[opensuse] Should openSUSE review its Security Policies?
As many are aware, Linus Torvalds has started a rant about the security policies in openSUSE for things that require the root password. From his Google+ post (https://plus.google.com/102150693225130002912/posts/1vyfmNCYpi5), he names these:
Time Zone changes
Adding a Printer
Adding a wireless network.
Now, I don't usually see the wireless issue because KNetworkmanager in KDE3 (which I use) has never asked the root password for adding a new network. While at 37, I've never changed timezones (I lead a boring life) I would have to agree that having to use the root password for this would be annoying if I needed to change it because of a flight or something. I've worked with Linus on a hardware issue years ago, and I think we should probably at least consider reviewing the policies if they do need changed. Just my 2 cents.
-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
Larry Stotler wrote:
As many are aware, Linus Torvalds has started a rant about the security policies in openSUSE for things that require the root password. From his Google+ post (https://plus.google.com/102150693225130002912/posts/1vyfmNCYpi5), he names these:
Time Zone changes Adding a Printer Adding a wireless network.
Those things should be set as a policy. Some companies like to lock down systems, where users can't choose anything, but they should not be mandatory, as appears to be the case. Certainly WiFi should be done by users, unless a company wants to send a tech along with employees to hotels, coffee shops etc. There was a lot of discussion on this list a while ago and the general consensus was that requiring root for WiFi has to be one of the most idiotic decisions ever. As Linus mentioned, he doesn't want to have to follow his kids around, just so they can use WiFi. By comparison, I'm currently working on a project for a large insurance company and they provided me with a notebook computer for use while connected to their network. Everything is locked down, so that I can't add anything or make changes to the config etc., but they allow connection to public WiFi and even include a utility to make accessing public hot spots easier. This clearly illustrates the idiocy of the current root password for WiFi on openSUSE. Whoever dreamed up that one has clearly never worked in the real world, where employees are given a notebook to use elsewhere and expected to do so. Nor must they have kids with notebooks. As far as I'm concerned, such a decision should be a "firing offence". It is just flat out wrong, without any justification. By all means make it an option, configurable by root, but never, *EVER* mandatory, the way it is now. The way it is now, it simply defeats the point of wireless, when used on a corporate computer. If there was ever a bad decision, this is it.
On Wed, 2012-02-29 at 14:56 -0500, James Knott wrote: Add to that limiting network broadcasts to root. Lots of software uses this method to locate devices. For us this includes GigE Vision cameras, network lasers, and a host of measurement transducers. Being root for this has been a real PITA. -- Yours sincerely, Roger Oberholtzer OPQ Systems / Ramböll RST Office: Int +46 10-615 60 20 Mobile: Int +46 70-815 1696 roger.oberholtzer@ramboll.se ________________________________________ Ramböll Sverige AB Krukmakargatan 21 P.O. Box 17009 SE-104 62 Stockholm, Sweden www.rambollrst.se
On 29.02.2012 20:56, James Knott wrote:
Larry Stotler wrote:
As many are aware, Linus Torvalds has started a rant about the security policies in openSUSE for things that require the root password. From his Google+ post (https://plus.google.com/102150693225130002912/posts/1vyfmNCYpi5), he names these:
Time Zone changes Adding a Printer Adding a wireless network.
Those things should be set as a policy. Some companies like to lock down systems, where users can't choose anything, but they should not be mandatory, as appears to be the case. Certainly WiFi should be done by users, unless a company wants to send a tech along with employees to hotels, coffee shops etc. There was a lot of discussion on this list a while ago and the general consensus was that requiring root for WiFi has to be one of the most idiotic decisions ever. As Linus mentioned, he doesn't want to have to follow his kids around, just so they can use WiFi. By comparison, I'm currently working on a project for a large insurance company and they provided me with a notebook computer for use while connected to their network. Everything is locked down, so that I can't add anything or make changes to the config etc., but they allow connection to public WiFi and even include a utility to make accessing public hot spots easier. This clearly illustrates the idiocy of the current root password for WiFi on openSUSE. Whoever dreamed up that one has clearly never worked in the real world, where employees are given a notebook to use elsewhere and expected to do so. Nor must they have kids with notebooks. As far as I'm concerned, such a decision should be a "firing offence". It is just flat out wrong, without any justification. By all means make it an option, configurable by root, but never, *EVER* mandatory, the way it is now. The way it is now, it simply defeats the point of wireless, when used on a corporate computer.
If there was ever a bad decision, this is it.
Then I'd go with creating a request on openFATE or discuss it on factory (afaik it is already). On the other hand, I've seen three threads about this issue so far, just wondering, would this also get so much attention if I would rant about this instead of Linus?
Kim Leyendecker wrote:
Then I'd go with creating a request on openFATE or discuss it on factory (afaik it is already). On the other hand, I've seen three threads about this issue so far, just wondering, would this also get so much attention if I would rant about this instead of Linus?
I was aware of this issue before I read his comments. I have provided computer support in the corporate world and cannot imagine why anyone would decide requiring root password for WiFi was a good idea. In the corporate world, users do not generally get the root or admin password. This means they cannot take their notebook computer from work and use WiFi anywhere else, if that password is required. In the past couple of months, I have stayed at three hotels and used the hotel WiFi. If I needed admin password (the computer I was given runs Windows) to connect to the hotel's WiFi, I could not have had Internet access, which I required to do my work. This clearly illustrates why root password must not be mandatory. Make it optional if needed, but never mandatory. As for adding printers, how many people bring their work computers home and connect to their own printers? Again, with this insurance company project, I am expected to go to a site and connect to the local printer. How can I do that without the root (admin) password? I might allow time zone, as that can affect file access times, which can become a security issue. However, since Linux uses UTC (GMT) for file times, this issue only affects what the user sees on the computer and nothing else.
On 2012-02-29 21:20, James Knott wrote:
I might allow time zone, as that can affect file access times, which can become a security issue.
Not in Linux, it is not an issue. And you can choose the timezone in the CLI as plain user, no problem. -- Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar)
On Wednesday 29 February 2012 15:20:19 James Knott wrote:
Kim Leyendecker wrote:
Then I'd go with creating a request on openFATE or discuss it on factory (afaik it is already). On the other hand, I've seen three threads about this issue so far, just wondering, would this also get so much attention if I would rant about this instead of Linus?
I was aware of this issue before I read his comments. I have provided computer support in the corporate world and cannot imagine why anyone would decide requiring root password for WiFi was a good idea.
I don't understand this issue - I've never been asked a password for WiFi on openSUSE... NetworkManager doesn't do that, afaik. Or is this a GNOME Shell issue?
In the corporate world, users do not generally get the root or admin password. This means they cannot take their notebook computer from work and use WiFi anywhere else, if that password is required. In the past couple of months, I have stayed at three hotels and used the hotel WiFi. If I needed admin password (the computer I was given runs Windows) to connect to the hotel's WiFi, I could not have had Internet access, which I required to do my work. This clearly illustrates why root password must not be mandatory. Make it optional if needed, but never mandatory. As for adding printers, how many people bring their work computers home and connect to their own printers? Again, with this insurance company project, I am expected to go to a site and connect to the local printer. How can I do that without the root (admin) password?
As I wrote before, the problem afaik was that the printer didn't have a driver installed. Installing drivers requires root password, installing a printer for which drivers are present does not. Afaik. I don't remember installing printers, I usually just connect the cable and the printer shows up in KDE application print dialogs...
I might allow time zone, as that can affect file access times, which can become a security issue. However, since Linux uses UTC (GMT) for file times, this issue only affects what the user sees on the computer and nothing else.
Changing the CLOCK TIMEZONE or the desktop timezone should not require a root password. It doesn't, in GNOME 2, XFCE, LXDE and KDE. In GNOME Shell 3.2 this was simply not implemented very well yet. Should be fixed in 3.4.
Jos Poortvliet wrote:
I don't understand this issue - I've never been asked a password for WiFi on openSUSE... NetworkManager doesn't do that, afaik.
In 12.1 configuring a new WiFi connection requires root password. Once it's been configured, it works without root password.
On Wed, Mar 28, 2012 at 09:35:47PM -0400, James Knott wrote:
Jos Poortvliet wrote:
Changing the CLOCK TIMEZONE or the desktop timezone should not require a root password.
It does in 12.1.
The problem here was that the applet had timezone and time change as same privilege and not as split privileges. Timezone changes basically are allowable for users, but time changes are "bad" as they void logfile integrity. This is GNOME 3 specific and Vincent opened an upstream bug already to split them again. Ciao, Marcus
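Marcus Meissner's distinction above (time zone changes are harmless for users, clock changes void log-file integrity), together with the earlier point in the thread that Linux keeps file times in UTC, can be checked from an unprivileged shell. This is an added example, not part of any message in the thread; the sample epoch and the function names are constructed for illustration, and it assumes GNU coreutils (`touch -d @N`, `stat -c`, `date -d @N`).

```shell
#!/bin/sh
# Added illustration: a time zone is only a rendering rule applied to a
# UTC-based timestamp. An unprivileged, per-process TZ change therefore
# cannot alter what is stored on disk or in logs, whereas setting the
# system clock changes the values that get stored from then on.
# POSIX TZ strings (UTC0, EST5, CET-1) are used so no tzdata is needed.

SAMPLE_EPOCH=1330545600   # constructed sample: 2012-02-29 20:00:00 UTC

# Create a scratch file whose mtime is SAMPLE_EPOCH and print its path.
make_sample() {
    f=$(mktemp) || return 1
    touch -d "@$SAMPLE_EPOCH" "$f" || return 1
    printf '%s\n' "$f"
}

# Stored mtime (seconds since the epoch) as read under time zone $1.
stored_mtime() {
    TZ="$1" stat -c %Y "$2"
}

# Human-readable mtime as rendered under time zone $1.
shown_mtime() {
    TZ="$1" date -d "@$(stat -c %Y "$2")" '+%Y-%m-%d %H:%M'
}

# Walk three zones: the stored value stays fixed, only the rendering moves.
sample=$(make_sample)
for tz in UTC0 EST5 CET-1; do
    printf '%-6s stored=%s shown=%s\n' "$tz" \
        "$(stored_mtime "$tz" "$sample")" "$(shown_mtime "$tz" "$sample")"
done
rm -f "$sample"
```
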
On 29/03/12 17:06, Marcus Meissner wrote:
On Wed, Mar 28, 2012 at 09:35:47PM -0400, James Knott wrote:
Jos Poortvliet wrote:
Changing the CLOCK TIMEZONE or the desktop timezone should not require a root password.
It does in 12.1.
The problem here was that the applet had timezone and time change as same privilege and not as split privileges.
Timezone changes basically are allowable for users, but time changes are "bad" as they void logfile integrity.
This is GNOME 3 specific and Vincent opened an upstream bug already to split them again.
Ciao, Marcus
I guess that this may be an opportune time to introduce the suggestion that perhaps there should be 2 separate mail lists for general HELP: one titled KDE and the other GNOME. The other alternative is to ask people to always mention that they are using Gnome and that their question is to do with the Gnome DE because most of the people in this list are KDE users and therefore always incorrectly assume that the question is to do with KDE and not Gnome. I know that there is a Gnome list as well as a KDE list but people have been conditioned to regard them as lists to talk about "development" problems about "yet to be released stuff" in Factory and Kernel. BC -- Why isn't there mouse-flavoured cat food?
On Thu, 29 Mar 2012 17:36:15 +1100 Basil Chupin <blchupin@iinet.net.au> wrote:
I know that there is a Gnome list as well as a KDE list but people have been conditioned to regard them as lists to talk about "development" problems about "yet to be released stuff" in Factory and Kernel.
http://en.opensuse.org/openSUSE:Mailing_lists Lists opensuse-kde@opensuse.org and opensuse-gnome@opensuse.org are listed under topic lists, not development. opensuse@opensuse.org is actually for all openSUSE topics until there is reason to redirect, like people that are able to help don't frequent this list. Nice example would be question about development version which is discussed only on opensuse-factory. -- Regards, Rajko
On Saturday, 31 March 2012, 19:18:42, Brian K. White wrote:
On 3/29/2012 2:36 AM, Basil Chupin wrote:
most of the people in this list are KDE users
That's fascinating. How do you divine this?
Simply by assuming the same statistical distribution applies to this list and the distro. KDE is the most often used DE among oS users and hence most users on this list are assumed to use KDE. The former was measured some time ago. Sven
On 01/04/12 10:41, Sven Burmeister wrote:
On Saturday, 31 March 2012, 19:18:42, Brian K. White wrote:
On 3/29/2012 2:36 AM, Basil Chupin wrote:
most of the people in this list are KDE users
That's fascinating. How do you divine this?
Simply by assuming the same statistical distribution applies to this list and the distro.
KDE is the most often used DE among oS users and hence most users on this list are assumed to use KDE. The former was measured some time ago.
Sven
Just in support of this:
http://www.muktware.com/survey/3444/poll-which-de-you-use BC -- Why isn't there mouse-flavoured cat food?
On 2012-04-01 08:54, Basil Chupin wrote:
Just in support of this:
Online polls are by definition biased. There is not a controlled sample population. -- Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar)
On 04/01/2012 02:41 AM, Sven Burmeister wrote:
On Saturday, 31 March 2012, 19:18:42, Brian K. White wrote:
On 3/29/2012 2:36 AM, Basil Chupin wrote:
most of the people in this list are KDE users
That's fascinating. How do you divine this?
Simply by assuming the same statistical distribution applies to this list and the distro.
KDE is the most often used DE among oS users and hence most users on this list are assumed to use KDE. The former was measured some time ago.
Btw. Have a look at these numbers: http://news.opensuse.org/2011/11/19/opensuse-12-1-launch-feedback/ Andreas -- Andreas Jaeger aj@{suse.com,opensuse.org} Twitter/Identica: jaegerandi SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany GF: Jeff Hawn,Jennifer Guild,Felix Imendörffer,HRB16746 (AG Nürnberg) GPG fingerprint = 93A3 365E CE47 B889 DF7F FED1 389A 563C C272 A126
On 2012-04-02 08:37, Andreas Jaeger wrote:
On 04/01/2012 02:41 AM, Sven Burmeister wrote:
Btw. Have a look at these numbers:
http://news.opensuse.org/2011/11/19/opensuse-12-1-launch-feedback/
GNOME-LiveCD: 7392 KDE-LiveCD: 5561 So, most users are gnome users, not kde :-) -- Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar)
On Monday, April 02, 2012 13:51:24 Carlos E. R. wrote:
On 2012-04-02 08:37, Andreas Jaeger wrote:
On 04/01/2012 02:41 AM, Sven Burmeister wrote:
Btw. Have a look at these numbers:
http://news.opensuse.org/2011/11/19/opensuse-12-1-launch-feedback/
GNOME-LiveCD: 7392 KDE-LiveCD: 5561
So, most users are gnome users, not kde :-)
Yep, if you only cite some numbers and leave out the others, this is a perfect reasoning. Those are the 32-bit numbers. 64-bit x86-64 numbers: GNOME-LiveCD: 4031 KDE-LiveCD: 4378 Andreas
On Monday 02 Apr 2012 14:02:27 Andreas Jaeger wrote:
On Monday, April 02, 2012 13:51:24 Carlos E. R. wrote:
On 2012-04-02 08:37, Andreas Jaeger wrote:
On 04/01/2012 02:41 AM, Sven Burmeister wrote:
Btw. Have a look at these numbers:
http://news.opensuse.org/2011/11/19/opensuse-12-1-launch-feedback/
GNOME-LiveCD: 7392 KDE-LiveCD: 5561
So, most users are gnome users, not kde :-)
Yep, if you only cite some numbers and leave out the others, this is a perfect reasoning.
A priori, the higher number of GNOME i586 LiveCD downloads can be explained by our users' curiosity about the first openSUSE with a stable GNOME 3 on it, since this was the headline item in our release publicity, and (factoring out ethnic rivalries) the most interesting thing about 12.1. I would like to point out that we should be able to do a lot better than 90000 downloads total in the first 24 hours and quibbling about the desktop share of a four-figure fraction of that is a pitiful waste of this community's time, which would be better invested in making release publicity for 12.2, building up grassroots promotion channels and, dare I say it, engineering. Will -- Will Stephenson, openSUSE Board, Booster, KDE Developer SUSE LINUX GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 21284 (AG Nürnberg) Maxfeldstraße 5 90409 Nürnberg Germany
On 2012-04-02 14:43, Will Stephenson wrote:
A priori, the higher number of GNOME i586 LiveCD downloads can be explained by our users' curiosity about the first openSUSE with a stable GNOME 3 on it, since this was the headline item in our release publicity, and (factoring out ethnic rivalries) the most interesting thing about 12.1.
It is possible. I would be curious about the numbers if 11.2 also offered CDs for other desktops.
I would like to point out that we should be able to do a lot better than 90000 downloads total in the first 24 hours and quibbling about the desktop share of a four-figure fraction of that is a pitiful waste of this community's time, which would be better invested in making release publicity for 12.2, building up grassroots promotion channels and, dare I say it, engineering.
Indeed :-) -- Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar)
On 2012-04-02 14:02, Andreas Jaeger wrote:
On Monday, April 02, 2012 13:51:24 Carlos E. R. wrote:
So, most users are gnome users, not kde :-)
Yep, if you only cite some numbers and leave out the others, this is a perfect reasoning.
I know, that was intentional on my part. I wanted to tease a bit the kde fans O:-)
Those are the 32-bit numbers.
64-bit x86-64 numbers: GNOME-LiveCD: 4031 KDE-LiveCD: 4378
Even adding both 32 and 64 bits download, gnome wins. However, many more people downloaded the dvd, but here it is not possible to know what they install (I install both gnome and kde). -- Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar)
On Mon, 2012-04-02 at 13:51 +0200, Carlos E. R. wrote:
On 2012-04-02 08:37, Andreas Jaeger wrote:
On 04/01/2012 02:41 AM, Sven Burmeister wrote:
Btw. Have a look at these numbers:
http://news.opensuse.org/2011/11/19/opensuse-12-1-launch-feedback/
GNOME-LiveCD: 7392 KDE-LiveCD: 5561
So, most users are gnome users, not kde :-)
Or, first they downloaded and burned the image to CD. After booting it, they come to the conclusion that something must have gone wrong during the download, so they download it again, and again... But the quality doesn't improve ;-)))
On Wed, 28 Mar 2012 21:35:47 -0400 James Knott <james.knott@rogers.com> wrote:
It does in 12.1.
Not in KDE and default clock plasmoid. As a matter of fact you can cover desktop with clocks, one for each time zone. In other words don't generalize behavior of your favorite desktop. If you are not happy, it was your choice. -- Regards, Rajko
Rajko M. wrote:
It does in 12.1.
Not in KDE and default clock plasmoid. As a matter of fact you can cover desktop with clocks, one for each time zone.
In other words don't generalize behavior of your favorite desktop.
If you are not happy, it was your choice.
KDE4 on 12.1. Right click on clock, select "Adjust Date and Time", try to change time zone without root password.
On Thu, 29 Mar 2012 20:53:12 -0400 James Knott <james.knott@rogers.com> wrote:
KDE4 on 12.1. Right click on clock, select "Adjust Date and Time", try to change time zone without root password.
Yes, that one requires password as that is attempt to change default time zone for all computer users. I can understand confusion as naming "Adjust Date and Time" does not suggest any specific time setting; system wide (all users), single user, specific type of clock (digital, analog, binary), or just that clock. Fixing this is another topic for project mail list as it affects all desktops, their coexistence in the system and user experience. There are settings for particular clock:
- Right click Digital Clock Settings (or Analog Clock Settings).
- In window that opens click on Time Zones.
- Select time zones of your liking.
- Select from "Clock defaults to:" one that you want to see on that clock.
- Click OK.
Clock will show new time. No need for root password. Add as many clocks as you want and set to different defaults. If you want to have one time zone selection for all clocks on your desktop, you have to use same type of clock, either analog or digital. They don't share time zone list. -- Regards, Rajko
On 2012-02-29 20:56, James Knott wrote:
he names these:
Time Zone changes
You can change the timezone as user via CLI.
Certainly WiFi should be done by users, unless a company wants to send a tech along with employees to hotels, coffee shops etc.
I worked for a company where wifi was strictly forbidden (they also employed antitempest windows). The issue was that wep encryption was weak. Now there is stronger encryption, but I don't see them allowing their employees to freely connect anywhere with the risk of choosing a nonencrypted AP. -- Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar)
Carlos E. R. wrote:
Certainly WiFi should be done by users, unless a company wants to send a tech along with employees to hotels, coffee shops etc.
I worked for a company where wifi was strictly forbidden (they also employed antitempest windows).
The issue was that wep encryption was weak. Now there is stronger encryption, but I don't see them allowing their employees to freely connect anywhere with the risk of choosing a nonencrypted AP.
As I mentioned, the root or admin should be allowed to decide whether to allow it or not. As far as I can see, there's no practical way to change it. Also, if they don't want WiFi, the most secure way is to remove the drivers.
On 29/02/2012 20:40, Larry Stotler wrote:
As many are aware, Linus Torvalds has started a rant about the security policies
What about giving sudo rights to his daughter? jdd
On 02/29/2012 03:13 PM, jdd wrote:
On 29/02/2012 20:40, Larry Stotler wrote:
As many are aware, Linus Torvalds has started a rant about the security policies
What about giving sudo rights to his daughter?
That was one of the suggestions in the google+ comments. -- Robert Schweikert MAY THE SOURCE BE WITH YOU SUSE-IBM Software Integration Center LINUX Tech Lead rjschwei@suse.com rschweik@ca.ibm.com 781-464-8147
On Wed, 2012-02-29 at 15:22 -0500, Robert Schweikert wrote:
On 02/29/2012 03:13 PM, jdd wrote:
On 29/02/2012 20:40, Larry Stotler wrote:
As many are aware, Linus Torvalds has started a rant about the security policies
What about giving sudo rights to his daughter?
That was one of the suggestions in the google+ comments.
sudo has the huge disadvantage that it opens up too much. The app can do anything root can, when perhaps it is a limited thing you want to allow. I think the issue is fine-grained permissions. -- Yours sincerely, Roger Oberholtzer
* Roger Oberholtzer <roger@opq.se> [02-29-12 15:28]:
On Wed, 2012-02-29 at 15:22 -0500, Robert Schweikert wrote:
On 02/29/2012 03:13 PM, jdd wrote:
On 29/02/2012 20:40, Larry Stotler wrote:
As many are aware, Linus Torvalds has started a rant about the security policies
What about giving sudo rights to his daughter?
That was one of the suggestions in the google+ comments.
sudo has the huge disadvantage that it opens up too much. The app can do anything root can, when perhaps it is a limited thing you want to allow.
No, sudo can only do that which root has allowed exceptions for sudo-user within /etc/sudoers. It can be very specific or widely general. Exceptions *can* be set for controlling the printer, installing software, connecting to wireless/wired access points, .............. -- (paka)Patrick Shanahan Plainfield, Indiana, USA HOG # US1244711 http://wahoo.no-ip.org Photo Album: http://wahoo.no-ip.org/gallery2 http://en.opensuse.org openSUSE Community Member Registered Linux User #207535 @ http://linuxcounter.net
On 2012-02-29 21:34, Patrick Shanahan wrote:
* Roger Oberholtzer <roger@opq.se> [02-29-12 15:28]:
No, sudo can only do that which root has allowed exceptions for sudo-user within /etc/sudoers. It can be very specific or widely general. Exceptions *can* be set for controlling the printer, installing software, connecting to wireless/wired access points, ..............
True enough - but it is not simple, and impractical for a GUI. -- Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar)
On Wed, 2012-02-29 at 15:34 -0500, Patrick Shanahan wrote:
* Roger Oberholtzer <roger@opq.se> [02-29-12 15:28]:
On Wed, 2012-02-29 at 15:22 -0500, Robert Schweikert wrote:
On 02/29/2012 03:13 PM, jdd wrote:
On 29/02/2012 20:40, Larry Stotler wrote:
As many are aware, Linus Torvalds has started a rant about the security policies
What about giving sudo rights to his daughter?
That was one of the suggestions in the google+ comments.
sudo has the huge disadvantage that it opens up too much. The app can do anything root can, when perhaps it is a limited thing you want to allow.
No, sudo can only do that which root has allowed exceptions for sudo-user within /etc/sudoers. It can be very specific or widely general. Exceptions *can* be set for controlling the printer, installing software, connecting to wireless/wired access points, ..............
Don't you mean it can only run the specific programs allowed? Then, as root, the allowed program can do whatever it wants. You cannot restrict it to certain things. Perhaps it is my own pet peeve about limiting network broadcasts to root that I am focusing on. That is a single thing I would like a user program to be able to do. I do not want full root access in the application for this. So if some device discovery / configuration tool is provided by an equipment supplier, I do not need to run it as root just so it can do an initial scan of what equipment is available. 99.999% of the task the app will do does not require root access. As the preferred interface for transducers drifts to ethernet, this is becoming a real big hassle. Yours sincerely, Roger Oberholtzer OPQ Systems / Ramböll RST Office: Int +46 10-615 60 20 Mobile: Int +46 70-815 1696 roger.oberholtzer@ramboll.se ________________________________________ Ramböll Sverige AB Krukmakargatan 21 P.O. Box 17009 SE-104 62 Stockholm, Sweden www.rambollrst.se
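The exchange above turns on how narrow a sudoers exception can be and what it cannot limit. The following is an added sketch, not code from any poster in the thread and not sudo's own implementation: a simplified Python model of how a sudoers command spec matches an invocation, with a lint for over-broad grants. The rule strings and paths are constructed, and the model covers only the argument rules from the sudoers manual (no arguments listed means any arguments, `""` means none, wildcards match the joined argument string).

```python
"""Simplified model of sudoers command matching: an added example."""
import fnmatch

# Constructed rule set for a hypothetical user; paths are illustrative.
SAMPLE_SPECS = [
    "ALL",
    "/usr/sbin/lpadmin",
    "/usr/sbin/lpadmin -p *",
    "/usr/bin/systemctl restart cups.service",
    '/usr/sbin/cupsctl ""',
]


def parse_cmnd(spec):
    """Split a command spec into (path, args_pattern).

    args_pattern is None when no arguments are listed (any arguments are
    accepted), "" when the spec ends in "" (no arguments accepted), or a
    pattern that the space-joined arguments must match.
    """
    spec = spec.strip()
    if spec == "ALL":
        return ("ALL", None)
    path, _, rest = spec.partition(" ")
    rest = " ".join(rest.split())
    if not rest:
        return (path, None)
    if rest == '""':
        return (path, "")
    return (path, rest)


def permits(spec, argv):
    """Would this spec let argv start? (Path wildcards are not modelled.)

    A match only decides whether the program starts. Once started it runs
    with full root privileges, which is the limitation raised in the thread.
    """
    path, pattern = parse_cmnd(spec)
    if path == "ALL":
        return True
    if argv[0] != path:
        return False
    if pattern is None:
        return True
    joined = " ".join(argv[1:])
    if pattern == "":
        return joined == ""
    # Arguments are matched as one joined string, so "*" spans several words.
    return fnmatch.fnmatchcase(joined, pattern)


def lint(spec):
    """Return findings that make a spec broader than it looks."""
    path, pattern = parse_cmnd(spec)
    findings = []
    if path == "ALL":
        findings.append("grants every command")
    elif pattern is None:
        findings.append("no argument list: any arguments are accepted")
    elif any(ch in pattern for ch in "*?["):
        findings.append("wildcard in arguments matches across word boundaries")
    return findings


def audit(specs):
    """Map each spec that has findings to its list of findings."""
    return {s: f for s in specs if (f := lint(s))}


if __name__ == "__main__":
    for spec, findings in audit(SAMPLE_SPECS).items():
        print(f"{spec!r}: {'; '.join(findings)}")
```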
Robert Schweikert wrote:
On 02/29/2012 03:13 PM, jdd wrote:
Le 29/02/2012 20:40, Larry Stotler a écrit :
As many are aware, Linus Torvalds has started a rant about the security policies
what about giving sudo rights to his daughter?
That was one of the suggestions in the google+ comments.
I would expect he would know about that. However, if that's buried in network manager, then sudo might not be suitable.
On 2012-03-01 03:45, James Knott wrote:
Robert Schweikert wrote:
what about giving sudo rights to his daughter?
That was one of the suggestions in the google+ comments.
I would expect he would know about that. However, if that's buried in network manager, then sudo might not be suitable.
It is not simple. It requires that sudoers be configured in a certain way (quite different than the current default as shipped) and then the network manager (or printer config or whatever) has to be implemented in a certain way. Sudo is an antique delegation method, not well suited for current day graphical apps. -- Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar)
On 2/29/2012 6:49 PM, Carlos E. R. wrote:
It is not simple. It requires that sudoers be configured in a certain way (quite different than the current default as shipped) and then the network manager (or printer config or whatever) has to be implemented in a certain way.
Sudo is an antique delegation method, not well suited for current day graphical apps.
-- Cheers / Saludos,
Well said. A mess to set up too. The current YAST configuration utility seems overly obtuse in an attempt to be capable of doing everything. A simpler check box list of tasks would be easier to set up. -- _____________________________________ ---This space for rent---
On 2012-03-01 04:03, John Andersen wrote:
On 2/29/2012 6:49 PM, Carlos E. R. wrote:
A mess to set up too. The current YAST configuration utility seems overly obtuse in an attempt to be capable of doing everything. A simpler check box list of tasks would be easier to set up.
But that is complex to create. What tool do we have that allows that usage? I don't know, perhaps it is policy kit. -- Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar)
On 02/29/2012 07:12 PM, Carlos E. R. wrote:
On 2012-03-01 04:03, John Andersen wrote:
On 2/29/2012 6:49 PM, Carlos E. R. wrote:
A mess to set up too. The current YAST configuration utility seems overly obtuse in an attempt to be capable of doing everything. A simpler check box list of tasks would be easier to set up.
But that is complex to create. What tool do we have that allows that usage? I don't know, perhaps it is policy kit.
Well, there are a few things that a user would commonly need to do. Some of these are already mentioned on this thread,
  printers
  wifi
  apply security updates
  certain connections to Windows networks
  maybe some mounting issues for odd things, phones, etc
  Run full Yast...
  maybe 4 or 5 things I haven't thought of...
So you have a few things like this on a Yast page Named Common SUDO tasks, and you select the user, then check the items that user should get to use.
Typically you'd give a young kid the ability only to hook up to wifi,
Maybe add a printer
Then as they get older you allow them to apply updates
Maybe run yast.
So instead of being something so open ended as the current Yast SUDO setup, it would be much simpler. You could add tasks to the list using /etc/sysconfig if needed. The use case I see for this is more likely aimed at the corporate laptop, where you don't really want to bug the IT department every time there is a security patch to apply. -- Explain again the part about rm -rf /
Le 29/02/2012 20:40, Larry Stotler a écrit :
Adding a Printer
the printer case can become a problem. Do you know many present printers (including extremely cheap ones) have internet access? it's even possible to print at home from a remote location. security nightmare jdd
jdd wrote:
the printer case can become a problem. Do you know many present printers (including extremely cheap ones) have internet access? it's even possible to print at home from a remote location.
security nightmare
Security nightmare vs being able to do one's work. As I mentioned in another note, I am expected to go to various sites and use the local printer. A bit hard to do if I require root or admin password to do it. Many others take their computers home and use their own printers and WiFi. Should they tell their boss "Sorry I can't use my computer, because I need a password to use a printer and WiFi"? By all means, make it an option that's even turned on by default, but allow root to set it to what's required.
On Wed, Feb 29, 2012 at 03:25:43PM -0500, James Knott wrote:
jdd wrote:
the printer case can become a problem. Do you know many present printers (including extremely cheap ones) have internet access? it's even possible to print at home from a remote location.
security nightmare
Security nightmare vs being able to do one's work. As I mentioned in another note, I am expected to go to various sites and use the local printer. A bit hard to do if I require root or admin password to do it. Many others take their computers home and use their own printers and WiFi. Should they tell their boss "Sorry I can't use my computer, because I need a password to use a printer and WiFi"?
By all means, make it an option that's even turned on by default, but allow root to set it to what's required.
read my email. Ciao, Marcus
Marcus Meissner wrote:
By all means, make it an option that's even turned on by default, but allow root to set it to what's required.
read my email.
???? I haven't seen any other email from you on this.
Le 29/02/2012 21:25, James Knott a écrit :
and WiFi. Should they tell their boss "Sorry I can't use my computer, because I need a password to use a printer and WiFi"?
yes. and add give me a simple way to do the task: give me sudo printer group access jdd
On Thursday 01 Mar 2012 00:17:20 jdd wrote:
Le 29/02/2012 21:25, James Knott a écrit :
and WiFi. Should they tell their boss "Sorry I can't use my computer, because I need a password to use a printer and WiFi"?
yes. and add give me a simple way to do the task: give me sudo printer group access
jdd
jdd, Off topic question here. What email client are you using? It's just that every time you reply to the same subject, it starts a new thread in my kmail. I posted a question to KDEPIM about threading last week and asked why it doesn't always work. They said that some clients don't obey all the rules regarding information put into the email headers. regards Ian
ianseeks wrote:
On Thursday 01 Mar 2012 00:17:20 jdd wrote:
Le 29/02/2012 21:25, James Knott a écrit :
and WiFi. Should they tell their boss "Sorry I can't use my computer, because I need a password to use a printer and WiFi"?
yes. and add give me a simple way to do the task: give me sudo printer group access
jdd
jdd,
Off topic question here. What email client are you using? It's just that every time you reply to the same subject, it starts a new thread in my kmail.
It looks like jdd posted via gmane - threading works fine in knode though. The References: header looks good. -- Per Jessen, Zürich (5.9°C)
On Thu, 01 Mar 2012 21:14:55 ianseeks wrote:
On Thursday 01 Mar 2012 00:17:20 jdd wrote:
...
Off topic question here. What email client are you using? It's just that every time you reply to the same subject, it starts a new thread in my kmail. ...
Threading of jdd's messages is OK in my kmail (1.13.6).
On Thursday 01 Mar 2012 22:46:22 michael@actrix.gen.nz wrote:
On Thu, 01 Mar 2012 21:14:55 ianseeks wrote:
On Thursday 01 Mar 2012 00:17:20 jdd wrote:
...
Off topic question here. What email client are you using? It's just that every time you reply to the same subject, it starts a new thread in my kmail. ...
Threading of jdd's messages is OK in my kmail (1.13.6).
I'm on Kmail 4.8.0 (according to the Help) but I presume it's Kmail 2.?? jdd is not the only one where I get split threads. I can also get it with other people where it sometimes works okay and sometimes it creates a new thread.
On Thu, Mar 01, 2012 at 12:17:20AM +0100, jdd wrote:
Le 29/02/2012 21:25, James Knott a écrit :
and WiFi. Should they tell their boss "Sorry I can't use my computer, because I need a password to use a printer and WiFi"?
yes. and add give me a simple way to do the task: give me sudo printer group access
Or edit the policy kit rights.... Ciao, Marcus
On Wed, 29 Feb 2012 14:40:13 -0500, Larry Stotler wrote:
As many are aware, Linus Torvalds has started a rant about the security policies in openSUSE for things that require the root password. From his Google+ post(https://plus.google.com/102150693225130002912/posts/1vyfmNCYpi5), he names these:
Time Zone changes Adding a Printer Adding a wireless network.
Now, I don't usually see the wireless issue because KNetworkmanager in KDE3(which I use) has never asked the root password for adding a new network.
While at 37, I've never changed timezones(I lead a boring life) I would have to agree that having to use the root password for this would be annoying if I needed to change it because of a flight or something.
I've worked with Linus on a hardware issue years ago, and I think we should probably at least consider reviewing the policies if they do need changed.
Just my 2 cents.
I would tend to agree, but at the same time, security is always a tradeoff between convenience and security. The underlying issue seems to me to be twofold:
1. The default policies are thought, by some, to be too restrictive.
2. PolicyKit (which seems to be what enforces these sorts of things) doesn't appear to me to be very well documented, nor is there a good tool for modifying the policy should one wish to go with a less restrictive setup.
It seems like what might be reasonable here is to (a) better document PolicyKit, (b) provide a tool for managing the policies, and (c) provide different security profiles at installation time that let the user decide at that point how they want to balance security and convenience.
We need to make this discussion less about Linus' comments (poorly stated, but valid observations) and more about how we balance the security policy/policies.
But I also understand there is a discussion going on about this on the opensuse-security list - it may well be redundant to have a discussion here on the -user list as well.
Jim -- Jim Henderson Please keep on-topic replies on the list so everyone benefits
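As an added illustration of the profile idea in (c), not code from the thread or from openSUSE: a small Python model of layered PolicyKit privilege tables in the `action any:inactive:active` line format of openSUSE's polkit-default-privs files. The table contents, the `org.example.timezone.set` action ID and all function names are constructed for the example, and the format handling (including a single value standing for all three session types) is an assumption based on that file layout.

```python
"""Layered PolicyKit privilege tables: an added, simplified model."""

SESSIONS = ("any", "inactive", "active")
RESULTS = {"yes", "no", "auth_self", "auth_self_keep",
           "auth_admin", "auth_admin_keep"}
# Lower number = less friction for the user.
STRICTNESS = {"yes": 0, "auth_self": 1, "auth_self_keep": 1,
              "auth_admin": 2, "auth_admin_keep": 2, "no": 3}

# Constructed sample tables; the values are NOT openSUSE's shipped defaults.
# org.example.timezone.set is a hypothetical placeholder action ID.
RESTRICTIVE = """\
# action                                                any:inactive:active
org.freedesktop.NetworkManager.settings.modify.system   auth_admin_keep:auth_admin_keep:auth_admin_keep
org.opensuse.cupspkhelper.mechanism.printer-local-edit  auth_admin
org.example.timezone.set                                auth_admin
"""

LOCAL_OVERRIDE = """\
# Administrator's choice: no prompt for the user at the active local console
org.freedesktop.NetworkManager.settings.modify.system   auth_admin:auth_admin:yes
org.example.timezone.set                                no:no:yes
"""


def parse_privs(text):
    """Parse 'action value' lines into {action: {session: result}}."""
    table = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: expected 'action value'")
        action, value = fields
        parts = value.split(":")
        if len(parts) == 1:          # one value applies to all three sessions
            parts = parts * 3
        if len(parts) != 3 or any(p not in RESULTS for p in parts):
            raise ValueError(f"line {lineno}: bad value {value!r}")
        table[action] = dict(zip(SESSIONS, parts))
    return table


def effective(*tables):
    """Merge tables in order; a later table overrides an earlier one."""
    merged = {}
    for table in tables:
        merged.update(table)
    return merged


def decide(table, action, session="active"):
    """Result for an action in a session type, or None if the table is silent.

    None means this model has no answer; real polkit would fall back to the
    defaults in the action's own .policy file.
    """
    entry = table.get(action)
    return None if entry is None else entry[session]


def needs_admin_password(table, action, session="active"):
    """True when the result is auth_admin or auth_admin_keep."""
    result = decide(table, action, session)
    return result is not None and result.startswith("auth_admin")


def relaxed(base, merged, session="active"):
    """Actions whose requirement the override lowered for this session type."""
    out = []
    for action, entry in merged.items():
        before = base.get(action)
        if before and STRICTNESS[entry[session]] < STRICTNESS[before[session]]:
            out.append(action)
    return sorted(out)


if __name__ == "__main__":
    base = parse_privs(RESTRICTIVE)
    merged = effective(base, parse_privs(LOCAL_OVERRIDE))
    for action in sorted(merged):
        print(action, merged[action])
    print("relaxed for active sessions:", relaxed(base, merged))
```

Reviewing the output of `relaxed` for each session type shows exactly which prompts an override removes and for whom, which is the information an administrator needs before choosing a less restrictive profile.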
On Wed, Feb 29, 2012 at 02:40:13PM -0500, Larry Stotler wrote:
As many are aware, Linus Torvalds has started a rant about the security policies in openSUSE for things that require the root password. From his Google+ post(https://plus.google.com/102150693225130002912/posts/1vyfmNCYpi5), he names these:
Time Zone changes Adding a Printer Adding a wireless network.
Now, I don't usually see the wireless issue because KNetworkmanager in KDE3(which I use) has never asked the root password for adding a new network.
While at 37, I've never changed timezones(I lead a boring life) I would have to agree that having to use the root password for this would be annoying if I needed to change it because of a flight or something.
I've worked with Linus on a hardware issue years ago, and I think we should probably at least consider reviewing the policies if they do need changed.
He should stop asking us to commit suicide first. Ciao, Marcus
On 2/29/2012 1:14 PM, Marcus Meissner wrote:
On Wed, Feb 29, 2012 at 02:40:13PM -0500, Larry Stotler wrote:
As many are aware, Linus Torvalds has started a rant about the security policies in openSUSE for things that require the root password. From his Google+ post(https://plus.google.com/102150693225130002912/posts/1vyfmNCYpi5), he names these:
Time Zone changes Adding a Printer Adding a wireless network.
Now, I don't usually see the wireless issue because KNetworkmanager in KDE3(which I use) has never asked the root password for adding a new network.
While at 37, I've never changed timezones(I lead a boring life) I would have to agree that having to use the root password for this would be annoying if I needed to change it because of a flight or something.
I've worked with Linus on a hardware issue years ago, and I think we should probably at least consider reviewing the policies if they do need changed.
He should stop asking us to commit suicide first.
Ciao, Marcus
I think the entire point here is that the multi-user security model is not a good fit for a single user device like a laptop. For single user devices, permissions should really focus on preventing the user from destroying the system or letting it be compromised by others, but in other ways, allow them to do typical administrative tasks like add printers, wifi networks, removable storage, etc. I don't think you can dismiss Torvalds with a one-liner and come off looking anything but petty. -- _____________________________________ ---This space for rent---
On Wed, Feb 29, 2012 at 01:34:14PM -0800, John Andersen wrote:
On 2/29/2012 1:14 PM, Marcus Meissner wrote:
On Wed, Feb 29, 2012 at 02:40:13PM -0500, Larry Stotler wrote:
As many are aware, Linus Torvalds has started a rant about the security policies in openSUSE for things that require the root password. From his Google+ post(https://plus.google.com/102150693225130002912/posts/1vyfmNCYpi5), he names these:
Time Zone changes Adding a Printer Adding a wireless network.
Now, I don't usually see the wireless issue because KNetworkmanager in KDE3(which I use) has never asked the root password for adding a new network.
While at 37, I've never changed timezones(I lead a boring life) I would have to agree that having to use the root password for this would be annoying if I needed to change it because of a flight or something.
I've worked with Linus on a hardware issue years ago, and I think we should probably at least consider reviewing the policies if they do need changed.
He should stop asking us to commit suicide first.
Ciao, Marcus
I think the entire point here is that the multi-user security model is not a good fit for a single user device like a laptop.
For single user devices, permissions should really focus on preventing the user from destroying the system or letting it be compromised by others, but in other ways, allow them to do typical administrative tasks like add printers, wifi networks, removable storage, etc.
I don't think you can dismiss Torvalds with a one-liner and come off looking anything but petty.
read my other mail. Ciao, Marcus
On Wed, Feb 29, 2012 at 1:44 PM, Marcus Meissner <meissner@suse.de> wrote:
On Wed, Feb 29, 2012 at 01:34:14PM -0800, John Andersen wrote:
On 2/29/2012 1:14 PM, Marcus Meissner wrote:
On Wed, Feb 29, 2012 at 02:40:13PM -0500, Larry Stotler wrote:
As many are aware, Linus Torvalds has started a rant about the security policies in openSUSE for things that require the root password. From his Google+ post(https://plus.google.com/102150693225130002912/posts/1vyfmNCYpi5), he names these:
Time Zone changes Adding a Printer Adding a wireless network.
Now, I don't usually see the wireless issue because KNetworkmanager in KDE3(which I use) has never asked the root password for adding a new network.
While at 37, I've never changed timezones(I lead a boring life) I would have to agree that having to use the root password for this would be annoying if I needed to change it because of a flight or something.
I've worked with Linus on a hardware issue years ago, and I think we should probably at least consider reviewing the policies if they do need changed.
He should stop asking us to commit suicide first.
Ciao, Marcus
I think the entire point here is that the multi-user security model is not a good fit for a single user device like a laptop.
For single user devices, permissions should really focus on preventing the user from destroying the system or letting it be compromised by others, but in other ways, allow them to do typical administrative tasks like add printers, wifi networks, removable storage, etc.
I don't think you can dismiss Torvalds with a one-liner and come off looking anything but petty.
read my other mail.
Ciao, Marcus
You are going to have many opinions on the level of security different systems need to have. Some are going to be very firm against any changes at all. All security should be able to be configured directly from YAST. The man-power may not be there to implement it in a complete form though. A user or administrator should be able to set the level of permissions once and forget it. Steven -- ____________ Steven L Hess ARS KC6KGE DM05gd22 Skype user flamebait Cell 661 487 0357 (Facetime) Google Voice 661 769 6201 openSUSE Linux 12.1
On Wed, 29 Feb 2012 22:14:09 +0100, Marcus Meissner wrote:
I've worked with Linus on a hardware issue years ago, and I think we should probably at least consider reviewing the policies if they do need changed.
He should stop asking us to commit suicide first.
Clearly he was frustrated in his experience. He ran into a problem, tried to get it addressed (apparently), and got frustrated with pushback he got (I've not read the relevant bug, so I'm inferring that from his comment on G+). Just because he expressed himself poorly doesn't mean he doesn't have a valid point, Marcus. We shouldn't ignore the point just because it was poorly expressed. Jim -- Jim Henderson Please keep on-topic replies on the list so everyone benefits
did somebody yet notice that default install is with root passwd identical to user passwd? sure I never let this go through, but this solves definitively the problem jdd
On Thu, 01 Mar 2012 00:23:02 +0100, jdd wrote:
did somebody yet notice that default install is with root passwd identical to user passwd?
Identical to the initial user password. On multiuser systems, the user passwords aren't all valid for root, obviously. :) Jim -- Jim Henderson Please keep on-topic replies on the list so everyone benefits
Le 01/03/2012 00:33, Jim Henderson a écrit :
On Thu, 01 Mar 2012 00:23:02 +0100, jdd wrote:
did somebody yet notice that default install is with root passwd identical to user passwd?
Identical to the initial user password. On multiuser systems, the user passwords aren't all valid for root, obviously. :)
Jim
the use case was single user (linus daughter) jdd
On Thu, 01 Mar 2012 09:21:46 +0100, jdd wrote:
Le 01/03/2012 00:33, Jim Henderson a écrit :
On Thu, 01 Mar 2012 00:23:02 +0100, jdd wrote:
did somebody yet notice that default install is with root passwd identical to user passwd?
Identical to the initial user password. On multiuser systems, the user passwords aren't all valid for root, obviously. :)
Jim
the use case was single user (linus daughter)
Sure, but in terms of overall security policy, single user isn't the only use case to be considered. Jim -- Jim Henderson Please keep on-topic replies on the list so everyone benefits
On 2012-03-01 00:23, jdd wrote:
did somebody yet notice that default install is with root passwd identical to user passwd?
sure I never let this go through, but this solves definitively the problem
Nope, that's the user that did the system setup and he is also the root, with same password or different. He will not give the root password to the rest of users. It is those users who have problems. And is no different in Windows, by the way. -- Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar)
On Wed, Feb 29, 2012 at 3:37 PM, Carlos E. R. <robin.listas@telefonica.net> wrote:
On 2012-03-01 00:23, jdd wrote:
did somebody yet notice that default install is with root passwd identical to user passwd?
sure I never let this go through, but this solves definitively the problem
Nope, that's the user that did the system setup and he is also the root, with same password or different. He will not give the root password to the rest of users. It is those users who have problems.
And is no different in Windows, by the way.
-- Cheers / Saludos,
Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar)
This is easily configured the traditional way during set up. My single user system has user and root passwords. -- ____________ Steven L Hess ARS KC6KGE DM05gd22 Skype user flamebait Cell 661 487 0357 (Facetime) Google Voice 661 769 6201 openSUSE Linux 12.1
Steven Hess wrote:
This is easily configured the traditional way during set up. My single user system has user and root passwords.
This is not a problem for me on my own computer, because I know both root and user passwords. However, in a corporate environment, you generally don't give users root access. As I mentioned, I was given a computer for use on an insurance company's network. It runs Windows 7 and I can use it with WiFi and connecting to new printers. If I had been given a computer running openSUSE 12.1, I would not be able to do my work.
On 2012-03-01 03:57, James Knott wrote:
Steven Hess wrote:
As I mentioned, I was given a computer for use on an insurance company's network. It runs Windows 7 and I can use it with WiFi and connecting to new printers. If I had been given a computer running openSUSE 12.1, I would not be able to do my work.
I can configure that Windows machine so that you can not do any of that. It is in fact the default config. -- Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar)
Carlos E. R. wrote:
I can configure that Windows machine so that you can not do any of that. It is in fact the default config.
I have never needed admin password to use WiFi in Windows. I don't recall using one to set up a printer either. BTW, my own ThinkPad, which I normally run Linux on, came with Windows 7 Professional. Even though I run as a user, with Admin a separate account, I haven't needed the admin password to set up a Wifi connection.
On 2012-03-01 04:11, James Knott wrote:
Carlos E. R. wrote:
I can configure that Windows machine so that you can not do any of that. It is in fact the default config.
I have never needed admin password to use WiFi in Windows.
Because you are already the administrator. In my windows machine I can't setup the wifi network or printer. -- Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar)
On Thu, 2012-03-01 at 04:14 +0100, Carlos E. R. wrote:
On 2012-03-01 04:11, James Knott wrote:
Carlos E. R. wrote:
I can configure that Windows machine so that you can not do any of that. It is in fact the default config.
I have never needed admin password to use WiFi in Windows.
Because you are already the administrator. In my windows machine I can't setup the wifi network or printer.
-- Cheers / Saludos,
Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar)
I think we should default to the upstream (old) way. It's what is expected. Further, if we won't we need to make a graphical tool for editing policy kit that is GTK and qt/kde.
Carlos E. R. wrote:
I have never needed admin password to use WiFi in Windows.
Because you are already the administrator. In my windows machine I can't setup the wifi network or printer.
Please read my other note, where I said I run as a user, with separate admin account.
jdd wrote:
did somebody yet notice that default install is with root passwd identical to user passwd?
sure I never let this go through, but this solves definitively the problem
jdd
How does it solve the problem if an employer doesn't want to give employees root access, but expects them to be able to use WiFi?
On Wed, 2012-02-29 at 21:53 -0500, James Knott wrote:
jdd wrote:
did somebody yet notice that default install is with root passwd identical to user passwd?
sure I never let this go through, but this solves definitively the problem
jdd
How does it solve the problem if an employer doesn't want to give employees root access, but expects them to be able to use WiFi?
Hmm. I use WiFi in three offices, hotels, home, and wherever. On KDE I set it up via network manager. I am never root for that. Same with wired connections. I think the problem is that network manager seems to have gone through a bad stretch where it could, in some updates, stop working. That, for wifi on openSUSE, is the issue. I do not know if the gnome equivalent has had such a seemingly turbulent recent history. Yours sincerely, Roger Oberholtzer OPQ Systems / Ramböll RST Office: Int +46 10-615 60 20 Mobile: Int +46 70-815 1696 roger.oberholtzer@ramboll.se ________________________________________ Ramböll Sverige AB Krukmakargatan 21 P.O. Box 17009 SE-104 62 Stockholm, Sweden www.rambollrst.se
Roger Oberholtzer wrote:
How does it solve the problem if an employer doesn't want to give employees root access, but expects them to be able to use WiFi?
Hmm. I use WiFi in three offices, hotels, home, and wherever. On KDE I set it up via network manager. I am never root for that. Same with wired connections. I think the problem is that network manager seems to have gone through a bad stretch where it could, in some updates, stop working. That, for wifi on openSUSE, is the issue. I do not know if the gnome equivalent has had such a seemingly turbulent recent history.
In 12.1, you need root password to initially configure a WiFi connection. Once that's done, you can use it without root password. Earlier versions did not require root password to establish a connection.
On Thu, 2012-03-01 at 07:59 -0500, James Knott wrote:
Roger Oberholtzer wrote:
How does it solve the problem if an employer doesn't want to give employees root access, but expects them to be able to use WiFi?
Hmm. I use WiFi in three offices, hotels, home, and wherever. On KDE I set it up via network manager. I am never root for that. Same with wired connections. I think the problem is that network manager seems to have gone through a bad stretch where it could, in some updates, stop working. That, for wifi on openSUSE, is the issue. I do not know if the gnome equivalent has had such a seemingly turbulent recent history.
In 12.1, you need root password to initially configure a WiFi connection. Once that's done, you can use it without root password. Earlier versions did not require root password to establish a connection.
Do you mean in YaST where you say you want it to be managed by ifup or by the user? Isn't that selectable when the OS is initially installed? If the installer person selects that it is to be controlled by the user, then that is that. We do our installs from OEM images we create with KIWI. There we have set the defaults so the installer person does not even have to get it right. But in the standard openSUSE installer, I really think this is available. I may be wrong. Yours sincerely, Roger Oberholtzer OPQ Systems / Ramböll RST Office: Int +46 10-615 60 20 Mobile: Int +46 70-815 1696 roger.oberholtzer@ramboll.se ________________________________________ Ramböll Sverige AB Krukmakargatan 21 P.O. Box 17009 SE-104 62 Stockholm, Sweden www.rambollrst.se
Roger Oberholtzer wrote:
Do you mean in YaST where you say you want it to be managed by ifup or by the user? Isn't that selectable when the OS is initially installed? If the installer person selects that it is to be controlled by the user, then that is that.
The KDE network manager requires root password to configure a WiFi connection. This means that when I try to use a new WiFi access point, I have to create the connection with the root password. On my own computer, this is not an issue, as I know the root password. In a corporate environment, it's a killer.
On Thu, 2012-03-01 at 08:35 -0500, James Knott wrote:
Roger Oberholtzer wrote:
Do you mean in YaST where you say you want it to be managed by ifup or by the user? Isn't that selectable when the OS is initially installed? If the installer person selects that it is to be controlled by the user, then that is that.
The KDE network manager requires root password to configure a WiFi connection. This means that when I try to use a new WiFi access point, I have to create the connection with the root password. On my own computer, this is not an issue, as I know the root password. In a corporate environment, it's a killer.
I have to check this at home tonight. Perhaps I whip out the root password without thinking. (Great security, that). But my feeling is that root access is only needed to set a new wireless interface (the bits in the laptop) to be ifup or user managed. After that, if user access was selected, the interface can connect to new access points under user control. Hmm. Yours sincerely, Roger Oberholtzer OPQ Systems / Ramböll RST Office: Int +46 10-615 60 20 Mobile: Int +46 70-815 1696 roger.oberholtzer@ramboll.se ________________________________________ Ramböll Sverige AB Krukmakargatan 21 P.O. Box 17009 SE-104 62 Stockholm, Sweden www.rambollrst.se
Jim Henderson wrote:
On Wed, 29 Feb 2012 22:14:09 +0100, Marcus Meissner wrote:
I've worked with Linus on a hardware issue years ago, and I think we should probably at least consider reviewing the policies if they do need changed. He should stop asking us to commit suicide first.
Just because he expressed himself poorly doesn't mean he doesn't have a valid point, Marcus. We shouldn't ignore the point just because it was poorly expressed.
I think there may be a cultural issue here. If Linus and Marcus worked for a European company, Linus would be open to a disciplinary offence of harassment. Marcus didn't ignore Linus' point. He simply asked to be treated with respect.
On Thu, 2012-03-01 at 14:46 +0000, Dave Howorth wrote:
Jim Henderson wrote:
On Wed, 29 Feb 2012 22:14:09 +0100, Marcus Meissner wrote:
I've worked with Linus on a hardware issue years ago, and I think we should probably at least consider reviewing the policies if they do need changed. He should stop asking us to commit suicide first.
Just because he expressed himself poorly doesn't mean he doesn't have a valid point, Marcus. We shouldn't ignore the point just because it was poorly expressed.
I think there may be a cultural issue here. If Linus and Marcus worked for a European company, Linus would be open to a disciplinary offence of harassment.
Luckily for Linus such things never happen in the far less bureaucratic US (where he is working) ;)
Marcus didn't ignore Linus' point. He simply asked to be treated with respect.
Although they say you attract more flies with honey than with vinegar, you collect even more with s**t. Hard to predict what gets any task done. Yours sincerely, Roger Oberholtzer OPQ Systems / Ramböll RST Office: Int +46 10-615 60 20 Mobile: Int +46 70-815 1696 roger.oberholtzer@ramboll.se ________________________________________ Ramböll Sverige AB Krukmakargatan 21 P.O. Box 17009 SE-104 62 Stockholm, Sweden www.rambollrst.se
On Wed, Feb 29, 2012 at 02:40:13PM -0500, Larry Stotler wrote:
As many are aware, Linus Torvalds has started a rant about the security policies in openSUSE for things that require the root password. From his Google+ post(https://plus.google.com/102150693225130002912/posts/1vyfmNCYpi5), he names these:
Time Zone changes Adding a Printer Adding a wireless network.
Now, I don't usually see the wireless issue because KNetworkmanager in KDE3(which I use) has never asked the root password for adding a new network.
While at 37, I've never changed timezones(I lead a boring life) I would have to agree that having to use the root password for this would be annoying if I needed to change it because of a flight or something.
I've worked with Linus on a hardware issue years ago, and I think we should probably at least consider reviewing the policies if they do need changed.
Hi,
Let me address in the points
- timezone changes he complains about
GNOME 3 uses just 1 root service for both timezone and actual UNIX time changes.
If it were split, we could allow timezone for users and only allow unix time for root. (There are split DBUS services already, just GNOME 3 uses yet another new one.)
=> It is a GNOME issue really.
- adding a printer
As it is already:
* Adding a known USB printer : No popup, no query ... the printer will just start to work.
* Adding a Network printer: depending on the computers "networked printer browsing" setup, will just work without interaction.
* Adding a new not yet known printer: Difficult.
If you even need a PPD file to set it up, or an external driver, allowing this is the equivalent of giving out root access.
=> Setting up printers is a hard task, and root privilege escalation is usually easy when you are allowed to do it.
(I would also like to see it done on Windows 7 without Admin Password.)
- NetworkManager
12.1 shipped with 0.9 NetworkManager which was very fresh off the press.
Before 0.9 all WLAN connections were "user" based connections and did not change the system.
0.9 features now "system" and "user" based connections.
The default is "system" connections, it was not even possible to select the "user" option. A "system" connection is too deep and should only be configurable by root in our eyes.
Sadly, the UI frontends did not offer the selection to select "user" profiles, so it was necessary.
Ludwig did quite some work on making the default more sane and it works now at Linus acceptance level I think.
=> NetworkManager and NM UI tools design issues make a secure and usable default hard.
For all of those exists bugzilla entries. All of those need less help on the security side, but way more help on the implementation and design side in the User Interfaces, especially NetworkManager.
Ciao, Marcus
Hello List, On 29.02.2012 22:23, Marcus Meissner wrote: [...]
Hi,
Let me address in the points
[...]
- adding a printer
As it is already: * Adding a known USB printer : No popup, no query ... the printer will just start to work.
* Adding a Network printer: depending on the computers "networked printer browsing" setup, will just work without interaction.
* Adding a new not yet known printer: Difficult.
If you even need a PPD file to set it up, or an external driver, allowing this is the equivalent of giving out root access.
=> Setting up printers is a hard task, and root privilege escalation is usually easy when you are allowed to do it.
(I would also like to see it done on Windows 7 without Admin Password.)
[...] I have not yet searched for the other 'points'/'poorly expressed' wishes of the frustrated father in his last monthly/half-yearly ranting but there is a thread opened by another user on printer/CUPS and rights management on the forum that is meant for features and changes to the distribution/project: openFATE #313287 Allow printer add and modification to users https://features.opensuse.org/313287 Regards Martin -- openSUSE profile: https://users.opensuse.org/show/pistazienfresser Martin Seidler KIRCHSTR. 11, 65843 SULZBACH (TAUNUS) FON (priv.): +49 6196 40 20 283 Ø FON (comm.): +49 6196 59 236 23 Ø FAX: +49 6196 59 236 24 Ø
On 29.02.2012 22:23, Marcus Meissner wrote: [...]
Hi,
Let me address in the points
[...]
- NetworkManager
12.1 shipped with 0.9 NetworkManager which was very fresh off the press.
Before 0.9 all WLAN connections were "user" based connections and did not change the system.
0.9 features now "system" and "user" based connections.
The default is "system" connections, it was not even possible to select the "user" option. A "system" connection is too deep and should only be configurable by root in our eyes.
Sadly, the UI frontends did not offer the selection to select "user" profiles, so it was necessary.
Ludwig did quite some work on making the default more sane and it works now at Linus acceptance level I think.
=> NetworkManager and NM UI tools design issues make a secure and usable default hard.
I do not know if I understood it the right way but to me that 'point' and the (possible?/wanted?) solution looks very alike to: openFATE #305657 finer grained PolicyKit support for Networkmanager https://features.opensuse.org/305657 Regards Martin -- openSUSE profile: https://users.opensuse.org/show/pistazienfresser Martin Seidler KIRCHSTR. 11, 65843 SULZBACH (TAUNUS) FON (priv.): +49 6196 40 20 283 Ø FON (comm.): +49 6196 59 236 23 Ø FAX: +49 6196 59 236 24 Ø
On Sun, Mar 18, 2012 at 04:58:11PM +0100, Martin Seidler wrote:
On 29.02.2012 22:23, Marcus Meissner wrote: [...]
Hi,
Let me address in the points
[...]
- NetworkManager
12.1 shipped with 0.9 NetworkManager which was very fresh off the press.
Before 0.9 all WLAN connections were "user" based connections and did not change the system.
0.9 features now "system" and "user" based connections.
The default is "system" connections, it was not even possible to select the "user" option. A "system" connection is too deep and should only be configurable by root in our eyes.
Sadly, the UI frontends did not offer the selection to select "user" profiles, so it was necessary.
Ludwig did quite some work on making the default more sane and it works now at Linus acceptance level I think.
=> NetworkManager and NM UI tools design issues make a secure and usable default hard.
I do not know if I understood it the right way but to me that 'point' and the (possible?/wanted?) solution looks very alike to:
openFATE #305657 finer grained PolicyKit support for Networkmanager https://features.opensuse.org/305657
This is a bit different... We have started an effort to review such usecases internally now between Andreas Jaeger and the security team. Ciao, Marcus
On Wednesday 29 February 2012 14:40:13 Larry Stotler wrote:
As many are aware, Linus Torvalds has started a rant about the security policies in openSUSE for things that require the root password. From his Google+ post(https://plus.google.com/102150693225130002912/posts/1vyfmNCYpi5), he names these:
Time Zone changes Adding a Printer Adding a wireless network.
Now, I don't usually see the wireless issue because KNetworkmanager in KDE3(which I use) has never asked the root password for adding a new network.
While at 37, I've never changed timezones(I lead a boring life) I would have to agree that having to use the root password for this would be annoying if I needed to change it because of a flight or something.
I've worked with Linus on a hardware issue years ago, and I think we should probably at least consider reviewing the policies if they do need changed.
They are being reconsidered. Heck, some have been changed already, and others might. Also, Linus is not always right - some of the things he complained about were not oS' fault but GNOME Shell (which can't decouple changing timezones for the clock of a single user vs from changing time systemwide) and lacking printer drivers (if you don't have the printer driver you need a root password to install one). /Jos
Just my 2 cents.
Jos Poortvliet wrote:
They are being reconsidered. Heck, some have been changed already, and others might. Also, Linus is not always right - some of the things he complained about were not oS' fault but GNOME Shell (which can't decouple changing timezones for the clock of a single user vs from changing time systemwide) and lacking printer drivers (if you don't have the printer driver you need a root password to install one).
He was certainly right about the Wifi and printer config. Just today, I was at a customer site and had to set up my computer to use their printer. I couldn't have done it as a mere mortal user with openSUSE 12.1. I could as a regular user in Windows. I have expressed my opinion on WiFi earlier.
On 03/28/2012 07:04 PM, James Knott wrote:
Jos Poortvliet wrote:
They are being reconsidered. Heck, some have been changed already, and others might. Also, Linus is not always right - some of the things he complained about were not oS' fault but GNOME Shell (which can't decouple changing timezones for the clock of a single user vs from changing time systemwide) and lacking printer drivers (if you don't have the printer driver you need a root password to install one).
He was certainly right about the Wifi and printer config. Just today, I was at a customer site and had to set up my computer to use their printer. I couldn't have done it as a mere mortal user with openSUSE 12.1. I could as a regular user in Windows.
What if the appropriate printer driver isn't already on the system? Are you implying that you are OK with installing printer driver packages as user? IMHO a lot of people will have an issue with that. How do you then differentiate the printer driver package from other packages? I am not saying there may not be an issue. But, just saying users should be able to configure any printer simplifies things just a tad too much. WiFi is different as the firmware package for the machine will be pulled in at install time, no additional install needed later. Later, Robert -- Robert Schweikert MAY THE SOURCE BE WITH YOU SUSE-IBM Software Integration Center LINUX Tech Lead rjschwei@suse.com rschweik@ca.ibm.com 781-464-8147
On 03/28/12 19:55, Robert Schweikert pecked at the keyboard and wrote:
On 03/28/2012 07:04 PM, James Knott wrote:
Jos Poortvliet wrote:
They are being reconsidered. Heck, some have been changed already, and others might. Also, Linus is not always right - some of the things he complained about were not oS' fault but GNOME Shell (which can't decouple changing timezones for the clock of a single user vs from changing time systemwide) and lacking printer drivers (if you don't have the printer driver you need a root password to install one).
He was certainly right about the Wifi and printer config. Just today, I was at a customer site and had to set up my computer to use their printer. I couldn't have done it as a mere mortal user with openSUSE 12.1. I could as a regular user in Windows.
What if the appropriate printer driver isn't already on the system? Are you implying that you are OK with installing printer driver packages as user? IMHO a lot of people will have an issue with that. How do you then differentiate the printer driver package from other packages?
I am not saying there may not be an issue. But, just saying users should be able to configure any printer simplifies things just a tad too much.
WiFi is different as the firmware package for the machine will be pulled in at install time, no additional install needed later.
Later, Robert
And in the case of a "printer driver" it usually means nothing more than supplying a PPD file to the config setup. Just how fracking paranoid are we getting? -- Ken Schneider SuSe since Version 5.2, June 1998
On Wed, Mar 28, 2012 at 08:09:23PM -0400, Ken Schneider - openSUSE wrote:
On 03/28/12 19:55, Robert Schweikert pecked at the keyboard and wrote:
On 03/28/2012 07:04 PM, James Knott wrote:
Jos Poortvliet wrote:
They are being reconsidered. Heck, some have been changed already, and others might. Also, Linus is not always right - some of the things he complained about were not oS' fault but GNOME Shell (which can't decouple changing timezones for the clock of a single user vs from changing time systemwide) and lacking printer drivers (if you don't have the printer driver you need a root password to install one).
He was certainly right about the Wifi and printer config. Just today, I was at a customer site and had to set up my computer to use their printer. I couldn't have done it as a mere mortal user with openSUSE 12.1. I could as a regular user in Windows.
What if the appropriate printer driver isn't already on the system? Are you implying that you are OK with installing printer driver packages as user? IMHO a lot of people will have an issue with that. How do you then differentiate the printer driver package from other packages?
I am not saying there may not be an issue. But, just saying users should be able to configure any printer simplifies things just a tad too much.
WiFi is different as the firmware package for the machine will be pulled in at install time, no additional install needed later.
Later, Robert
And in the case of a "printer driver" it usually means nothing more than supplying a PPD file to the config setup.
Just how fracking paranoid are we getting?
You are aware that PPD files can contain shell code snippets (to call filters)? :) Ciao, Marcus
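The two printer points made in the thread (that accepting a PPD file or external driver is equivalent to giving out root access, and that PPD files can call filters) can be checked before a PPD is accepted. The following is an added example, not code from the thread, from openSUSE or from CUPS: it lists the PPD entries that name a program or command line to be executed. The default filter directory is an assumption and the sample PPD is constructed.

```python
import posixpath
import re

# PPD attributes whose quoted value ends in a program that CUPS executes;
# the number is the index of the program field inside the value.
FILTER_KEYS = {"cupsFilter": 2, "cupsPreFilter": 2, "cupsFilter2": 3}
# Attribute holding a full command line that the foomatic-rip filter hands to a shell.
COMMAND_KEYS = {"FoomaticRIPCommandLine"}
DIRECTIVE = re.compile(r'^\*(\w+)[^:\n]*:\s*"([^"]*)"', re.M)
ODD_CHARS = re.compile(r"[^\w./+-]")


def audit_ppd(text, filter_dir="/usr/lib/cups/filter"):
    """Return (attribute, value, reason) for every entry that needs review.

    filter_dir is an assumption: the CUPS filter directory differs between
    distributions, so pass the one your system uses.
    """
    findings = []
    for key, raw in DIRECTIVE.findall(text):
        value = " ".join(raw.split())  # quoted values may span several lines
        if key in COMMAND_KEYS:
            findings.append((key, value, "shell command line"))
        elif key in FILTER_KEYS:
            fields = value.split(None, FILTER_KEYS[key])
            if len(fields) <= FILTER_KEYS[key]:
                findings.append((key, value, "malformed filter entry"))
                continue
            program = fields[-1]
            if program == "-":  # "-" means no filter program is run
                continue
            # Relative names are resolved against the filter directory;
            # absolute paths and ../ sequences can point anywhere else.
            resolved = posixpath.normpath(posixpath.join(filter_dir, program))
            if not resolved.startswith(filter_dir.rstrip("/") + "/"):
                findings.append((key, value, "program outside filter directory"))
            elif ODD_CHARS.search(program):
                findings.append((key, value, "unexpected characters in program name"))
    return findings


# Constructed sample, not taken from any real driver package.
SAMPLE_PPD = '''*PPD-Adobe: "4.3"
*ModelName: "Constructed Example Printer"
*cupsFilter: "application/vnd.cups-raster 0 rastertoexample"
*cupsFilter: "application/vnd.cups-postscript 0 /tmp/helper"
*cupsFilter2: "application/pdf application/vnd.example 10 ../../../home/user/f"
*FoomaticRIPCommandLine: "gs -q -dBATCH -sDEVICE=ljet4 -sOutputFile=- - | tee /tmp/copy"
*End
'''

if __name__ == "__main__":
    for key, value, reason in audit_ppd(SAMPLE_PPD):
        print(f"{reason}: *{key}: {value}")
```

An empty result only means that none of these attributes point outside the filter directory; the filter programs themselves still come from whatever package installed them.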
participants (28)
- Andreas Jaeger
- Basil Chupin
- Brian K. White
- Carlos E. R.
- Dave Howorth
- Hans Witvliet
- ianseeks
- James Knott
- jdd
- Jim Henderson
- John Andersen
- Jos Poortvliet
- jsa
- Ken Schneider - openSUSE
- Kim Leyendecker
- Larry Stotler
- Marcus Meissner
- Martin Seidler
- michael@actrix.gen.nz
- Patrick Shanahan
- Per Jessen
- Rajko M.
- Robert Schweikert
- Roger Luedecke
- Roger Oberholtzer
- Steven Hess
- Sven Burmeister
- Will Stephenson