[redhat-lspp] Re: newrole, UID change, etc
Stephen Smalley
sds at tycho.nsa.gov
Fri Apr 28 11:31:33 UTC 2006
On Thu, 2006-04-27 at 13:20 -0500, Klaus Weidner wrote:
> On Mon, Apr 24, 2006 at 04:08:46PM -0400, Stephen Smalley wrote:
> > On Sun, 2006-04-23 at 11:45 +1000, Russell Coker wrote:
> > > I have another idea. If a user is logged in with a context that permits
> > > changing role to sysadm_r, secadm_r, or auditadm_r then permit them to
> > > change to UID=0 with authentication against the root account.
> > >
> > > That way in the permissive mode and selinux=0 cases newrole would
> > > effectively be a version of su which can only change to the root
> > > account. As it would use the same PAM settings as su this would not be
> > > a problem.
> >
> > Remind me again why newrole followed by su isn't adequate? I really
> > don't think we want to re-merge uid changes with context changes.
>
> It's not just convenience, even though I think that's a usability
> concern. (Currently, a "su" without following newrole leaves you in a
> state not useful for any type of system administration.)
>
> The important needed feature is that you need to be able to implement
> separation of duties for human administrators, and (as far as I can tell)
> the current system doesn't enforce this properly. For example, consider
> two users "joe" and "bob", where "joe" is permitted to change to the
> "sysadm" role, and "bob" to the "secadm" role.
>
> Currently, both users would need to be a "staff" user and need to know
> the shared root password. Once they are root, they can newrole to any of
> the administrative roles. There needs to be a place where the permitted
> roles for the original (pre-su) user are stored and checked. (This is
> assuming that people don't log in as root directly.)
I'm not sure I follow. su no longer changes the context at all, so
su'ing doesn't alter the set of roles accessible to you - you are still
bound by the set of roles authorized for your SELinux user identity,
which didn't change upon su.
>
> There's no need for a separate password database, either the user's
> password or the root password could be used to authenticate the role
> change.
>
> -Klaus
--
Stephen Smalley
National Security Agency
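The point Stephen makes above (su changes the Linux UID but not the SELinux context, so the roles reachable through newrole are still those authorized for the SELinux user identity) can be modelled in a few lines. The following is an added illustration, not code from this thread, from newrole, or from the SELinux project: the `SEUSER_ROLES` map is a constructed stand-in shaped like `semanage user -l` output, the `su_root` and `newrole` functions are simplified models of those commands, and the role-to-type derivation (`sysadm_r` to `sysadm_t`) is an assumption made only for the demonstration.

```python
# Added example (not from the thread): a small model of why su does not widen
# the set of roles reachable via newrole. The role map below is constructed
# for illustration in the shape of `semanage user -l` output; it is not a
# real policy.

from dataclasses import dataclass, replace

# Constructed SELinux-user -> authorized-roles map (assumption, not real policy).
SEUSER_ROLES = {
    "staff_u":  {"staff_r", "sysadm_r"},   # "joe": may reach sysadm_r only
    "secadm_u": {"staff_r", "secadm_r"},   # "bob": may reach secadm_r only
    "user_u":   {"user_r"},
}


@dataclass(frozen=True)
class Context:
    """A user:role:type:level security context as printed by `id -Z`."""
    seuser: str
    role: str
    domain: str
    level: str = "s0"

    def __str__(self) -> str:
        return f"{self.seuser}:{self.role}:{self.domain}:{self.level}"


def parse_context(s: str) -> Context:
    """Parse 'user:role:type[:level]'; a missing level defaults to s0."""
    parts = s.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"malformed context: {s!r}")
    level = parts[3] if len(parts) == 4 else "s0"
    return Context(parts[0], parts[1], parts[2], level)


@dataclass(frozen=True)
class Session:
    uid: int
    context: Context


def su_root(sess: Session) -> Session:
    """Model of su: the Linux UID becomes 0, the SELinux context is unchanged."""
    return Session(uid=0, context=sess.context)


def reachable_roles(sess: Session) -> set:
    """Roles the session may newrole to: fixed by the SELinux user, not the UID."""
    return set(SEUSER_ROLES.get(sess.context.seuser, set()))


def newrole(sess: Session, target_role: str) -> Session:
    """Model of newrole: permitted only if the SELinux user is authorized for
    target_role. The UID is untouched; the type is derived as <stem>_t
    (a simplification made for this example)."""
    if target_role not in reachable_roles(sess):
        raise PermissionError(
            f"{sess.context.seuser} is not authorized for role {target_role}")
    new_domain = target_role[:-2] + "_t"   # e.g. sysadm_r -> sysadm_t
    return Session(uid=sess.uid,
                   context=replace(sess.context, role=target_role, domain=new_domain))


def separation_of_duties_demo() -> dict:
    """Walk joe (staff_u) and bob (secadm_u) through su and newrole."""
    joe = Session(uid=1001, context=parse_context("staff_u:staff_r:staff_t:s0"))
    bob = Session(uid=1002, context=parse_context("secadm_u:staff_r:staff_t:s0"))
    joe_root = su_root(joe)   # UID 0, same context, same reachable roles
    bob_root = su_root(bob)
    results = {
        "joe_roles_before_su": reachable_roles(joe),
        "joe_roles_after_su": reachable_roles(joe_root),
        "joe_uid_after_su": joe_root.uid,
        "joe_context_after_su": str(joe_root.context),
        "joe_newrole_sysadm": str(newrole(joe_root, "sysadm_r").context),
        "bob_newrole_secadm": str(newrole(bob_root, "secadm_r").context),
    }
    try:
        newrole(joe_root, "secadm_r")   # joe is root, but still staff_u
        results["joe_newrole_secadm"] = "allowed"
    except PermissionError:
        results["joe_newrole_secadm"] = "denied"
    return results


if __name__ == "__main__":
    for key, value in separation_of_duties_demo().items():
        print(f"{key}: {value}")
```

In this model the shared root password gets joe a UID of 0 but not the `secadm_r` role, because the role check keys on the SELinux user carried in the unchanged context; on a real system the equivalent of `SEUSER_ROLES` is the policy's user-to-role authorization, and the Linux-login-to-SELinux-user mapping is what has to differ between joe and bob for the separation to hold.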