screensavers, are things that users very often do change and are often allowed to change to suit their own work habits. You may think that preventing users from changing their locker settings is an important measure for security, but that is up to each office to decide and implement. The tools to do so are already available. #5: Per Jessen (pjessen) (2011-10-25 18:07:06) (reply to #1) I wasn't aware of Kiosk, thanks. I disagree with most of the rest you're saying though. To accommodate both sides, perhaps we could simply make this a tickbox at installation-time. #2: Ruediger Meier (rudi_m) (2011-10-25 17:25:53) If a user is keeping it's session open for others then it affects user's security only. IMO it's usually not root's part to protect the user from himself. Teaching the user to do better would be enough. #4: Per Jessen (pjessen) (2011-10-25 18:02:24) (reply to #2) Sorry, but you are wrong - if a user does not lock his screen when he is a way from it, it exposes/endangers everything to which this user has access. Wrt teaching users - my experience tells me that it isn't possible and also rarely accepted accepted by a security auditor. + #6: Ruediger Meier (rudi_m) (2011-10-25 18:56:30) (reply to #4) + > [...] it exposes/endangers everything to which this user has access. + That's exactly what I've said. It _only_ affects what the user has + access too. #3: Marcus Meissner (msmeissn) (2011-10-25 08:30:41) This is something where a system wide (root modifyable) policy setting woiuld be used to either deny/allow users these changes. for openSUSE in homeuser setting, a good default but user-modifyable is sufficient in my eyes. -- openSUSE Feature: https://features.opensuse.org/312876
Feature changed by: Per Jessen (pjessen) Feature #312876, revision 9 Title: Deny individual users' access to screen-saver settings openSUSE Distribution: Unconfirmed Priority Requester: Important Requested by: Per Jessen (pjessen) Partner organization: openSUSE.org Description: This is an extension of feature#312871, but because it's a little more involved than changing a simple default, I thought it would be better to have a separate feature request. The screen-saver settings for time- out and "require password" are security settings that really should not be freely available to the individual user. I propose that we 1) set a reasonable default (60sec, 15sec, always require passwd) (see feature#312871) and 2) only let these settings be modified by someone with root-access. To a regular user, the timeout and "require password" settings should appear "greyed out", clearly indicating "not available". Use Case: Office user - the user is able to select a screen-saver, but the other settings cannot be accessed, accidentally or otherwise. The install or admin person need not change anything to get a sane security setup for the desktop. SOHO or home users - same as above, but the default screen-saver settings may be changed by switching to root access. Business case (Partner benefit): openSUSE.org: This is simply a reasonable security measure, fitting nicely into the overall security-conscious profile of openSUSE. Security measures (firewall, apparmor, encryption etc) are typically accessible only with root-access; it's only sensible that we apply this principle to the screen-saver settings too. Discussion: #1: Todd R (theblackcat) (2011-10-25 16:37:32) I think this is backwards. If offices or home users think it is that important to prevent users from changing their screensaver settings, then they can use kiosk to prevent it. If they have that serious of security concerns they should be using kiosk to prevent dangerous actions anyway, so this shouldn't be much additional trouble (it took me about ten seconds on google to find the relevant kiosk settings). However, implementing this makes it extremely difficult in environments where screen locking is not important. For most home users this would add zero security benefit but a ton of hassle. It also makes things very difficult for offices that think users can make their own judgment about whether a screen locker helps or hampers them, and this would wreck security models that prevent users from having root access. So if we keep things as-is it is fairly easy to add restrictions to prevent changing the settings, so the burden on people who want the feature is small. However, if we go with this suggestion, then it adds a huge burden to people who don't want it. Things like apparmor, disk settings, and firewall are things that users should never have any need to touch. But desktop customization settings, like screensavers, are things that users very often do change and are often allowed to change to suit their own work habits. You may think that preventing users from changing their locker settings is an important measure for security, but that is up to each office to decide and implement. The tools to do so are already available. #5: Per Jessen (pjessen) (2011-10-25 18:07:06) (reply to #1) I wasn't aware of Kiosk, thanks. I disagree with most of the rest you're saying though. To accommodate both sides, perhaps we could simply make this a tickbox at installation-time. #2: Ruediger Meier (rudi_m) (2011-10-25 17:25:53) If a user is keeping it's session open for others then it affects user's security only. IMO it's usually not root's part to protect the user from himself. Teaching the user to do better would be enough. #4: Per Jessen (pjessen) (2011-10-25 18:02:24) (reply to #2) Sorry, but you are wrong - if a user does not lock his screen when he is a way from it, it exposes/endangers everything to which this user has access. Wrt teaching users - my experience tells me that it isn't possible and also rarely accepted accepted by a security auditor. #6: Ruediger Meier (rudi_m) (2011-10-25 18:56:30) (reply to #4)
[...] it exposes/endangers everything to which this user has access. That's exactly what I've said. It _only_ affects what the user has access too.
