[redhat-lspp] LSPP Development Telecon 04/10/2006 Minutes
Stephen Smalley
sds at tycho.nsa.gov
Mon Apr 17 16:45:04 UTC 2006
On Mon, 2006-04-17 at 10:21 -0400, Steve Grubb wrote:
> On Monday 17 April 2006 09:24, Russell Coker wrote:
> > However audit administration requires root access, so now it seems to me
> > that we have a need for three accounts with UID==0, one for sysadm, one
> > for secadm, and one for auditadm.
>
> Accounts or roles ? :)
>
> > Are we really on the right track with this?
>
> I think so, but I also wonder if we need another password database for roles.
> For example, groups can have passwords. There may be situations where we need
> separate passwords for each of the roles.
>
> > If so we will need to get useradd changed to support creating such
> > accounts.
>
> Semanage should have functionality added to it for adding passwords to roles
> if we need it.
>
> Thoughts...
What is the value of passwords for roles? The policy already governs
the roles that each user can enter, so you don't need another
authorization mechanism like a password. The current prompting for a
password by newrole is just a weak mechanism for verifying user intent
(in the absence of a trusted path mechanism) to avoid trivial invocation
of newrole by malicious code unwittingly executed by the user in order
to move into one of his other authorized roles. Group passwords are an
authorization mechanism for entering a group without being in the group
list. But even with the "password" for a role, you shouldn't be able to
enter the role without being authorized by the policy, so it doesn't
seem to give you any benefit.
--
Stephen Smalley
National Security Agency
More information about the redhat-lspp
mailing list