Root access removed
Lamar Owen
lowen at pari.edu
Tue May 11 15:34:56 UTC 2004
On Tuesday 11 May 2004 05:54, Ben Stringer wrote:
> It may be his memstick, but when it is mounted, it becomes one of the
> filesystems available to the operating system. If a user decided they
> wanted their memory stick to mount somewhere under "/etc", they could
> simply subvert system security, controls or existing configuration. This
> is why a mount should require system authorisation. This is fundamental
> security and trading it off for convenience is just that - a trade-off.
> It is your decision - just be sure you are aware of what you sacrifice
> for the convenience.
So then why should I as a user not be allowed to mount under my home
directory? This is something that SELinux will help with, I think. I can
then set a policy to allow me to mount a filesystem under my home (but not
anywhere else!). Is this not the solution?
Likewise, for CD burning it is necessary to be very careful. CD and DVD
burning require very low-level access to the drive; a level low enough
to be able to flash the drive's firmware, even. Well, the current k3b setup
with FC2 does not require root access. I simply burn the CD/DVD just as
in Windows from my ordinary user.
Changing network settings is another place, but even under Windows XP you are
limited as a normal user what you can do in networking. But there are some
things that you CAN do, like setting up a dialup networking connection. I
should not have to have the root password to set up a personal DUN/PPP
connection, and the config files for my personal connection should not reside
in /etc/sysconfig. There are things that should belong to the individual
users, and not to the system. WinXP allows you to specify that for DUN
connections: make it available to all users on the machine or keep it
private. I'd LOVE to see user-private PPP connections for my kids' PC, so
that my wife can connect without needing a password, for instance, but my
kids cannot, and they can even use different connection profiles, etc.
But at the same time I as a multiuser sysadmin (or even in administering
laptops) should be able to configure to disallow those sorts of things: I
might need to require my laptop users (who are using company equipment) to
use OUR dialup, and disallow any changes. Something like Windows Policy
Editor allows for that; SELinux should be able to handle all that easily, if
the policies are set up properly.
It is a fine line between things that belong to the system (and require root)
and things that belong to the user. The statement being made, as I
understand it, is that more needs to belong to the user and less to the
system, where that does not compromise system-level security. But, at the
same time, there are users whose systems DO NOT NEED what I would consider
minimal security. The example given is one of those situations.
So, I'd like to see a 'Power User' setting available for SELinux that would
allow many things that would not compromise network-connected security to be
done by ordinary users, like mounting a filesystem under their home (given
that they have permissions to mount that filesystem; you don't want remounts
of / or /boot, for instance).
--
Lamar Owen
Director of Information Technology
Pisgah Astronomical Research Institute
1 PARI Drive
Rosman, NC 28772
(828)862-5554
www.pari.edu
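The policy the post argues for (a user may mount only below their own home directory, never under /etc, / or /boot, even via a symlink placed in the home), as an added shell example that is not part of the original thread; the wrapper function and the constructed fixture are assumptions:

```shell
#!/bin/sh
# Added example (not from the original post). A mount wrapper would call
# mount_target_allowed before invoking mount(8); it accepts a target only if
# it is a directory that physically resolves to somewhere inside the home.

# canon DIR -> physical path of DIR with all symlinks resolved (POSIX only).
canon() {
    (cd "$1" 2>/dev/null && pwd -P)
}

# mount_target_allowed HOME TARGET -> exit 0 if allowed, 1 otherwise.
mount_target_allowed() {
    home=$1
    target=$2
    # Canonicalise both sides so a symlink (e.g. $HOME/sneaky -> /etc) or
    # a ".." component cannot escape the home directory.
    home_real=$(canon "$home") || return 1
    target_real=$(canon "$target") || return 1
    # The home itself is not a valid mount point, only subdirectories are.
    [ "$target_real" = "$home_real" ] && return 1
    case "$target_real" in
        "$home_real"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed fixture: a fake home containing a real mount point and a
# symlink that points back into /etc. Sets FIXTURE_HOME for the caller.
setup_fixture() {
    FIXTURE_HOME=$(mktemp -d)
    mkdir -p "$FIXTURE_HOME/media/stick"
    ln -s /etc "$FIXTURE_HOME/sneaky"
}

# Demo: report the decision for each candidate target.
demo() {
    setup_fixture
    for t in "$FIXTURE_HOME/media/stick" "$FIXTURE_HOME/sneaky" /etc / /boot; do
        if mount_target_allowed "$FIXTURE_HOME" "$t"; then
            printf 'ALLOW  %s\n' "$t"
        else
            printf 'REJECT %s\n' "$t"
        fi
    done
    rm -rf "$FIXTURE_HOME"
}

demo
```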