[redhat-lspp] Re: newrole, UID change, etc

Klaus Weidner klaus at atsec.com
Thu Apr 27 18:20:34 UTC 2006


On Mon, Apr 24, 2006 at 04:08:46PM -0400, Stephen Smalley wrote:
> On Sun, 2006-04-23 at 11:45 +1000, Russell Coker wrote:
> > I have another idea.  If a user is logged in with a context that permits
> > changing role to sysadm_r, secadm_r, or auditadm_r then permit them to
> > change to UID=0 with authentication against the root account.
> > 
> > That way in the permissive mode and selinux=0 cases newrole would
> > effectively be a version of su which can only change to the root
> > account.  As it would use the same PAM settings as su this would not be
> > a problem.
> 
> Remind me again why newrole followed by su isn't adequate?  I really
> don't think we want to re-merge uid changes with context changes.

It's not just convenience, even though I think that's a usability
concern. (Currently, a "su" without following newrole leaves you in a
state not useful for any type of system administration.)

The important needed feature is that you need to be able to implement
separation of duties for human administrators, and (as far as I can tell)
the current system doesn't enforce this properly. For example, consider
two users "joe" and "bob", where "joe" is permitted to change to the
"sysadm" role, and "bob" to the "secadm" role.

Currently, both users would need to be a "staff" user and need to know
the shared root password. Once they are root, they can newrole to any of
the administrative roles. There needs to be a place where the permitted
roles for the original (pre-su) user are stored and checked. (This is
assuming that people don't log in as root directly.)

There's no need for a separate password database, either the user's
password or the root password could be used to authenticate the role
change.

-Klaus