[opensuse-security] Re: [opensuse-gnome] Timezone and printer settings too restrictive by default
On Tue, 28 Feb 2012, Bryen M Yunashko wrote:
> And the time issue isn't just about timezones, but also about changing time itself and/or syncing up to NTP. And from an administrated-machine standpoint, there may be reasons why we don't want our users to fiddle with the clock itself.
Oh, I get the part about the clock. However, I am not suggesting the user shall change time or date, I am focusing on timezone here. If this requires the same set of privileges, the security design may be in need of some love and care. I'm also fine having a more liberal default when the underlying device is detected to be portable (notebook, tablet, ...). Just treating Daniela's or "significant other"'s notebook like one of those multi-user UNIX servers in the old days does not make sense. Those could not be hauled around nearly as easily to begin with. :-)
> As for printers... I see the issue being installation of drivers. If we're setting up a printer which has a driver already installed on the machine, then no, password should not be required like that.
Great, we agree on that.
> But if setting up the printer means downloading the driver... then it should be treated the same way as any other software installation which requires system authentication.
And I can agree on that. Installation of new software, not yet on
the systems or authorized somehow (for example, Linus could have
put all acceptable drivers somewhere on the machine for the system
to pick up in case of need) is a different beast.
Let's focus on the simple cases for now: Timezone (not clock)
and printers (no new drivers).
Gerald
--
Dr. Gerald Pfeifer
On 2012-02-29 00:36, Gerald Pfeifer wrote:
> Oh, I get the part about the clock. However, I am not suggesting the user shall change time or date, I am focusing on timezone here. If this requires the same set of privileges, the security design may be in need of some love and care.
I don't see what problem there could be about changing one's timezone. In the CLI you can do that as user, because you are not changing the system clock. It is just your own environment variables, you can change any. If GNOME doesn't allow it, then it is indeed a bug.
--
Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar)
--
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-security+owner@opensuse.org
Hello,
On Feb 29 00:36 Gerald Pfeifer wrote (excerpt):
> On Tue, 28 Feb 2012, Bryen M Yunashko wrote:
>> As for printers... I see the issue being installation of drivers. If we're setting up a printer which has a driver already installed on the machine, then no, password should not be required like that.
> Great, we agree on that.
Of course it is not as easy as you think. Your current point of view "printer setup on my own machine" does not apply in any case. In corporate environments where an admin maintains the workstations it is usually not wanted that users can change how workstations print because this can cause printing security issues in the whole network, see "print job phishing" at http://en.opensuse.org/SDB:CUPS_and_SANE_Firewall_settings
>> But if setting up the printer means downloading the driver... then it should be treated the same way as any other software installation which requires system authentication.
> And I can agree on that. Installation of new software, not yet on the systems or authorized somehow (for example, Linus could have put all acceptable drivers somewhere on the machine for the system to pick up in case of need) is a different beast.
For your current use case "printer setup on my own machine" why should the user not also install a driver on his own machine? More and more printers require a driver from the manufacturer. In particular low-level printers which are of major interest for the use case "printer setup on my own machine". Of course long ago I had already filed a matching FATE request https://features.opensuse.org/307745 but nobody - in particular nobody of the management - cares.
Kind Regards
Johannes Meixner
--
SUSE LINUX Products GmbH -- Maxfeldstrasse 5 -- 90409 Nuernberg -- Germany
HRB 16746 (AG Nuernberg) GF: Jeff Hawn, Jennifer Guild, Felix Imendoerffer
On Wed, 29 Feb 2012, Johannes Meixner wrote:
> In corporate environments where an admin maintains the workstations it is usually not wanted that users can change how workstations print because this can cause printing security issues in the whole network, see "print job phishing"
In corporate environments where an admin maintains the workstations, said admins can easily increase whatever security levels she desires to increase. A vanilla openSUSE installation is not exactly most common in such environments. It's a lot more common, as we see every day, in those cases Linus and I are concerned about. (In fact, a couple of SUSE employees contacted me in the last 24 hours indicating "Yes, I do have the root password, but this really has annoyed me all the time.")
> Of course long ago I had already filed a matching FATE request https://features.opensuse.org/307745 but nobody - in particular nobody of the management - cares.
I am sorry your request did not get picked up for openSUSE. As far as
all SUSE products go, indeed I am (Mr. Product) Management. openSUSE is
not a SUSE product, though, and there I am just a lowly contributor like
everyone else. :-) With a bit of influence, admittedly, in suggesting
what SUSE engineering teams contribute to openSUSE, but not in the
sense of classic (product) management.
Gerald
--
Dr. Gerald Pfeifer
participants (3): Carlos E. R., Gerald Pfeifer, Johannes Meixner