+ #7: Per Jessen (pjessen) (2011-10-25 19:11:41) (reply to #6) + There is surely a reason why we give people passwords (namely to + protect their data and privileges). Most users in an office environment + will be trusted with data other than their own. Why protect all of that + with a password if the user can just (accidentally or otherwise) leave + it for everyone to peruse. #3: Marcus Meissner (msmeissn) (2011-10-25 08:30:41) This is something where a system wide (root modifyable) policy setting woiuld be used to either deny/allow users these changes. for openSUSE in homeuser setting, a good default but user-modifyable is sufficient in my eyes. -- openSUSE Feature: https://features.opensuse.org/312876
Feature changed by: Per Jessen (pjessen) Feature #312876, revision 10 Title: Deny individual users' access to screen-saver settings openSUSE Distribution: Unconfirmed Priority Requester: Important Requested by: Per Jessen (pjessen) Partner organization: openSUSE.org Description: This is an extension of feature#312871, but because it's a little more involved than changing a simple default, I thought it would be better to have a separate feature request. The screen-saver settings for time- out and "require password" are security settings that really should not be freely available to the individual user. I propose that we 1) set a reasonable default (60sec, 15sec, always require passwd) (see feature#312871) and 2) only let these settings be modified by someone with root-access. To a regular user, the timeout and "require password" settings should appear "greyed out", clearly indicating "not available". Use Case: Office user - the user is able to select a screen-saver, but the other settings cannot be accessed, accidentally or otherwise. The install or admin person need not change anything to get a sane security setup for the desktop. SOHO or home users - same as above, but the default screen-saver settings may be changed by switching to root access. Business case (Partner benefit): openSUSE.org: This is simply a reasonable security measure, fitting nicely into the overall security-conscious profile of openSUSE. Security measures (firewall, apparmor, encryption etc) are typically accessible only with root-access; it's only sensible that we apply this principle to the screen-saver settings too. Discussion: #1: Todd R (theblackcat) (2011-10-25 16:37:32) I think this is backwards. If offices or home users think it is that important to prevent users from changing their screensaver settings, then they can use kiosk to prevent it. If they have that serious of security concerns they should be using kiosk to prevent dangerous actions anyway, so this shouldn't be much additional trouble (it took me about ten seconds on google to find the relevant kiosk settings). However, implementing this makes it extremely difficult in environments where screen locking is not important. For most home users this would add zero security benefit but a ton of hassle. It also makes things very difficult for offices that think users can make their own judgment about whether a screen locker helps or hampers them, and this would wreck security models that prevent users from having root access. So if we keep things as-is it is fairly easy to add restrictions to prevent changing the settings, so the burden on people who want the feature is small. However, if we go with this suggestion, then it adds a huge burden to people who don't want it. Things like apparmor, disk settings, and firewall are things that users should never have any need to touch. But desktop customization settings, like screensavers, are things that users very often do change and are often allowed to change to suit their own work habits. You may think that preventing users from changing their locker settings is an important measure for security, but that is up to each office to decide and implement. The tools to do so are already available. #5: Per Jessen (pjessen) (2011-10-25 18:07:06) (reply to #1) I wasn't aware of Kiosk, thanks. I disagree with most of the rest you're saying though. To accommodate both sides, perhaps we could simply make this a tickbox at installation-time. + #8: Per Jessen (pjessen) (2011-10-25 19:15:18) (reply to #1) + Todd, could you get in touch by email, please? I've been reading up on + Kiosktool, which looks quite promising, but I've spent way more than + ten seconds googling :-), so a link to howto or similar would be really + cool. The tool kiosk gui itself doesn't seem entirely intuitive, at + least I couldn't find any of the settings I needed. #2: Ruediger Meier (rudi_m) (2011-10-25 17:25:53) If a user is keeping it's session open for others then it affects user's security only. IMO it's usually not root's part to protect the user from himself. Teaching the user to do better would be enough. #4: Per Jessen (pjessen) (2011-10-25 18:02:24) (reply to #2) Sorry, but you are wrong - if a user does not lock his screen when he is a way from it, it exposes/endangers everything to which this user has access. Wrt teaching users - my experience tells me that it isn't possible and also rarely accepted accepted by a security auditor. #6: Ruediger Meier (rudi_m) (2011-10-25 18:56:30) (reply to #4)
[...] it exposes/endangers everything to which this user has access. That's exactly what I've said. It _only_ affects what the user has access too.
