[redhat-lspp] Re: newrole, UID change, etc

Stephen Smalley sds at tycho.nsa.gov
Fri Apr 28 11:31:33 UTC 2006


On Thu, 2006-04-27 at 13:20 -0500, Klaus Weidner wrote:
> On Mon, Apr 24, 2006 at 04:08:46PM -0400, Stephen Smalley wrote:
> > On Sun, 2006-04-23 at 11:45 +1000, Russell Coker wrote:
> > > I have another idea.  If a user is logged in with a context that permits
> > > changing role to sysadm_r, secadm_r, or auditadm_r then permit them to
> > > change to UID=0 with authentication against the root account.
> > > 
> > > That way in the permissive mode and selinux=0 cases newrole would
> > > effectively be a version of su which can only change to the root
> > > account.  As it would use the same PAM settings as su this would not be
> > > a problem.
> > 
> > Remind me again why newrole followed by su isn't adequate?  I really
> > don't think we want to re-merge uid changes with context changes.
> 
> It's not just convenience, even though I think that's a usability
> concern. (Currently, a "su" without following newrole leaves you in a
> state not useful for any type of system administration.)
> 
> The important needed feature is that you need to be able to implement
> separation of duties for human administrators, and (as far as I can tell)
> the current system doesn't enforce this properly. For example, consider
> two users "joe" and "bob", where "joe" is permitted to change to the
> "sysadm" role, and "bob" to the "secadm" role.
> 
> Currently, both users would need to be a "staff" user and need to know
> the shared root password. Once they are root, they can newrole to any of
> the administrative roles. There needs to be a place where the permitted
> roles for the original (pre-su) user are stored and checked. (This is
> assuming that people don't log in as root directly.)

I'm not sure I follow.  su no longer changes the context at all, so
su'ing doesn't alter the set of roles accessible to you - you are still
bound by the set of roles authorized for your SELinux user identity,
which didn't change upon su.

> 
> There's no need for a separate password database, either the user's
> password or the root password could be used to authenticate the role
> change.
> 
> -Klaus
-- 
Stephen Smalley
National Security Agency
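As an added example (not code from the thread, and not SELinux's own implementation), here is a small Python model of the point made above: su changes the UID, newrole changes the role, and the roles reachable through newrole are fixed by the SELinux user identity assigned at login. The seusers mapping, the per-user role sets, and the names joe_u and bob_u are constructed for illustration.

```python
"""Model of login -> SELinux user -> authorized roles, with su and newrole.

Constructed data only: SEUSERS stands in for the login-to-SELinux-user mapping
(the seusers file) and AUTHORIZED_ROLES for the policy's per-user role sets.
"""
from dataclasses import dataclass, replace

# Constructed: Linux login name -> SELinux user identity.
SEUSERS = {
    "joe": "joe_u",
    "bob": "bob_u",
    "root": "root",
    "__default__": "user_u",
}

# Constructed: SELinux user identity -> roles the policy authorizes for it.
# joe may administer the system, bob may administer security; neither gets both.
AUTHORIZED_ROLES = {
    "joe_u": {"staff_r", "sysadm_r"},
    "bob_u": {"staff_r", "secadm_r"},
    "root": {"staff_r", "sysadm_r", "secadm_r", "auditadm_r"},
    "user_u": {"user_r"},
}


@dataclass(frozen=True)
class Process:
    uid: int      # Linux UID, changed by su
    seuser: str   # SELinux user identity, fixed at login
    role: str     # current SELinux role, changed by newrole


def login(name: str, uid: int, role: str) -> Process:
    """Login maps the Linux name to an SELinux user (falling back to __default__)
    and starts a shell in one of that user's authorized roles."""
    seuser = SEUSERS.get(name, SEUSERS["__default__"])
    if role not in AUTHORIZED_ROLES[seuser]:
        raise PermissionError(f"{seuser} is not authorized for {role}")
    return Process(uid=uid, seuser=seuser, role=role)


def su(proc: Process, target_uid: int = 0) -> Process:
    """su changes only the UID; SELinux user identity and role are untouched."""
    return replace(proc, uid=target_uid)


def can_newrole(proc: Process, target_role: str) -> bool:
    """newrole is permitted only for roles authorized for the SELinux user."""
    return target_role in AUTHORIZED_ROLES[proc.seuser]


def newrole(proc: Process, target_role: str) -> Process:
    if not can_newrole(proc, target_role):
        raise PermissionError(f"{proc.seuser} is not authorized for {target_role}")
    return replace(proc, role=target_role)
```

Running `su(login("joe", 1000, "staff_r"))` yields UID 0 but SELinux user joe_u, so `can_newrole(..., "secadm_r")` stays False; bob's root shell is likewise unable to reach sysadm_r.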