[redhat-lspp] LSPP Development Telecon 04/10/2006 Minutes

Russell Coker rcoker at redhat.com
Mon Apr 17 20:45:23 UTC 2006


On Mon, 2006-04-17 at 10:59 -0400, Steve Grubb wrote:
> > > > However audit administration requires root access, so now it seems to
> > > > me that we have a need for three accounts with UID==0, one for sysadm,
> > > > one for secadm, and one for auditadm.
> > >
> > > Accounts or roles ? :)
> >
> > So far we only have the option of passwords on accounts.
> 
> Right...but we could add another database if it's truly needed to solve the 
> problem.

True, but it's something that will take great consideration.

> > > I think so, but I also wonder if we need another password database for
> > > roles. For example, groups can have passwords. There may be situations
> > > where we need separate passwords for each of the roles.
> >
> > So you are suggesting something like the following:
> > login: root:staff_r:staff_t - password A.
> > newrole -r secadm_r - password B
> > newrole -r sysadm_r - password C
> > newrole -r auditadm_r - password D
> >
> > login: root:secadm_r:secadm_t - password B I guess?
> 
> Not quite. I'm thinking of logging in as root which gets the default role 
> sysadm_r. root's password is sufficient for this. Then use newrole to change 
> to secadm_r or auditadm_r, which will prompt for a role's password.

The difference between what you are thinking of and what I am thinking
of in this regard seems to be the default role.

We made sshd not be permitted to enter sysadm_r a couple of years ago
when it was suspected that there might be an exploitable bug in sshd.
With the addition of secadm_r in the MLS policy we may be able to change
this without weakening security.

> newrole (via pam) will query the role password database.

Is this feasible?  The current PAM system is based around passwords
being based on Unix account names.  It seems to me that unless we have a
bunch of dummy Unix accounts (one per role) we won't be able to force
role passwords to fit into PAM.

> > Also where would we store such role passwords?  /etc/rshadow?
> 
> Possibly. I think we should determine if this is desirable and necessary 
> first. I have a feeling it is, but Klaus is a better judge of that.

I have a feeling that we need something along these lines, but your
suggestion doesn't seem to quite match the needs.

I'll spend some time working on this and send some mail to the list.  I
might need to spend a couple of days working on this.