#7: Per Jessen (pjessen) (2011-10-25 19:11:41) (reply to #6) There is surely a reason why we give people passwords (namely to protect their data and privileges). Most users in an office environment will be trusted with data other than their own. Why protect all of that with a password if the user can just (accidentally or otherwise) leave it for everyone to peruse. #3: Marcus Meissner (msmeissn) (2011-10-25 08:30:41) This is something where a system wide (root modifyable) policy setting woiuld be used to either deny/allow users these changes. for openSUSE in homeuser setting, a good default but user-modifyable is sufficient in my eyes. -- openSUSE Feature: https://features.opensuse.org/312876
Feature changed by: Karl Cheng (qantas94heavy) Feature #312876, revision 11 Title: Deny individual users' access to screen-saver settings - openSUSE Distribution: Unconfirmed + openSUSE Distribution: New Priority Requester: Important Requested by: Per Jessen (pjessen) Partner organization: openSUSE.org Description: This is an extension of feature#312871, but because it's a little more involved than changing a simple default, I thought it would be better to have a separate feature request. The screen-saver settings for time- out and "require password" are security settings that really should not be freely available to the individual user. I propose that we 1) set a reasonable default (60sec, 15sec, always require passwd) (see feature#312871) and 2) only let these settings be modified by someone with root-access. To a regular user, the timeout and "require password" settings should appear "greyed out", clearly indicating "not available". Use Case: Office user - the user is able to select a screen-saver, but the other settings cannot be accessed, accidentally or otherwise. The install or admin person need not change anything to get a sane security setup for the desktop. SOHO or home users - same as above, but the default screen-saver settings may be changed by switching to root access. Business case (Partner benefit): openSUSE.org: This is simply a reasonable security measure, fitting nicely into the overall security-conscious profile of openSUSE. Security measures (firewall, apparmor, encryption etc) are typically accessible only with root-access; it's only sensible that we apply this principle to the screen-saver settings too. Discussion: #1: Todd R (theblackcat) (2011-10-25 16:37:32) I think this is backwards. If offices or home users think it is that important to prevent users from changing their screensaver settings, then they can use kiosk to prevent it. If they have that serious of security concerns they should be using kiosk to prevent dangerous actions anyway, so this shouldn't be much additional trouble (it took me about ten seconds on google to find the relevant kiosk settings). However, implementing this makes it extremely difficult in environments where screen locking is not important. For most home users this would add zero security benefit but a ton of hassle. It also makes things very difficult for offices that think users can make their own judgment about whether a screen locker helps or hampers them, and this would wreck security models that prevent users from having root access. So if we keep things as-is it is fairly easy to add restrictions to prevent changing the settings, so the burden on people who want the feature is small. However, if we go with this suggestion, then it adds a huge burden to people who don't want it. Things like apparmor, disk settings, and firewall are things that users should never have any need to touch. But desktop customization settings, like screensavers, are things that users very often do change and are often allowed to change to suit their own work habits. You may think that preventing users from changing their locker settings is an important measure for security, but that is up to each office to decide and implement. The tools to do so are already available. #5: Per Jessen (pjessen) (2011-10-25 18:07:06) (reply to #1) I wasn't aware of Kiosk, thanks. I disagree with most of the rest you're saying though. To accommodate both sides, perhaps we could simply make this a tickbox at installation-time. #8: Per Jessen (pjessen) (2011-10-25 19:15:18) (reply to #1) Todd, could you get in touch by email, please? I've been reading up on Kiosktool, which looks quite promising, but I've spent way more than ten seconds googling :-), so a link to howto or similar would be really cool. The tool kiosk gui itself doesn't seem entirely intuitive, at least I couldn't find any of the settings I needed. #2: Ruediger Meier (rudi_m) (2011-10-25 17:25:53) If a user is keeping it's session open for others then it affects user's security only. IMO it's usually not root's part to protect the user from himself. Teaching the user to do better would be enough. #4: Per Jessen (pjessen) (2011-10-25 18:02:24) (reply to #2) Sorry, but you are wrong - if a user does not lock his screen when he is a way from it, it exposes/endangers everything to which this user has access. Wrt teaching users - my experience tells me that it isn't possible and also rarely accepted accepted by a security auditor. #6: Ruediger Meier (rudi_m) (2011-10-25 18:56:30) (reply to #4)
[...] it exposes/endangers everything to which this user has access. That's exactly what I've said. It _only_ affects what the user has access too.
