Re: More desktop security thoughts (was Re: GNOME privilege library)

From: Alan Cox <alan lxorguk ukuu org uk>
To: Havoc Pennington <hp redhat com>
Cc: Mike Hearn <mike navi cx>, desktop-devel-list gnome org
Subject: Re: More desktop security thoughts (was Re: GNOME privilege library)
Date: Sat, 15 Jan 2005 00:34:01 +0000

On Gwe, 2005-01-14 at 01:31, Havoc Pennington wrote:
> Think about it: why should anyone need two passwords? The system should
> know what each user is allowed to do based on the user's role. The user
> shouldn't have to explicitly change "who they are," that's just
> annoying.
> 

At a technical level for SELinux to work well it is critical that they
do change role. Whether that can be wrapped up out of the users sight is
the question. Probably.

  What about home desktop? Point one is that it isn't that different from
> a managed desktop. Office workers with sysadmins still need to be able
> to do a lot of things that traditionally require root on Linux:
> configure displays, plug in hardware devices, etc.

Depending on the office. There are many offices where plugging in a USB
stick is a firing offence.

> The hardest problem unique to home vs. office is that home users need
> capabilities to install software. I would argue that the user account
> should simply have the ability to run the software installer program
> (some part of which would run as root behind the scenes).

rpm is very bad at this and the kernel doesn't really deal with it well.
I don't know how we want the fs to work to make the behaviour right that
if user a installs OpenOrifice 3 then user b doesn't get inflicted on
them yet if they install the same thing its rather fast to install and
they end up with the same thing.

Its about file system magic

> Automatic security is the only security. Manual, user-pestering security
> is just engineers appeasing their own conscience without solving the
> problem. It's the "PEBKAC" answer to security. "Well, it *can* be used
> securely." The question should be, "*will* it be used securely and if
> not, what work do we have to do so it will be."

You forgot the all important "and if we automate it wrongly how does the
site admin correct the behaviour". Talk to any Windows sysadmin about
SP2 in a large complex environment and they'll tell you they are not
happy about the automated updating stuff. OTOH they are fairly happy
with the tools MS gave them to do something about it.

automated systems make mistake, complex automated systems develop all
kinds of unexpected behaviour as a result of policy interactions. System
theory shows these can be very hard to identify and sometimes
spectacularly destructive.

Follow-Ups:
- Re: More desktop security thoughts (was Re: GNOME privilege library)
  - From: Havoc Pennington
- Re: More desktop security thoughts (was Re: GNOME privilege library)
  - From: Sander Vesik

References:
- GNOME privilege library
  - From: Sean Middleditch
- More desktop security thoughts (was Re: GNOME privilege library)
  - From: Mike Hearn
- Re: More desktop security thoughts (was Re: GNOME privilege library)
  - From: Havoc Pennington

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]