#7: Per Jessen (pjessen) (2011-10-25 19:11:41) (reply to #6) There is surely a reason why we give people passwords (namely to protect their data and privileges). Most users in an office environment will be trusted with data other than their own. Why protect all of that with a password if the user can just (accidentally or otherwise) leave it for everyone to peruse. #3: Marcus Meissner (msmeissn) (2011-10-25 08:30:41) This is something where a system wide (root modifyable) policy setting woiuld be used to either deny/allow users these changes. for openSUSE in homeuser setting, a good default but user-modifyable is sufficient in my eyes. -- openSUSE Feature: https://features.opensuse.org/312876
Feature changed by: Tomáš Chvátal (scarabeus_iv) Feature #312876, revision 12 Title: Deny individual users' access to screen-saver settings - openSUSE Distribution: New + openSUSE Distribution: Rejected by Tomáš Chvátal (scarabeus_iv) + reject reason: This is not so popular and nowadays our default is to + use power management to handle this. If needed open an upstream bug. Priority Requester: Important Requested by: Per Jessen (pjessen) Partner organization: openSUSE.org Description: This is an extension of feature#312871, but because it's a little more involved than changing a simple default, I thought it would be better to have a separate feature request. The screen-saver settings for time- out and "require password" are security settings that really should not be freely available to the individual user. I propose that we 1) set a reasonable default (60sec, 15sec, always require passwd) (see feature#312871) and 2) only let these settings be modified by someone with root-access. To a regular user, the timeout and "require password" settings should appear "greyed out", clearly indicating "not available". Use Case: Office user - the user is able to select a screen-saver, but the other settings cannot be accessed, accidentally or otherwise. The install or admin person need not change anything to get a sane security setup for the desktop. SOHO or home users - same as above, but the default screen-saver settings may be changed by switching to root access. Business case (Partner benefit): openSUSE.org: This is simply a reasonable security measure, fitting nicely into the overall security-conscious profile of openSUSE. Security measures (firewall, apparmor, encryption etc) are typically accessible only with root-access; it's only sensible that we apply this principle to the screen-saver settings too. Discussion: #1: Todd R (theblackcat) (2011-10-25 16:37:32) I think this is backwards. If offices or home users think it is that important to prevent users from changing their screensaver settings, then they can use kiosk to prevent it. If they have that serious of security concerns they should be using kiosk to prevent dangerous actions anyway, so this shouldn't be much additional trouble (it took me about ten seconds on google to find the relevant kiosk settings). However, implementing this makes it extremely difficult in environments where screen locking is not important. For most home users this would add zero security benefit but a ton of hassle. It also makes things very difficult for offices that think users can make their own judgment about whether a screen locker helps or hampers them, and this would wreck security models that prevent users from having root access. So if we keep things as-is it is fairly easy to add restrictions to prevent changing the settings, so the burden on people who want the feature is small. However, if we go with this suggestion, then it adds a huge burden to people who don't want it. Things like apparmor, disk settings, and firewall are things that users should never have any need to touch. But desktop customization settings, like screensavers, are things that users very often do change and are often allowed to change to suit their own work habits. You may think that preventing users from changing their locker settings is an important measure for security, but that is up to each office to decide and implement. The tools to do so are already available. #5: Per Jessen (pjessen) (2011-10-25 18:07:06) (reply to #1) I wasn't aware of Kiosk, thanks. I disagree with most of the rest you're saying though. To accommodate both sides, perhaps we could simply make this a tickbox at installation-time. #8: Per Jessen (pjessen) (2011-10-25 19:15:18) (reply to #1) Todd, could you get in touch by email, please? I've been reading up on Kiosktool, which looks quite promising, but I've spent way more than ten seconds googling :-), so a link to howto or similar would be really cool. The tool kiosk gui itself doesn't seem entirely intuitive, at least I couldn't find any of the settings I needed. #2: Ruediger Meier (rudi_m) (2011-10-25 17:25:53) If a user is keeping it's session open for others then it affects user's security only. IMO it's usually not root's part to protect the user from himself. Teaching the user to do better would be enough. #4: Per Jessen (pjessen) (2011-10-25 18:02:24) (reply to #2) Sorry, but you are wrong - if a user does not lock his screen when he is a way from it, it exposes/endangers everything to which this user has access. Wrt teaching users - my experience tells me that it isn't possible and also rarely accepted accepted by a security auditor. #6: Ruediger Meier (rudi_m) (2011-10-25 18:56:30) (reply to #4)
[...] it exposes/endangers everything to which this user has access. That's exactly what I've said. It _only_ affects what the user has access too.
#7: Per Jessen (pjessen) (2011-10-25 19:11:41) (reply to #6) There is surely a reason why we give people passwords (namely to protect their data and privileges). Most users in an office environment will be trusted with data other than their own. Why protect all of that with a password if the user can just (accidentally or otherwise) leave it for everyone to peruse. #3: Marcus Meissner (msmeissn) (2011-10-25 08:30:41) This is something where a system wide (root modifyable) policy setting woiuld be used to either deny/allow users these changes. for openSUSE in homeuser setting, a good default but user-modifyable is sufficient in my eyes. -- openSUSE Feature: https://features.opensuse.org/312876
participants (1)
-
fate_noreply@suse.de