Re: root password considered harmful, and other security policies. (was Re: Torvalds:requiring root password for mundane things is moronic

2012-03-08 Thread Tim Waugh
On Wed, 2012-03-07 at 11:05 -0800, Scott Doty wrote:
 /etc/polkit-1/localauthority.conf.d/60-desktop-policy.conf
 
 Regarding this situation: turns out that if system-config-printer
 doesn't establish proper contact with cups-pk-helper, it will fall back
 to a mode that pops up the root password dialogue.

Some more about this: what you are actually seeing is the IPP
authentication dialog, i.e. the same authentication mechanism you would
use if cups-pk-helper were not installed or if you were configuring a
remote CUPS server.

Although the default username that s-c-printer puts in there is root,
that's just because CUPS requires the root user for remote admin.  CUPS
can be configured to allow e.g. anyone in the wheel group to admin
instead.  It's not clear whether I should make that configuration change
or not.  It's also not clear what the policy for this is, or who to ask,
or whether anyone actually has any clear overview of what the security
policies are for Fedora and how that might differ in each spin etc.

 The FESCo ticket that was opened on my behalf was based on the idea that
 we were confronting a policy decision, not bugs -- and the idea was to
 have whomever reviews security policy do a review of these password
 dialogues to see if any could be eliminated, esp. the root password
 dialogue that kicked off this issue.  There is a Privilege escalation
 policy that can be found here:
 
http://fedoraproject.org/wiki/Privilege_escalation_policy

...except that the primary author of that document told me this month
that it is only a draft and can be ignored¹.  In any case it seems to
make no distinction between a user logged in remotely and one sat in
front of the machine.

In that document you can clearly see where the current cups-pk-helper
policy came from, especially here:

* Add, remove, or downgrade any system-wide application or shared
resource (packaged or otherwise)

Tim.
*/

¹ https://bugzilla.redhat.com/show_bug.cgi?id=596711#c16


-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel

Re: root password considered harmful, and other security policies. (was Re: Torvalds:requiring root password for mundane things is moronic

2012-03-08 Thread Adam Williamson
On Thu, 2012-03-08 at 15:37 +0100, Miloslav Trmač wrote:
 On Thu, Mar 8, 2012 at 10:33 AM, Tim Waugh <twa...@redhat.com> wrote:
 http://fedoraproject.org/wiki/Privilege_escalation_policy
 
  ...except that the primary author of that document told me this month
  that it is only a draft and can be ignored¹.
 
 It was actually approved by FESCo about two years ago:
 
 Given my area of interest I probably should have known the status by
 heart, I'm afraid I didn't.

Yeah, sorry about that, Tim. Given the amount of hard liquor consumption
required by QA, it's never a good idea to rely on my memory.

History of that page shows that it is, indeed, a live policy, and went
out of draft on 16 Feb 2010. I somehow contrived to entirely forget
about that.

Still, it's a policy, and policies can be changed if we want to change
them. I have no strong attachment to the specifics of the current
policy, if my opinion counts for anything. Please do propose
improvements where appropriate.

Now, what did I come in here for? And where did I put my socks?
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
http://www.happyassassin.net


Re: Torvalds:requiring root password for mundane things is moronic

2012-03-07 Thread Miloslav Trmač
On Tue, Mar 6, 2012 at 5:58 AM, Chris Murphy <li...@colorremedies.com> wrote:
 On Mar 5, 2012, at 8:37 PM, Chuck Anderson wrote:

 On Mon, Mar 05, 2012 at 08:35:11PM -0700, Chris Murphy wrote:
 passwd keeps complaining The password fails the dictionary check -
 it is too simplistic for fake words NOT in the dictionary but
 otherwise too simple for passwd's approval system.

 I think you can just ignore passwd's warning in this case, it doesn't
 stop you from going ahead and using the simple password (unless
 something changed in F17).

 Aha. So if I use passwd with liveuser, it says after three tries:
 passwd: Have exhausted maximum number of retries for service

 And does not change the passwd. But if I su to root, it still complains once, 
 but does change the password after the Retype entry.

 NEVERTHELESS. It's idiotic babysitting. And stupid that I need root to do 
 this mundane task. I wonder how many developer man hours were required for 
 this functionality.

UNIX didn't have these defaults originally; they were added in the
90's only after real-world experience has shown that these policies
are necessary (and they have been pretty much unchanged for the last
10-15 years, AFAIK).  Yes, we can fiddle with the tuning, but there's
no way to make everybody happy all the time.  root can always change
the policy in /etc/pam.d/system-auth.

(and FWIW, regarding the hullop130 password, a quick grep shows that
hullo is in the dictionary, and cracklib may have additional rules
or ways to arrive at the password from a different dictionary word).
   Mirek

root password considered harmful, and other security policies. (was Re: Torvalds:requiring root password for mundane things is moronic

2012-03-07 Thread Scott Doty
On 03/05/2012 07:13 AM, Scott Doty wrote:
 On 03/02/2012 04:16 AM, Tim Waugh wrote:
 Yes, it's a policy.

 Also see this bug which I filed nearly two years ago on just this
 subject:
https://bugzilla.redhat.com/show_bug.cgi?id=596711

 Tim.
 */


 New bug report filed:  security policy: root password needed when it
 shouldn't be.

https://bugzilla.redhat.com/show_bug.cgi?id=799988


/etc/polkit-1/localauthority.conf.d/60-desktop-policy.conf

Regarding this situation: turns out that if system-config-printer
doesn't establish proper contact with cups-pk-helper, it will fall back
to a mode that pops up the root password dialogue.  In one case, this
was an SELinux issue, where the root dialogue would show up until
setenforce 0.  In my case here:

   http://ponzo.net/PolKit-printer/

I didn't have SELinux enabled, but I suspect foul play from the
firewall.  (I haven't had a chance to birddog this any further, as I'm
recovering from the worst cold I've ever had in my life -- energy has
been waxing and waning.)

But regarding the security _policy_ for adding the networked printer: 
it is fine.  When everything is working as it is supposed to, and the
user is in the wheel group, there is no query for the root password. 
It was subtle bugs in the implementation that we were up against.

 * * *

There is another matter -- regarding Fedora security policy itself. 
There doesn't seem to be one except an implicit BCP, as implemented in
each package.  If anything, a policy document would have helped in this
case, because the upstream for cups-pk-helper had said that this was a
Fedora policy issue...it would have been handy to visit a policy
document and see that folks in the wheel group should be able to add
printers without root authentication.

Additionally, it would have been helpful to know that the system had
been tested, and worked, as stated in the policy.  There was some
confusion about whether or not asking for the root password was a
limitation in the implementation.  (As it turns out, the system was
falling back to a mode that required the root password, after failing to
carry out the policy via cups-pk-helper.)

The FESCo ticket that was opened on my behalf was based on the idea that
we were confronting a policy decision, not bugs -- and the idea was to
have whomever reviews security policy do a review of these password
dialogues to see if any could be eliminated, esp. the root password
dialogue that kicked off this issue.  There is a Privilege escalation
policy that can be found here:

   http://fedoraproject.org/wiki/Privilege_escalation_policy

This names the qa group as the group to check implementations of policy
-- and names the Fedora Steering Committee as the group to review new
privilege escalation policies.

If there is no objection, I'd like to ask if someone could close
https://fedorahosted.org/fesco/ticket/816 .  Another ticket can be
spawned if there is consensus that change in security policy review is
needed.

A hearty thank you to everybody who helped. :)

 -Scott


Re: Torvalds:requiring root password for mundane things is moronic

2012-03-07 Thread Chris Murphy


On Mar 7, 2012, at 6:29 AM, Miloslav Trmač wrote:
 
 UNIX didn't have these defaults originally; they were added in the
 90's only after real-world experience has shown that these policies
 are necessary (and they have been pretty much unchanged for the last
 10-15 years, AFAIK). 

It's a philosophical conversation that's probably out of scope for this list, 
but this amounts to baby sitting stupid people. The first thing such a person 
must accept as true, is that it's necessary to parent morons by second guessing 
their choices. I think that in and of itself is radically moronic. It says it's 
OK for complete strangers to hassle other people about their passwords, not 
even knowing the context.  It's a shake down, and it's how we've arrived at an 
INSANE password paradigm where we routinely can't choose long memorable 
passwords, and are instead often forced to choose short 12-15 character 
passwords that mandate a certain quantity of numerical and special characters. 
They're difficult to remember, ensuring it will be written down, likely in some 
unencrypted file, and actually increases the statistical likelihood of a 
compromise.

 
 (and FWIW, regarding the hullop130 password, a quick grep shows that
 hullo is in the dictionary, and cracklib may have additional rules
 or ways to arrive at the password from a different dictionary word).


Ok so in other words, this is a 5 year old baby sitter and is marginally 
competent at the intended task from the outset. I get a time to crack between 
101 seconds and 32000 years. The computer in question is used only for testing. 
The single drive was wiped using the ATA ESE command before I started, so there 
literally is nothing useful on this computer, but setting the password was like 
getting sand in body orifices.

I su'd to root and changed the password to hello, and now I feel much better.


Chris Murphy

Re: Torvalds:requiring root password for mundane things is moronic

2012-03-06 Thread Nils Philippsen
On Sat, 2012-03-03 at 15:46 -0800, Scott Doty wrote:
 On 03/03/2012 03:22 PM, Miloslav Trmač wrote:
  On Sun, Mar 4, 2012 at 12:03 AM, Scott Doty <sc...@ponzo.net> wrote:
  How about allowing all printer management of local printers (including
  adding a network printer, as Linus & his daughter were dealing with) with
  two factors:
 
  1) user password
  2) physical access
 
  ...because PolKit already knows when the user is sitting at the console,
  right?
  Sitting at the console is not equivalent to unrestricted physical
  access allowed, e.g. in any university computer lab.
 
 Agreed.  Since we're talking two use case though -- home user and lab 
 user -- it would make sense to have another rpm that would be installed 
 to give the desired behavior to one of the cases (the other case being 
 the default).
 
 I'm not sure about the demographics of Fedora installations, but I would 
 suspect that most lab administrators will be more cognizant of what goes 
 into their lab machines.  Thus, I suggest there be added a new package 
 to alter the behavior for lab machines (and similar use cases), 
 something like polkit-i-am-a-lab, or whichever.
 
 What do you think?

I think that having RPM packages installed (or not) is not a suitable
means for switching on and off certain (sets of) configuration.

Beyond that (and I'm not through the thread completely, so forgive me if
that's been stated elsewhere already), I think it'd be worthwhile to
think about usage profiles like this which come with a set of
configuration defaults tailored to a particular use case,
overridable/extensible by the admin. We just shouldn't come up with some
kind of OO-monster for which admins will hate us.

Nils
-- 
Nils Philippsen  Those who would give up Essential Liberty to purchase 
Red Hat   a little Temporary Safety, deserve neither Liberty
n...@redhat.com   nor Safety.  --  Benjamin Franklin, 1759
PGP fingerprint:  C4A8 9474 5C4C ADE3 2B8F  656D 47D8 9B65 6951 3011


Re: Torvalds:requiring root password for mundane things is moronic

2012-03-05 Thread Scott Doty

On 03/02/2012 04:16 AM, Tim Waugh wrote:

 Yes, it's a policy.

 Also see this bug which I filed nearly two years ago on just this
 subject:
    https://bugzilla.redhat.com/show_bug.cgi?id=596711

 Tim.
 */



New bug report filed:  security policy: root password needed when it 
shouldn't be.


   https://bugzilla.redhat.com/show_bug.cgi?id=799988

There are security implications to exposing the plaintext root password 
(or any password) to intercept and compromise, when they aren't needed 
for the user to contact networked printers in the first place.


(For an easy example: the user could use nc(1) to print to an HP 
jetdirect printer.)


I think what we have here is a zealous attention to security.  That's 
not a bad thing per se, but can lead to insecure policies that have the 
added disadvantage of being highly annoying to people who use Fedora.


OT, but related:  All my own desktops, save a mac mini, have been Fedora 
since FC1, and were RedHat before that since time immemorial.  How 
about you? :)


 -Scott


Re: Torvalds:requiring root password for mundane things is moronic

2012-03-05 Thread Adam Williamson
On Sat, 2012-03-03 at 14:07 -0500, David Zeuthen wrote:

  On Fri, 2012-03-02 at 08:42 -0600, Greg Swift wrote:
   I experience a similar scenario.  On my home system (f16) I have my
   wife and both in the wheel group.  Every time I go to run
   virt-manager
   I get prompted for her password.  I do believe she is first in the
   wheel group after root in /etc/group.  However this doesn't make
   any
   sense to me.  It makes more sense for users that need that level of
   access to all know the root password rather than the users to know
   another user's password.  Even then, if I am in the same group,
   doesn't it make more sense to either prompt for my own password or
   just allow me?  We know each other's password so I've always
   shrugged
   it off cause I'm looking at other issues the few times when I am
   playing with the virtuals at home but since someone brought it
   up...
  
  This sounds pretty straightforwardly like a bug probably in
  PolicyKit,
  to me. It's obviously more correct to use the current user's
  authorization if it's sufficient than just to go with the first user
  in
  the admin group in all cases...
  
  So, file a bug against PolicyKit.
 
 (Ugh, no, please don't tell people to file bugs against polkit
 unless you are actually sure it's a polkit problem. In this case
 it's not.)

Sorry about that, but my general take is that it's important to get
issues filed, and it takes about fifteen seconds for a developer or
appropriately clued-up triager to re-assign a bug or mark it as a dupe,
if they know where it should go. So I tend to err on the side of getting
things filed against a product that's *approximately* correct - as in
the person who owns it will at least know where it should go to, if it's
wrong - rather than worrying so much about getting the assignment
precisely correct that the bug never gets filed.

 for details. If the problem is that both users are in wheel but you
 are asked to authenticate as the user who is not logged in, well,
 that's solved in a gnome-shell update, see

That's the bug being discussed here, AIUI.

  https://bugzilla.gnome.org/show_bug.cgi?id=651547
 
 and check if that patch is included in whatever version you are using.

Thanks for the reference. I found it independently after my mail, and it
seems the patch should be in F17 but not F16. I asked in the bug if it's
too disruptive to be backported to the stable Shell branch that F16 is
on.
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
http://www.happyassassin.net


Re: Torvalds:requiring root password for mundane things is moronic

2012-03-05 Thread Adam Williamson
On Sat, 2012-03-03 at 15:10 -0700, Chris Murphy wrote:

 Depends. What if what's being added is a remote printer, that's merely
 a way to smuggle documents out of a company? So direct attach printers
 are probably fair game for adding without authentication. The user
 clearly has physical access to both computer and printer, the most
 applicable security control in this context is physical. But to add a
 non-local IPP printer is possibly a red flag.

I'm not sure it's remotely plausible to make 'strict in/out security on
a corporate network' the aim of our out of the box security policy. I
don't think we would ever achieve such a goal, but we could sure piss
off a lot of people who aren't part of corporate-wide deployments by
doing so, thus falling neatly between two stools. It really seems more
realistic to aim lower - but at some level that's actually achievable -
with our OOTB policy, and leave securing corporate networks to the
sysadmin of the corporation in question. That's their job, after all.

It's very easy to come up with some sort of theoretical scenario in
which almost *any* kind of ability to use the machine in any way
constitutes a 'security issue', but that doesn't really mean we should
ship a product which comes out of the box to a non-networked, single
user login prompt which refuses all passwords in the name of
security...=)
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
http://www.happyassassin.net


Re: Torvalds:requiring root password for mundane things is moronic

2012-03-05 Thread Chris Murphy
passwd keeps complaining The password fails the dictionary check - it is too 
simplistic for fake words NOT in the dictionary but otherwise too simple for 
passwd's approval system.

I'm using the F17 alpha LiveCD and I'm just testing. I want a SIMPLE password 
and it won't let me use anything I can remember. I have to write down a temp 
password to do TESTING? This behavior is so completely asinine, it's like I 
have a f'n security mom parenting my password selection. I don't know who 
thinks it's their business to programmatically prevent me from choosing dogcrap 
as a password, but it's really irritating.

Oh and the password is hullop130. Nice thwart of an annoying, USELESS behavior, 
huh?


Chris Murphy



Re: Torvalds:requiring root password for mundane things is moronic

2012-03-05 Thread Chuck Anderson
On Mon, Mar 05, 2012 at 08:35:11PM -0700, Chris Murphy wrote:
 passwd keeps complaining The password fails the dictionary check -
 it is too simplistic for fake words NOT in the dictionary but
 otherwise too simple for passwd's approval system.

I think you can just ignore passwd's warning in this case, it doesn't
stop you from going ahead and using the simple password (unless
something changed in F17).

Re: Torvalds:requiring root password for mundane things is moronic

2012-03-05 Thread Chris Murphy
On Mar 5, 2012, at 8:37 PM, Chuck Anderson wrote:

 On Mon, Mar 05, 2012 at 08:35:11PM -0700, Chris Murphy wrote:
 passwd keeps complaining The password fails the dictionary check -
 it is too simplistic for fake words NOT in the dictionary but
 otherwise too simple for passwd's approval system.
 
 I think you can just ignore passwd's warning in this case, it doesn't
 stop you from going ahead and using the simple password (unless
 something changed in F17).

Aha. So if I use passwd with liveuser, it says after three tries:
passwd: Have exhausted maximum number of retries for service

And does not change the passwd. But if I su to root, it still complains once, 
but does change the password after the Retype entry.

NEVERTHELESS. It's idiotic babysitting. And stupid that I need root to do this 
mundane task. I wonder how many developer man hours were required for this 
functionality.

Chris Murphy

Re: Torvalds:requiring root password for mundane things is moronic

2012-03-04 Thread Scott Doty

On 03/03/2012 03:32 PM, Scott Doty wrote:

 On 03/02/2012 04:16 AM, Tim Waugh wrote:

  Yes, it's a policy.

  Also see this bug which I filed nearly two years ago on just this
  subject:
     https://bugzilla.redhat.com/show_bug.cgi?id=596711

  Tim.
  */

 They closed it as an upstream bug.  Then upstream, there doesn't seem 
 to have been an investigation of the bug(?), and it was resolved.

 Here is a new bug I filed at freedesktop.org:

 https://bugs.freedesktop.org/show_bug.cgi?id=46943



Bug was closed notabug by freedesktop.org, since (they explain) this 
is a policy decision they've made, and not a flaw in the software.


I've reopened the bug with this text appended to this message, and I'd 
also like to thank David Zeuthen for speaking up about what is truly a 
moronic security policy.


 -Scott

This is the second time in two years that this has been brought up, and
ignored.  Let's not let it slip through the cracks this time, but make sure we
get this straightened out.

Can you please put me in touch with whomever is in charge of setting this
policy?  I would like to exchange correspondence with the group or committee.

Or if you prefer, please point them at this bug, which I've reopened.

It should be noted that in virtually all cases, the user can contact network
printers on their own.  It is actually less secure to ask for the root password
for this case, because it isn't needed whatsoever to accomplish the task at
hand.  Thus, asking for the password does nothing but expose the plaintext root
password to the system, which is an opportunity to intercept the root password

Thank you for your time, especially on a weekend. :)

 -Scott



Re: Torvalds:requiring root password for mundane things is moronic

2012-03-03 Thread David Zeuthen
Hi,

- Original Message -
 On Fri, 2012-03-02 at 08:42 -0600, Greg Swift wrote:
  I experience a similar scenario.  On my home system (f16) I have my
  wife and both in the wheel group.  Every time I go to run
  virt-manager
  I get prompted for her password.  I do believe she is first in the
  wheel group after root in /etc/group.  However this doesn't make
  any
  sense to me.  It makes more sense for users that need that level of
  access to all know the root password rather than the users to know
  another user's password.  Even then, if I am in the same group,
  doesn't it make more sense to either prompt for my own password or
  just allow me?  We know each other's password so I've always
  shrugged
  it off cause I'm looking at other issues the few times when I am
  playing with the virtuals at home but since someone brought it
  up...
 
 This sounds pretty straightforwardly like a bug probably in
 PolicyKit,
 to me. It's obviously more correct to use the current user's
 authorization if it's sufficient than just to go with the first user
 in
 the admin group in all cases...
 
 So, file a bug against PolicyKit.

(Ugh, no, please don't tell people to file bugs against polkit
unless you are actually sure it's a polkit problem. In this case
it's not.)

If your complaint is that you can't select what user in the 'wheel'
group to authenticate as when prompted for admin auth, it's a problem
with your authentication agent. With GNOME Shell, the decision was
to never show a dropdown menu (a decision I largely agree with), see

 https://bugzilla.redhat.com/show_bug.cgi?id=771278#c3

for details. If the problem is that both users are in wheel but you
are asked to authenticate as the user who is not logged in, well,
that's solved in a gnome-shell update, see

 https://bugzilla.gnome.org/show_bug.cgi?id=651547

and check if that patch is included in whatever version you are using.

If your complaint is that you don't get asked for the root password
but instead of users in the wheel group, then your problem is that
you didn't read the documentation of polkit. Specifically see the
ADMINISTRATOR AUTHENTICATION section of the pklocalauthority(8) man
page, here's a copy

 http://hal.freedesktop.org/docs/polkit/pklocalauthority.8.html

Specifically, you can do this

 # echo -e "[Configuration]\nAdminIdentities=unix-user:0\n" > /etc/polkit-1/localauthority.conf.d/51-force-root-for-admin-auth.conf

to always require the root password when admin auth is needed instead
of using the 'wheel' group (hell, you can even ship this in an RPM
without running into the usual configuration-file conflict crapo).
It's really that simple.

Hope this helps.

 David
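
An added example, not part of the original post and not polkit's own code: pklocalauthority(8) reads the files in localauthority.conf.d in lexical order and later files override earlier ones, so the file name decides whether a drop-in like the one above takes effect. The sketch below resolves the winning AdminIdentities value for a directory; the function names and the sample file contents (including what 60-desktop-policy.conf holds) are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: work out which AdminIdentities setting wins in a
# localauthority.conf.d-style directory (later file names override earlier).

# effective_admin_identities DIR
# Prints "<value> <file name>" for the last non-empty AdminIdentities
# assignment found in a [Configuration] group. Exit 1: none found, 2: bad DIR.
effective_admin_identities() (
    LC_ALL=C; export LC_ALL          # byte-order sorting of the glob below
    dir=$1
    [ -d "$dir" ] || exit 2
    value=
    source=
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue      # also skips the unexpanded glob
        v=$(awk '
            # Track whether we are inside the [Configuration] group
            /^[ \t]*\[/ { in_cfg = ($0 ~ /^[ \t]*\[Configuration\][ \t]*$/); next }
            /^[ \t]*#/  { next }
            in_cfg && /^[ \t]*AdminIdentities[ \t]*=/ {
                sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t\r]+$/, ""); last = $0
            }
            END { if (last != "") print last }
        ' "$f")
        if [ -n "$v" ]; then
            value=$v
            source=${f##*/}
        fi
    done
    [ -n "$value" ] || exit 1
    printf '%s %s\n' "$value" "$source"
)

# admin_auth_mode DIR
# Prints "root-only" when admin authentication is pinned to uid 0,
# "delegated" when other users or groups (e.g. wheel) may authenticate.
admin_auth_mode() {
    line=$(effective_admin_identities "$1") || return $?
    case ${line%% *} in
        unix-user:0|unix-user:root) echo root-only ;;
        *) echo delegated ;;
    esac
}

# make_sample_dir
# Builds a throwaway directory with CONSTRUCTED sample files and prints its path.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    printf '[Configuration]\nAdminIdentities=unix-user:0\n' \
        > "$d/50-localauthority.conf"
    printf '[Configuration]\nAdminIdentities=unix-user:0\n' \
        > "$d/51-force-root-for-admin-auth.conf"
    # Assumed content for the desktop policy file named in this thread
    printf '[Configuration]\nAdminIdentities=unix-group:wheel\n' \
        > "$d/60-desktop-policy.conf"
    printf '%s\n' "$d"
}

# Stand-alone use: pass a directory such as /etc/polkit-1/localauthority.conf.d
if [ $# -ge 1 ]; then
    effective_admin_identities "$1" && admin_auth_mode "$1"
fi
```

With the constructed files, the 60- file overrides the 51- drop-in; a drop-in meant to win has to sort after every file that sets the same key.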



Re: Torvalds:requiring root password for mundane things is moronic

2012-03-03 Thread Neal Becker
Adam Williamson wrote:

 On Fri, 2012-03-02 at 10:18 -0500, Matthias Clasen wrote:
 On Thu, 2012-03-01 at 21:53 -0800, Adam Williamson wrote:
 
  
  In case anyone's wondering what that actually does, here's what I can
  figure out.
  
  What it does directly is to add the user to the 'wheel' group. I'm not
  sure what all the consequences of that are, but there's two I've been
  able to find. The first is that the default /etc/sudoers allows people
  in the wheel group to run any command as root, which is great and all,
  but we don't use sudo for anything at the desktop level, so it really
  only affects people who run sudo from the console.
  
  The other thing it does, if I'm reading stuff right, is that users in
  the wheel group are considered 'admins' by PolicyKit. That's good. Now
  as to what that means, I'm not 100% sure, but I *think* what it means is
  that for any action which would require a non-admin user to authenticate
  as root, an admin user can authenticate as themselves. i.e. instead of a
  root password dialog, you'd get a your-own-password dialog. I might be
  off base there, though, and if I am I'm sure someone smarter will
  correct me. :)
 
 No, you pretty much nailed it.
 
 I guess the next step, then, besides fixing these bugs with admin group
 handling that people have started reporting in this thread, would be to
 consider if re-authentication actually makes any sense to many of these
 actions. Couldn't we just let users in the admin group go ahead and do
 things like printer configuration without having to re-enter their own
 password? Do we have a solid basic theory about when re-authentication
 should be asked for, or is it more the case right now that no-one's
 really thought too hard about this stuff lately and it's one of those
 things that's considered to 'work well enough' and people are spending
 time on 'more important' things?

Here's one part of the principle:

I. The ONLY reason for re-auth is to prevent trojans/web attacks.

This implies

- Don't ask for re-auth for an action that isn't really potentially harmful 
(e.g., adding a printer)


Re: Torvalds:requiring root password for mundane things is moronic

2012-03-03 Thread Chris Murphy


On Mar 3, 2012, at 1:00 PM, Neal Becker wrote:
 
 
 Here's one part of the principle:
 
 I. The ONLY reason for re-auth is to prevent trojans/web attacks.
 
 This implies
 
 - Don't ask for re-auth for an action that isn't really potentially harmful 
 (e.g., adding a printer)

Depends. What if what's being added is a remote printer, that's merely a way to 
smuggle documents out of a company? So direct attach printers are probably fair 
game for adding without authentication. The user clearly has physical access to 
both computer and printer, the most applicable security control in this context 
is physical. But to add a non-local IPP printer is possibly a red flag.


Chris Murphy

Re: Torvalds:requiring root password for mundane things is moronic

2012-03-03 Thread Miloslav Trmač
On Sat, Mar 3, 2012 at 11:10 PM, Chris Murphy <li...@colorremedies.com> wrote:
 On Mar 3, 2012, at 1:00 PM, Neal Becker wrote:
 - Don't ask for re-auth for an action that isn't really potentially harmful
 (e.g., adding a printer)

 Depends. What if what's being added is a remote printer, that's merely a way 
 to smuggle documents out of a company? So direct attach printers are probably 
 fair game for adding without authentication. The user clearly has physical 
 access to both computer and printer, the most applicable security control in 
 this context is physical. But to add a non-local IPP printer is possibly a 
 red flag.

Curiously enough, I was thinking exactly the opposite - anyone able to
open a TCP/IP socket is able to print on a remote printer, so this
does not need to be restricted; but accessing local hardware may be
something a system administrator of a multi-user system may want to
restrict.  (You may have noticed that at least in some Windows
versions, network printers can be configured per-user, but
hardware-attached printers are always system-wide.)

A complete lockdown to prevent transferring data out of the system is
a much harder problem (even if you only allow users to run a web
browser, they may use it to send data to a server).
   Mirek

Re: Torvalds:requiring root password for mundane things is moronic

2012-03-03 Thread Scott Doty

On 03/02/2012 03:21 AM, Conan Kudo (ニール・ゴンパ) wrote:



 For printers, currently installing printers does not require superuser 
 privileges, but managing those printers installed by that user does. 
 Is it possible to make it so that printers installed by that user can 
 be managed by the user without superuser authentication?




BTW, I am in the wheel group on the workstation for those screenshots 
I posted.


In case you didn't look, it was asking for a root password anyway.

Also, under details, it showed that two of those dialogues came from 
components from OpenSUSE...the same distro that Linus was complaining about.


 -Scott
Cite: http://ponzo.net/PolKit-printer/



Re: Torvalds:requiring root password for mundane things is moronic

2012-03-03 Thread Scott Doty

On 03/03/2012 02:19 PM, Miloslav Trmač wrote:

On Sat, Mar 3, 2012 at 11:10 PM, Chris Murphy li...@colorremedies.com wrote:

On Mar 3, 2012, at 1:00 PM, Neal Becker wrote:

-  Don't ask for re-auth for an action that isn't really potentially harmful
(e.g., adding a printer)

Depends. What if what's being added is a remote printer, that's merely a way to 
smuggle documents out of a company? So direct attach printers are probably fair 
game for adding without authentication. The user clearly has physical access to 
both computer and printer, the most applicable security control in this context 
is physical. But to add a non-local IPP printer is possibly a red flag.

Curiously enough, I was thinking exactly the opposite - anyone able to
open a TCP/IP socket is able to print on a remote printer, so this
does not need to be restricted; but accessing local hardware may be
something a system administrator of a multi-user system may want to
restrict.  (You may have noticed that at least in some Windows
versions, network printers can be configured per-user, but
hardware-attached printers are always system-wide.)

A complete lockdown to prevent transferring data out of the system is
a much harder problem (even if you only allow users to run a web
browser, they may use it to send data to a server).
Mirek


How about allowing all printer management of local printers (including 
adding a network printer, as Linus & his daughter were dealing with) 
with two factors:


1) user password
2) physical access

...because PolKit already knows when the user is sitting at the console, 
right?


 -Scott


Re: Torvalds:requiring root password for mundane things is moronic

2012-03-03 Thread Chris Murphy

On Mar 3, 2012, at 3:19 PM, Miloslav Trmač wrote:
 A complete lockdown to prevent transferring data out of the system is
 a much harder problem (even if you only allow users to run a web
 browser, they may use it to send data to a server).

Yeah, you're right, I can just open a gmail or dropbox account within a web 
browser, upload the data.

I think the distinction is who is going to have to support the result. If 
it's a home user or small business, they will have to provide support no matter 
what the connection is; and in a many user environment with some kind of IT 
staff, it's potentially a different granularity. In some cases they may have no 
problem with a local printer being attached, or conversely as you point out may 
have no problem with remote printers.

But any printer addition affects the UI and UX, and a potential increase for 
support. Therefore blanket allowance for any user to add any device is probably 
not a good idea. Even if there aren't security risks.

I prefer the first created user defaulting to being an administrator. At least 
on Mac OS (not to suggest it's right, only that I'm most familiar with its 
behavior), the consequences to this are authentication dialogs appear far less 
often. And I'm added to the following groups:

_appserveradm
_appserverusr
_lpadmin
access_bpf
admin
com.apple.access_screensharing
com.apple.access_ssh


Without additional authentication, as an admin, I can add/modify/remove 
printers, change timezone, make network modifications, make file and device 
sharing modifications, perform software updates, change startup disk. Normal 
users can't change these things.

As admin, I can't make changes to users and groups, or security/privacy related 
changes unless there is additional authentication.

Chris Murphy

Re: Torvalds:requiring root password for mundane things is moronic

2012-03-03 Thread Miloslav Trmač
On Sun, Mar 4, 2012 at 12:03 AM, Scott Doty sc...@ponzo.net wrote:
 How about allowing all printer management of local printers (including
 adding a network printer, as Linus & his daughter were dealing with) with
 two factors:

 1) user password
 2) physical access

 ...because PolKit already knows when the user is sitting at the console,
 right?

Sitting at the console is not equivalent to unrestricted physical
access allowed, e.g. in any university computer lab.

From my POV, the guiding principle is "is this changing the setup for
other users of the machine?" If so, then it needs authentication.
(see also 
https://fedoraproject.org/wiki/User:Adamwill/Draft_Fedora_privilege_escalation_policy
).  Under this rule, adding a system-wide printer definitely needs
administrative authentication (but we may provide a way to configure
single-user machines so that they don't require the authentication,
see again the draft).

Another way to look at this issue is - if printers were maintained
per-user (per-user, unprivileged cups daemon, per-user configuration,
per-user print queue), there would be no reason to ask for
authentication.  Given that printers are so often networked nowadays
and no access to hardware is required, we might even be able to avoid
running the system-wide cups daemon at all in some cases.  There would
be one less process running as root, no reason to authenticate, an
increase both in security and ease of use.  We would be actually
_solving_ the problem instead of tinkering with administration
requirements to hide it so that Linus doesn't notice :)

Would something like this be at all possible to do with cups and the
current printing design and protocols?
   Mirek

Re: Torvalds:requiring root password for mundane things is moronic

2012-03-03 Thread Scott Doty

On 03/02/2012 04:16 AM, Tim Waugh wrote:

On Fri, 2012-03-02 at 05:21 -0600, Conan Kudo (ニール・ゴンパ) wrote:

For printers, currently installing printers does not require superuser
privileges, but managing those printers installed by that user does.
Is it possible to make it so that printers installed by that user can
be managed by the user without superuser authentication?

Yes, it's a policy.

Also see this bug which I filed nearly two years ago on just this
subject:
   https://bugzilla.redhat.com/show_bug.cgi?id=596711

Tim.

They closed it as an upstream bug.  Then upstream, there doesn't seem to 
have been an investigation of the bug(?), and it was resolved.


Here is a new bug I filed at freedesktop.org:

   https://bugs.freedesktop.org/show_bug.cgi?id=46943

And Tim:  I personally feel the handling of your bug was a process that 
could use improvement upstream.


 -Scott


Re: Torvalds:requiring root password for mundane things is moronic

2012-03-03 Thread Scott Doty

On 03/03/2012 03:22 PM, Miloslav Trmač wrote:

On Sun, Mar 4, 2012 at 12:03 AM, Scott Doty sc...@ponzo.net wrote:

How about allowing all printer management of local printers (including
adding a network printer, as Linus & his daughter were dealing with) with
two factors:

1) user password
2) physical access

...because PolKit already knows when the user is sitting at the console,
right?

Sitting at the console is not equivalent to unrestricted physical
access allowed, e.g. in any university computer lab.


Agreed.  Since we're talking two use cases though -- home user and lab 
user -- it would make sense to have another rpm that would be installed 
to give the desired behavior to one of the cases (the other case being 
the default).


I'm not sure about the demographics of Fedora installations, but I would 
suspect that most lab administrators will be more cognizant of what goes 
into their lab machines.  Thus, I suggest there be added a new package 
to alter the behavior for lab machines (and similar use cases), 
something like polkit-i-am-a-lab, or whichever.


What do you think?

Also:

 From my POV, the guiding principle is "is this changing the setup for
other users of the machine?" If so, then it needs authentication.
(see also 
https://fedoraproject.org/wiki/User:Adamwill/Draft_Fedora_privilege_escalation_policy
).  Under this rule, adding a system-wide printer definitely needs
administrative authentication (but we may provide a way to configure
single-user machines so that they don't require the authentication,
see again the draft).

Another way to look at this issue is - if printers were maintained
per-user (per-user, unprivileged cups daemon, per-user configuration,
per-user print queue), there would be no reason to ask for
authentication.  Given that printers are so often networked nowadays
and no access to hardware is required, we might even be able to avoid
running the system-wide cups daemon at all in some cases.  There would
be one less process running as root, no reason to authenticate, an
increase both in security and ease of use.  We would be actually
_solving_ the problem instead of tinkering with administration
requirements to hide it so that Linus doesn't notice :)

Would something like this be at all possible to do with cups and the
current printing design and protocols?
Mirek


This has a lot of merit(!)   I suggest that it be handled as an 
_addition_ (not a replacement) to the library as library support for 
per-user networked printers that don't use the cups daemon at all.  
There is nothing lost with that from a security perspective, because the 
user could just print to a file, and nc it off to a jetdirect printer 
port (or use the samba client, or whatever).


The reason for the addition would be to avoid having to completely 
replace cupsd, as well as giving the system administrator (in the lab, 
or otherwise) the option to continue to use cupsd.  Because 
philosophically speaking, I'd rather have choice than a 
one-size-fits-all. (ahem).


Also, I did file a bug at freedesktop.org, where (maybe?) discussing 
policy changes might be appropriate:


https://bugs.freedesktop.org/show_bug.cgi?id=46943

 -Scott


Re: Torvalds:requiring root password for mundane things is moronic

2012-03-03 Thread Scott Doty

On 03/03/2012 11:07 AM, David Zeuthen wrote:

Hi,

- Original Message -

On Fri, 2012-03-02 at 08:42 -0600, Greg Swift wrote:
This sounds pretty straightforwardly like a bug probably in 
PolicyKit, to me. It's obviously more correct to use the current 
user's authorization if it's sufficient than just to go with the 
first user in the admin group in all cases... So, file a bug against 
PolicyKit. 

(Ugh, no, please don't tell people to file bugs against polkit
unless you are actually sure it's a polkit problem. In this case
it's not.)


David, please look at my comments on the ticket you closed.

https://bugs.freedesktop.org/show_bug.cgi?id=46943

I've re-opened the ticket with it set to cups-pk-helper.  I suggest 
freedesktop.org stop this maddening policy of close ticket quick, and 
actually try to route it to the group that can help.


So when you wrote:

==|  Sure, that's bad and agree I with Torvalds it's inappropriate to 
require administrator authentication etc... but it's not a polkit 
problem since polkit is only a toolkit (and a toolkit can be used 
correctly or incorrectly etc). You should file a bug against the 
mechanism in question - looks like it's this project |==


I'm having a hard time reconciling your words that you agree this is a 
problem, with your actions of shutting the door in my face.


Pax.

 -Scott


Re: Torvalds:requiring root password for mundane things is moronic

2012-03-02 Thread Chris Murphy

On Mar 1, 2012, at 10:53 PM, Adam Williamson wrote:

 On Thu, 2012-03-01 at 17:43 -0500, Adam Jackson wrote:
 On Thu, 2012-03-01 at 16:39 -0500, Daniel J Walsh wrote:
 
 I believe Fedora 17 has an add user to admin group checkbox when
 adding the initial user, not sure if it is checked on or off by default.
 
 Off by default (having just tried it today).
 
 In case anyone's wondering what that actually does, here's what I can
 figure out.
 
 What it does directly is to add the user to the 'wheel' group. I'm not
 sure what all the consequences of that are, but there's two I've been
 able to find. The first is that the default /etc/sudoers allows people
 in the wheel group to run any command as root, which is great and all,
 but we don't use sudo for anything at the desktop level, so it really
 only affects people who run sudo from the console.
 
 The other thing it does, if I'm reading stuff right, is that users in
 the wheel group are considered 'admins' by PolicyKit. That's good. Now
 as to what that means, I'm not 100% sure, but I *think* what it means is
 that for any action which would require a non-admin user to authenticate
 as root, an admin user can authenticate as themselves. i.e. instead of a
 root password dialog, you'd get a your-own-password dialog. I might be
 off base there, though, and if I am I'm sure someone smarter will
 correct me. :)

From my own experience, anything I change in the GUI that requires 
authentication, it is for user 'chris' if that user was added as an admin with 
the checkbox in the create first user steps. If that checkbox is not checked, 
any authentication dialog that appears is for user 'root'.

My interpretation of Torvalds' complaint, is with the mere existence of 
authentication dialogs in the first place, for certain things. Mac OS X has 
always required authentication (from a user with admin privileges) for 
changing the Date/Time including time zones, which is an absurdity. In the most 
recent version, it's no longer possible for a non-authenticated user with admin 
privileges (in effect two levels of privileges for the same user with the same 
login and the same password) to install e.g. ICC color profiles to a folder 
making the profiles available to all users. So I'm an admin, and if I want to 
modify a folder, I have to enter my password in a pop-up authentication dialog 
to add/remove ICC profiles. Worse, the individual user folder for these 
profiles is now hidden by default. It's high order insanity.

Chris Murphy

Re: Torvalds:requiring root password for mundane things is moronic

2012-03-02 Thread ニール・ゴンパ
On Fri, Mar 2, 2012 at 2:12 AM, Chris Murphy li...@colorremedies.com wrote:


 On Mar 1, 2012, at 10:53 PM, Adam Williamson wrote:

  On Thu, 2012-03-01 at 17:43 -0500, Adam Jackson wrote:
  On Thu, 2012-03-01 at 16:39 -0500, Daniel J Walsh wrote:
 
  I believe Fedora 17 has an add user to admin group checkbox when
  adding the initial user, not sure if it is checked on or off by
 default.
 
  Off by default (having just tried it today).
 
  In case anyone's wondering what that actually does, here's what I can
  figure out.
 
  What it does directly is to add the user to the 'wheel' group. I'm not
  sure what all the consequences of that are, but there's two I've been
  able to find. The first is that the default /etc/sudoers allows people
  in the wheel group to run any command as root, which is great and all,
  but we don't use sudo for anything at the desktop level, so it really
  only affects people who run sudo from the console.
 
  The other thing it does, if I'm reading stuff right, is that users in
  the wheel group are considered 'admins' by PolicyKit. That's good. Now
  as to what that means, I'm not 100% sure, but I *think* what it means is
  that for any action which would require a non-admin user to authenticate
  as root, an admin user can authenticate as themselves. i.e. instead of a
  root password dialog, you'd get a your-own-password dialog. I might be
  off base there, though, and if I am I'm sure someone smarter will
  correct me. :)

 From my own experience, anything I change in the GUI that requires
 authentication, it is for user 'chris' if that user was added as an admin
 with the checkbox in the create first user steps. If that checkbox is not
 checked, any authentication dialog that appears is for user 'root'.

 My interpretation of Torvalds' complaint, is with the mere existence of
 authentication dialogs in the first place, for certain things. Mac OS X has
 always required authentication (from a user with admin privileges) for
 changing the Date/Time including time zones, which is an absurdity. In the
 most recent version, it's no longer possible for a non-authenticated user
 with admin privileges (in effect two levels of privileges for the same user
 with the same login and the same password) to install e.g. ICC color
 profiles to a folder making the profiles available to all users. So I'm an
 admin, and if I want to modify a folder, I have to enter my password in a
 pop-up authentication dialog to add/remove ICC profiles. Worse, the
 individual user folder for these profiles is now hidden by default. It's
 high order insanity.

 Chris Murphy


As far as time zones and date/time settings are concerned, didn't there
used to be a user-level setting for this? There's a variable for command
line apps called TZ (for timezone) that can be set at the individual user's
level, but apparently graphical applications don't obey this variable. I
don't know about date/time itself, though.

For printers, currently installing printers does not require superuser
privileges, but managing those printers installed by that user does. Is it
possible to make it so that printers installed by that user can be managed
by the user without superuser authentication?

Re: Torvalds:requiring root password for mundane things is moronic

2012-03-02 Thread Nikos Roussos
Here is a weird example of how Fedora currently handles some permission
procedures. I created a standard user account (no admin rights) and I'm
trying to install a package. When I press apply I'm prompted to enter a
password. Since I have no admin rights I would expect to be asked for the
root password. Instead of that I'm asked to enter a password of another
user who happens to be in the administrative group!

See the screenshot as a proof:
http://s.autoverse.net/yYi6AF
See on the top right corner that I'm logged in with another account.

So in the UX level we have actually disabled the root account (I can
remember when was the last time I was prompted to enter it) thus we keep
asking for a root password during installation that ends up confusing
people about its purpose.


PS. an interesting question: if I had two users on my system belonging to
the administrative group. which one's password I'll be prompted to enter
when I'm logged with a standard user account, like the example above.

Re: Torvalds:requiring root password for mundane things is moronic

2012-03-02 Thread Tim Waugh
On Fri, 2012-03-02 at 05:21 -0600, Conan Kudo (ニール・ゴンパ) wrote:
 For printers, currently installing printers does not require superuser
 privileges, but managing those printers installed by that user does.
 Is it possible to make it so that printers installed by that user can
 be managed by the user without superuser authentication?

Yes, it's a policy.

Also see this bug which I filed nearly two years ago on just this
subject:
  https://bugzilla.redhat.com/show_bug.cgi?id=596711

Tim.

Re: Torvalds:requiring root password for mundane things is moronic

2012-03-02 Thread Neal Becker
Daniel J Walsh wrote:

 
 On 02/29/2012 04:03 PM, Scott Doty wrote:
 On 02/29/2012 08:46 AM, David Malcolm wrote:
 On Wed, 2012-02-29 at 07:02 -0500, Neal Becker wrote:
 I think he's got a point
 
 
http://www.osnews.com/story/25659/Torvalds_requiring_root_password_for_mundane_things_is_quot_moronic_quot_


 
 http://fedoraproject.org/wiki/Releases/FeaturePolicyKit
 in Fedora 8 onwards,
 
 It was revamped in Fedora 12:
 http://fedoraproject.org/wiki/Features/PolicyKitOne
 
 
 And (on Fedora 16), it still asks for the root password to add a
 printer.
 
 http://ponzo.net/PolKit-printer/
 
 -Scott
 
 I believe Fedora 17 has an add user to admin group checkbox when
 adding the initial user, not sure if it is checked on or off by default.
 
 
Actually, FC16 has this feature (and I use it).  But this is sometimes even more
confusing.  Does that dialog want my password, or root pw?  Some dialogs do
clearly say, some don't.


Re: Torvalds:requiring root password for mundane things is moronic

2012-03-02 Thread Greg Swift
On Fri, Mar 2, 2012 at 05:36, Nikos Roussos ni...@autoverse.net wrote:

 Here is a weird example of how Fedora currently handles some permission
 procedures. I created a standard user account (no admin rights) and I'm
 trying to install a package. When I press apply I'm prompted to enter a
 password. Since I have no admin rights I would expect to be asked for the
 root password. Instead of that I'm asked to enter a password of another
 user who happens to be in the administrative group!

 See the screenshot as a proof:
 http://s.autoverse.net/yYi6AF
 See on the top right corner that I'm logged in with another account.

 So in the UX level we have actually disabled the root account (I can
 remember when was the last time I was prompted to enter it) thus we keep
 asking for a root password during installation that ends up confusing
 people about its purpose.


 PS. an interesting question: if I had two users on my system belonging to
 the administrative group. which one's password I'll be prompted to enter
 when I'm logged with a standard user account, like the example above.


I experience a similar scenario.  On my home system (f16) I have my wife
and both in the wheel group.  Every time I go to run virt-manager I get
prompted for her password.  I do believe she is first in the wheel group
after root in /etc/group.  However this doesn't make any sense to me.  It
makes more sense for users that need that level of access to all know the
root password rather than the users to know another user's password.  Even
then, if I am in the same group, doesn't it make more sense to either
prompt for my own password or just allow me?  We know each other's password
so I've always shrugged it off cause I'm looking at other issues the few
times when I am playing with the virtuals at home but since someone brought
it up...

-greg

Re: Torvalds:requiring root password for mundane things is moronic

2012-03-02 Thread Matthias Clasen
On Thu, 2012-03-01 at 21:53 -0800, Adam Williamson wrote:

 
 In case anyone's wondering what that actually does, here's what I can
 figure out.
 
 What it does directly is to add the user to the 'wheel' group. I'm not
 sure what all the consequences of that are, but there's two I've been
 able to find. The first is that the default /etc/sudoers allows people
 in the wheel group to run any command as root, which is great and all,
 but we don't use sudo for anything at the desktop level, so it really
 only affects people who run sudo from the console.
 
 The other thing it does, if I'm reading stuff right, is that users in
 the wheel group are considered 'admins' by PolicyKit. That's good. Now
 as to what that means, I'm not 100% sure, but I *think* what it means is
 that for any action which would require a non-admin user to authenticate
 as root, an admin user can authenticate as themselves. i.e. instead of a
 root password dialog, you'd get a your-own-password dialog. I might be
 off base there, though, and if I am I'm sure someone smarter will
 correct me. :)

No, you pretty much nailed it.


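The wheel-group behaviour described in the quoted text above can be audited on a host by resolving which accounts count as administrators. This is an added example, not code from the thread or from polkit; it assumes the polkit local-authority configuration format (`AdminIdentities=` under `[Configuration]` in `/etc/polkit-1/localauthority.conf.d/*.conf`, files read in lexical order with later ones overriding earlier ones), and every file content, user name and function name in it is constructed for illustration.

```python
import configparser

# Constructed sample data (assumptions for the example, not from a real host).
SAMPLE_CONF = {
    "50-localauthority.conf": "[Configuration]\nAdminIdentities=unix-user:0\n",
    "60-desktop-policy.conf": "[Configuration]\nAdminIdentities=unix-group:wheel\n",
}
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
carol:x:1002:10::/home/carol:/bin/bash
"""
SAMPLE_GROUP = """\
root:x:0:
wheel:x:10:root,alice
alice:x:1000:
bob:x:1001:
"""


def effective_admin_identities(conf_files):
    """Return AdminIdentities from the lexically last file that sets it."""
    identities = []
    for name in sorted(conf_files):
        parser = configparser.ConfigParser(interpolation=None)
        parser.optionxform = str  # keep key names case-sensitive
        parser.read_string(conf_files[name], source=name)
        value = parser.get("Configuration", "AdminIdentities", fallback=None)
        if value is not None:
            identities = [i.strip() for i in value.split(";") if i.strip()]
    return identities


def parse_passwd(text):
    """Return [(name, uid, gid)] in file order."""
    users = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and not line.startswith("#"):
            users.append((fields[0], int(fields[2]), int(fields[3])))
    return users


def parse_group(text):
    """Return {group_name: (gid, [members in file order])}."""
    groups = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and not line.startswith("#"):
            members = [m for m in fields[3].split(",") if m]
            groups[fields[0]] = (int(fields[2]), members)
    return groups


def resolve_admin_users(identities, passwd_text, group_text):
    """Expand identities to user names; return (admins, unresolved)."""
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    by_uid = {uid: name for name, uid, _ in users}
    known = {name for name, _, _ in users}
    admins, unresolved = [], []

    def add(name):
        if name not in admins:
            admins.append(name)

    for ident in identities:
        kind, _, value = ident.partition(":")
        if kind == "unix-user":
            name = by_uid.get(int(value)) if value.isdigit() else value
            if name in known:
                add(name)
            else:
                unresolved.append(ident)
        elif kind == "unix-group" and value in groups:
            gid, members = groups[value]
            for member in members:  # explicit members, /etc/group order
                add(member)
            # Audit choice: also count users whose primary GID is the group,
            # since that route makes them group members as well.
            for name, _, primary_gid in users:
                if primary_gid == gid:
                    add(name)
        else:
            unresolved.append(ident)  # unknown group or identity kind
    return admins, unresolved


def expected_prompt(user, admins):
    """Prompt expected under the model described in the thread (not polkit's
    own logic): admins authenticate as themselves, others as an admin."""
    return "own password" if user in admins else "an administrator's password"


if __name__ == "__main__":
    idents = effective_admin_identities(SAMPLE_CONF)
    admins, unresolved = resolve_admin_users(idents, SAMPLE_PASSWD, SAMPLE_GROUP)
    print("AdminIdentities:", idents)
    print("Administrator accounts:", admins, "unresolved:", unresolved)
    for user in ("alice", "bob"):
        print(user, "->", expected_prompt(user, admins))
```

On a real host the three inputs would be read from the configuration directory, `/etc/passwd` and `/etc/group`; a dialog that names a different account than this model predicts is worth reporting against the component that raised it.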

Re: Torvalds:requiring root password for mundane things is moronic

2012-03-02 Thread Sérgio Basto
On Thu, 2012-03-01 at 20:49 -0500, Daniel J Walsh wrote:
 On 03/01/2012 05:43 PM, Adam Jackson wrote:
  On Thu, 2012-03-01 at 16:39 -0500, Daniel J Walsh wrote:
  
  I believe Fedora 17 has an add user to admin group checkbox when 
  adding the initial user, not sure if it is checked on or off by
  default.
  
  Off by default (having just tried it today).
  
  - ajax
  
  
  
 Probably should default to on.

I prefer put one note like: if your name is Linus , check it, please.  :) 


-- 
Sérgio M. B.



Re: Torvalds:requiring root password for mundane things is moronic

2012-03-02 Thread Daniel J Walsh

On 03/02/2012 10:38 AM, Sérgio Basto wrote:
 On Thu, 2012-03-01 at 20:49 -0500, Daniel J Walsh wrote:
 On 03/01/2012 05:43 PM, Adam Jackson wrote:
 On Thu, 2012-03-01 at 16:39 -0500, Daniel J Walsh wrote:
 
 I believe Fedora 17 has an add user to admin group checkbox
 when adding the initial user, not sure if it is checked on or
 off by default.
 
 Off by default (having just tried it today).
 
 - ajax
 
 
 
 Probably should default to on.
 
 I prefer put one note like: if your name is Linus , check it,
 please.  :)
 
 

Prompting for the password for a user in the wheel group, is just the
same as saying I am a human, to make sure an application can not cause
the privileged escalation.  If we had a mechanism called trusted path,
where we knew a human caused an action, then you would not need to ask
for the password.

Of course we have wanted trusted path for nearly 10 years ...


Re: Torvalds:requiring root password for mundane things is moronic

2012-03-02 Thread Nathanael D. Noblet

On 03/02/2012 06:59 AM, Neal Becker wrote:

I believe Fedora 17 has an add user to admin group checkbox when
adding the initial user, not sure if it is checked on or off by default.



Actually, FC16 has this feature (and I use it).  But this is sometimes even more
confusing.  Does that dialog want my password, or root pw?  Some dialogs do
clearly say, some don't.


+1*1

The number of times I wonder... which password do I enter here? Is 
astounding.




--
Nathanael d. Noblet
t 403.875.4613

Re: Torvalds:requiring root password for mundane things is moronic

2012-03-02 Thread Kevin Wright

On Feb 29, 2012, at 9:18 AM, Chris Murphy wrote:

 
 
 On Feb 29, 2012, at 7:08 AM, Nikos Roussos wrote:
 
 Why not add by default the first user created (right after installation 
 finishes) to administrative group and disable the root account? 
 
 
 This is, in fact, how Apple has done things circa 1999 with Mac OS X. You can 
 'su' to root, you can also 'sudo' but you can't literally login as root 
 either in text console or GUI, the account is disabled. And the first user is 
 an 'admin' by default.
 
 Chris Murphy

Hi Chris,

I'm not sure what you mean but you can't literally login as root either in the 
text console... 

This is confusing to me since I've been using the root account on Mac OS X 
since 2001. I was working for Apple as a build engineer and all of our builds 
were performed using the root account. 

Here's an article that explains how to enable the root account:

http://support.apple.com/kb/HT1528

Cheers,
--Kevin

Re: Torvalds:requiring root password for mundane things is moronic

2012-03-02 Thread Sergio Pascual
Hi, regarding this problem (polkit asks you for the password of
another user), I have filed this bug report

https://bugzilla.redhat.com/show_bug.cgi?id=799480

I have hit this problem myself in several computers.

Regards, Sergio

2012/3/2 Greg Swift xa...@fedoraproject.org:
 On Fri, Mar 2, 2012 at 05:36, Nikos Roussos ni...@autoverse.net wrote:

 Here is a weird example of how Fedora currently handles some permission
 procedures. I created a standard user account (no admin rights) and I'm
 trying to install a package. When I press apply I'm prompted to enter a
 password. Since I have no admin rights I would expect to be asked for the
 root password. Instead of that I'm asked to enter a password of another user
 who happens to be in the administrative group!

 See the screenshot as a proof:
 http://s.autoverse.net/yYi6AF
 See on the top right corner that I'm logged in with another account.

 So in the UX level we have actually disabled the root account (I can
 remember when was the last time I was prompted to enter it) thus we keep
 asking for a root password during installation that ends up confusing
 people about its purpose.


 PS. an interesting question: if I had two users on my system belonging to
 the administrative group. which one's password I'll be prompted to enter
 when I'm logged with a standard user account, like the example above.


 I experience a similar scenario.  On my home system (f16) I have my wife and
 both in the wheel group.  Every time I go to run virt-manager I get prompted
 for her password.  I do believe she is first in the wheel group after root
 in /etc/group.  However this doesn't make any sense to me.  It makes more
 sense for users that need that level of access to all know the root password
 rather than the users to know another user's password.  Even then, if I am
 in the same group, doesn't it make more sense to either prompt for my own
 password or just allow me?  We know each other's password so I've always
 shrugged it off cause I'm looking at other issues the few times when I am
 playing with the virtuals at home but since someone brought it up...

 -greg




-- 
Sergio Pascual     http://guaix.fis.ucm.es/~spr    +34 91 394 5018
gpg fingerprint: 5203 B42D 86A0 5649 410A F4AC A35F D465 F263 BCCC
Departamento de Astrofísica -- Universidad Complutense de Madrid (Spain)

Re: Torvalds:requiring root password for mundane things is moronic

2012-03-02 Thread Chris Murphy


On Mar 2, 2012, at 10:26 AM, Kevin Wright wrote:
 On Feb 29, 2012, at 9:18 AM, Chris Murphy wrote:
 
 On Feb 29, 2012, at 7:08 AM, Nikos Roussos wrote:
 
 Why not add by default the first user created (right after installation 
 finishes) to administrative group and disable the root account? 
 
 
 This is, in fact, how Apple has done things circa 1999 with Mac OS X. You 
 can 'su' to root, you can also 'sudo' but you can't literally login as root 
 either in text console or GUI, the account is disabled. And the first user 
 is an 'admin' by default.
 
 
 
 Hi Chris,
 
 I'm not sure what you mean but you can't literally login as root either in 
 the text console... 
 
 This is confusing to me since I've been using the root account on Mac OS X 
 since 2001. I was working for Apple as a build engineer and all of our builds 
 were performed using the root account. 
 
 Here's an article that explains how to enable the root account:
 
 http://support.apple.com/kb/HT1528


I'm not sure why you're confused. The account is disabled, and until it's 
enabled you can't login as root, either using ssh, or entering  at the 
loginwindow to get to a text console and trying to login as root there. Once 
the root account is enabled you can.

Chris Murphy

Re: Torvalds:requiring root password for mundane things is moronic

2012-03-02 Thread Alexander Boström
Wed 2012-02-29 at 17:51 -0500, Simo Sorce wrote:

 That said I understand your pain and realize the current solution is
 not ideal for the casual user. Maybe we should have 2 security profiles
 (lax and strict) that you can choose at install time so that people can
 choose what they like best.

I'd call them single user and multi user.

On a single user machine it makes sense to try to protect the user from
themself, but you do that by carefully selecting defaults and explaining
what the issues are with connecting to a non-trusted network, for
example. Not by asking for a password at random points.

On a multi user machine it makes sense to protect users from each other
and prevent one user from doing things that may cause problems for other
users, like modifying the IP routing or the host-wide printer config.
You really need an extra password or a dedicated admin account to
elevate to, then.

/Alexander



Re: Torvalds:requiring root password for mundane things is moronic

2012-03-02 Thread Richard Shaw
On Fri, Mar 2, 2012 at 8:42 AM, Greg Swift xa...@fedoraproject.org wrote:
 On Fri, Mar 2, 2012 at 05:36, Nikos Roussos ni...@autoverse.net wrote:

 Here is a weird example of how Fedora currently handles some permission
 procedures. I created a standard user account (no admin rights) and I'm
 trying to install a package. When I press apply I'm prompted to enter a
 password. Since I have no admin rights I would expect to be asked for the
 root password. Instead of that I'm asked to enter a password of another user
 who happens to be in the administrative group!

 See the screenshot as a proof:
 http://s.autoverse.net/yYi6AF
 See on the top right corner that I'm logged in with another account.

 So in the UX level we have actually disabled the root account (I can
 remember when was the last time I was prompted to enter it) thus we keep
 asking for a root password during installation that ends up confusing
 people about its purpose.


 PS. an interesting question: if I had two users on my system belonging to
 the administrative group. which one's password I'll be prompted to enter
 when I'm logged with a standard user account, like the example above.


 I experience a similar scenario.  On my home system (f16) I have my wife and
 both in the wheel group.  Every time I go to run virt-manager I get prompted
 for her password.  I do believe she is first in the wheel group after root
 in /etc/group.  However this doesn't make any sense to me.  It makes more
 sense for users that need that level of access to all know the root password
 rather than the users to know another user's password.  Even then, if I am
 in the same group, doesn't it make more sense to either prompt for my own
 password or just allow me?  We know each other's password so I've always
 shrugged it off cause I'm looking at other issues the few times when I am
 playing with the virtuals at home but since someone brought it up...

This sub-thread seems to have gotten dropped but I was hoping for a
Fedora admin type to pipe up and say, "Hmm... That shouldn't happen."

I ran into this on my wife's laptop where I created my account first
to keep the UID/GID's consistent across our systems but when I added
her account I did mark it as an admin account, yet each time it
prompts her for my password, not hers.

Richard

Re: Torvalds:requiring root password for mundane things is moronic

2012-03-02 Thread Adam Williamson
On Fri, 2012-03-02 at 08:42 -0600, Greg Swift wrote:
 On Fri, Mar 2, 2012 at 05:36, Nikos Roussos ni...@autoverse.net
 wrote:
 Here is a weird example of how Fedora currently handles some
 permission procedures. I created a standard user account (no
 admin rights) and I'm trying to install a package. When I
 press apply I'm prompted to enter a password. Since I have no
 admin rights I would expect to be asked for the root password.
 Instead of that I'm asked to enter a password of another user
 who happens to be in the administrative group!
 
 See the screenshot as a proof:
 http://s.autoverse.net/yYi6AF
 See on the top right corner that I'm logged in with another
 account.
 
 So in the UX level we have actually disabled the root account
 (I can remember when was the last time I was prompted to enter
 it) thus we keep asking for a root password during
 installation that ends up confusing people about its
 purpose.
 
 
 PS. an interesting question: if I had two users on my system
 belonging to the administrative group. which one's password
 I'll be prompted to enter when I'm logged with a standard user
 account, like the example above.
 
 
 I experience a similar scenario.  On my home system (f16) I have my
 wife and both in the wheel group.  Every time I go to run virt-manager
 I get prompted for her password.  I do believe she is first in the
 wheel group after root in /etc/group.  However this doesn't make any
 sense to me.  It makes more sense for users that need that level of
 access to all know the root password rather than the users to know
 another user's password.  Even then, if I am in the same group,
 doesn't it make more sense to either prompt for my own password or
 just allow me?  We know each other's password so I've always shrugged
 it off cause I'm looking at other issues the few times when I am
 playing with the virtuals at home but since someone brought it up...

This sounds pretty straightforwardly like a bug probably in PolicyKit,
to me. It's obviously more correct to use the current user's
authorization if it's sufficient than just to go with the first user in
the admin group in all cases...

So, file a bug against PolicyKit.
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
http://www.happyassassin.net


Re: Torvalds:requiring root password for mundane things is moronic

2012-03-02 Thread Adam Williamson
On Fri, 2012-03-02 at 10:18 -0500, Matthias Clasen wrote:
 On Thu, 2012-03-01 at 21:53 -0800, Adam Williamson wrote:
 
  
  In case anyone's wondering what that actually does, here's what I can
  figure out.
  
  What it does directly is to add the user to the 'wheel' group. I'm not
  sure what all the consequences of that are, but there's two I've been
  able to find. The first is that the default /etc/sudoers allows people
  in the wheel group to run any command as root, which is great and all,
  but we don't use sudo for anything at the desktop level, so it really
  only affects people who run sudo from the console.
  
  The other thing it does, if I'm reading stuff right, is that users in
  the wheel group are considered 'admins' by PolicyKit. That's good. Now
  as to what that means, I'm not 100% sure, but I *think* what it means is
  that for any action which would require a non-admin user to authenticate
  as root, an admin user can authenticate as themselves. i.e. instead of a
  root password dialog, you'd get a your-own-password dialog. I might be
  off base there, though, and if I am I'm sure someone smarter will
  correct me. :)
 
 No, you pretty much nailed it.

I guess the next step, then, besides fixing these bugs with admin group
handling that people have started reporting in this thread, would be to
consider if re-authentication actually makes any sense to many of these
actions. Couldn't we just let users in the admin group go ahead and do
things like printer configuration without having to re-enter their own
password? Do we have a solid basic theory about when re-authentication
should be asked for, or is it more the case right now that no-one's
really thought too hard about this stuff lately and it's one of those
things that's considered to 'work well enough' and people are spending
time on 'more important' things?
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
http://www.happyassassin.net


Re: Torvalds:requiring root password for mundane things is moronic

2012-03-02 Thread Adam Williamson
On Fri, 2012-03-02 at 09:34 -0700, Nathanael D. Noblet wrote:
 On 03/02/2012 06:59 AM, Neal Becker wrote:
  I believe Fedora 17 has an add user to admin group checkbox when
  adding the initial user, not sure if it is checked on or off by default.
 
 
  Actually, FC16 has this feature (and I use it).  But this is sometimes even more
  confusing.  Does that dialog want my password, or root pw?  Some dialogs do
  clearly say, some don't.
 
 +1*1
 
 The number of times I wonder... which password do I enter here? Is 
 astounding.

I'd say it's a pretty solid principle that you should file a bug any
time you come across a dialog which doesn't specify this.
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
http://www.happyassassin.net


Re: Torvalds:requiring root password for mundane things is moronic

2012-03-02 Thread Adam Williamson
On Fri, 2012-03-02 at 18:45 +0100, Sergio Pascual wrote:
 Hi, regarding this problem (polkit asks you for the password of
 another user), I have filed this bug report
 
 https://bugzilla.redhat.com/show_bug.cgi?id=799480
 
 I have hit this problem myself in several computers.

So if you follow the breadcrumbs on that you now wind up at:

https://bugzilla.gnome.org/show_bug.cgi?id=651547

which seems to suggest it ought to be fixed at least in F17. The commit
is after 3.2 went stable, so unless it was specifically backported to
the 3.2 branch, it's probably not fixed in F16.

So can people confirm that it's fixed if they test F17 Alpha? Matthias,
would this be considered too big a change to backport to 3.2?
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
http://www.happyassassin.net


Re: Torvalds:requiring root password for mundane things is moronic

2012-03-02 Thread Nathanael D. Noblet

On 03/02/2012 02:41 PM, Adam Williamson wrote:
 On Fri, 2012-03-02 at 09:34 -0700, Nathanael D. Noblet wrote:
  On 03/02/2012 06:59 AM, Neal Becker wrote:
   I believe Fedora 17 has an add user to admin group checkbox when
   adding the initial user, not sure if it is checked on or off by default.

   Actually, FC16 has this feature (and I use it).  But this is sometimes even more
   confusing.  Does that dialog want my password, or root pw?  Some dialogs do
   clearly say, some don't.

  +1*1

  The number of times I wonder... which password do I enter here? Is
  astounding.

 I'd say it's a pretty solid principle that you should file a bug any
 time you come across a dialog which doesn't specify this.


I will from now on... at the time it was more of a am I the only one
who doesn't get this? I trust the developers so it must be me. :D


--
Nathanael d. Noblet
t 403.875.4613

Re: Torvalds:requiring root password for mundane things is moronic

2012-03-02 Thread Adam Williamson
On Fri, 2012-03-02 at 14:51 -0700, Nathanael D. Noblet wrote:
 On 03/02/2012 02:41 PM, Adam Williamson wrote:
  On Fri, 2012-03-02 at 09:34 -0700, Nathanael D. Noblet wrote:
  On 03/02/2012 06:59 AM, Neal Becker wrote:
  I believe Fedora 17 has an add user to admin group checkbox when
  adding the initial user, not sure if it is checked on or off by default.
 
 
  Actually, FC16 has this feature (and I use it).  But this is sometimes even more
  confusing.  Does that dialog want my password, or root pw?  Some dialogs do
  clearly say, some don't.
 
  +1*1
 
  The number of times I wonder... which password do I enter here? Is
  astounding.
 
  I'd say it's a pretty solid principle that you should file a bug any
  time you come across a dialog which doesn't specify this.
 
 I will from now on... at the time it was more of a am I the only one
 who doesn't get this? I trust the developers so it must be me. :D

You trust the developers? Have you ever met them? I wouldn't leave a
used pencil unguarded in the same building as the desktop team. ;)
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
http://www.happyassassin.net


Re: Torvalds:requiring root password for mundane things is moronic

2012-03-01 Thread Lennart Poettering
On Wed, 29.02.12 18:27, Simo Sorce (s...@redhat.com) wrote:

 On Thu, 2012-03-01 at 00:17 +0100, Lennart Poettering wrote:
  On Wed, 29.02.12 17:51, Simo Sorce (s...@redhat.com) wrote:
  
   On Wed, 2012-02-29 at 10:09 -0700, Chris Murphy wrote:
    On Feb 29, 2012, at 5:15 AM, drago01 wrote:

     On Wed, Feb 29, 2012 at 1:02 PM, Neal Becker ndbeck...@gmail.com wrote:
      I think he's got a point

      http://www.osnews.com/story/25659/Torvalds_requiring_root_password_for_mundane_things_is_quot_moronic_quot_

    My example is mDNS being blocked in the Firewall by default *and* it
    requires a root password to unblock it. Completely retarded.
   
   Except that mDNS is a real security issue (because you can hijack name
   resolution quite easily with it).
  
  Can you? How so?
  
  Sure, you can muck with the .local domain, since that's the mDNS domain,
  but hey, if you are stupid enough to trust the .local domain in insecure
  networks, then it is your own fault, as the suffix .local kinda comes
  with this big implied label of HEY! THIS DOMAIN IS RESOLVED FROM DATA
  MULTICASTED ON THE LOCAL LINK.
 
 Yeah unfortunately there are a ton of sites that use the .local suffix
 for their local domain for example. Some predate mDNS hijacking of it
 for 'untrusted local stuff'.

Well, I don't consider this really that much of a *security*
issue. Unicast DNS domains called .local are made entirely unavailable
if mDNS is used, which is the default on MacOS and Linux. I am sure
there are still setups which use .local in unicast domains, but things
are not really primarily insecure for them, but they are *entirely
broken* for them. That's a completely different quality.

 Also you should really define 'You' here. Because the issue is that mDNS
 in Fedora is inserted by default in the hosts database and IIRC before
 DNS, so it gets a chance to always reply before a DNS query is made. This
 of course makes sense for its uses, why ask the DNS if you know this is
 a .local name that the DNS should not know about ?

The NSS module is authoritative for .local and .local only. It will not
respond for host lookups outside this domain, and hence cannot be used
to muck around with anything outside the mDNS domain .local. You cannot
override normal unicast host names via multicast.

Lennart

-- 
Lennart Poettering - Red Hat, Inc.

Re: Torvalds:requiring root password for mundane things is moronic

2012-03-01 Thread Tomasz Torcz
On Thu, Mar 01, 2012 at 03:11:53PM +0100, Lennart Poettering wrote:
  Also you should really define 'You' here. Because the issue is that mDNS
  in Fedora is inserted by default in the hosts database and IIRC before
  DNS, so it gets a chance to always reply before a DNS query is made. This
  of course makes sense for its uses, why ask the DNS if you know this is
  a .local name that the DNS should not know about ?
 
 The NSS module is authoritative for .local and .local only. It will not
 respond for host lookups outside this domain, and hence cannot be used
 to muck around with anything outside the mDNS domain .local. You cannot
 override normal unicast host names via multicast.

  Can normal resolver settings be overridden by mDNS and publish-dns-servers= ?

-- 
Tomasz Torcz               What is unreal -- is normal here.
xmpp: zdzich...@chrome.pl  The homies here have special patents for life.


Re: Torvalds:requiring root password for mundane things is moronic

2012-03-01 Thread Lennart Poettering
On Thu, 01.03.12 15:16, Tomasz Torcz (to...@pipebreaker.pl) wrote:

 On Thu, Mar 01, 2012 at 03:11:53PM +0100, Lennart Poettering wrote:
   Also you should really define 'You' here. Because the issue is that mDNS
   in Fedora is inserted by default in the hosts database and IIRC before
   DNS, so it gets a chance to always reply before a DNS query is made. This
   of course makes sense for its uses, why ask the DNS if you know this is
   a .local name that the DNS should not know about ?
  
  The NSS module is authoritative for .local and .local only. It will not
  respond for host lookups outside this domain, and hence cannot be used
  to muck around with anything outside the mDNS domain .local. You cannot
  override normal unicast host names via multicast.
 
   Can normal resolver settings be overridden by mDNS and publish-dns-servers= ?

Only if avahi-dnsconfd is installed and enabled, but nobody does that,
and it is not the default anywhere. In fact I am tempted to simply
remove that feature entirely from Avahi, since it's pretty useless and
DHCP is a much better option for this.

Lennart

-- 
Lennart Poettering - Red Hat, Inc.

Re: Torvalds:requiring root password for mundane things is moronic

2012-03-01 Thread Adam Jackson
On Thu, 2012-03-01 at 16:39 -0500, Daniel J Walsh wrote:

 I believe Fedora 17 has an add user to admin group checkbox when
 adding the initial user, not sure if it is checked on or off by default.

Off by default (having just tried it today).

- ajax



Re: Torvalds:requiring root password for mundane things is moronic

2012-03-01 Thread Daniel J Walsh
On 03/01/2012 05:43 PM, Adam Jackson wrote:
 On Thu, 2012-03-01 at 16:39 -0500, Daniel J Walsh wrote:
 
 I believe Fedora 17 has an add user to admin group checkbox when 
 adding the initial user, not sure if it is checked on or off by
 default.
 
 Off by default (having just tried it today).
 
 - ajax
 
 
 
Probably should default to on.

Re: Torvalds:requiring root password for mundane things is moronic

2012-03-01 Thread Kevin Kofler
Giovanni Campagna wrote:
 PS: it would be useful to have some GUI tool to configure PolicyKit.
 Every time I clean my system I have to dig through dozens of manual
 pages just to get virt-manager without a password for my user.

https://projects.kde.org/projects/extragear/base/polkit-kde-kcmodules-1

Kevin Kofler


Re: Torvalds:requiring root password for mundane things is moronic

2012-03-01 Thread Adam Williamson
On Wed, 2012-02-29 at 11:46 -0500, David Malcolm wrote:
 On Wed, 2012-02-29 at 07:02 -0500, Neal Becker wrote:
  I think he's got a point
  
  http://www.osnews.com/story/25659/Torvalds_requiring_root_password_for_mundane_things_is_quot_moronic_quot_
 
 
 http://fedoraproject.org/wiki/Releases/FeaturePolicyKit
 in Fedora 8 onwards, 
 
 It was revamped in Fedora 12:
 http://fedoraproject.org/wiki/Features/PolicyKitOne

PolicyKit is an awesome mechanism, but it's really only part of the
story. Just having a mechanism in place isn't everything you need.

The rest of the story is that we need to port as much stuff as possible
to use PolicyKit for privilege escalation, we need to ensure that the
default policy is good (what constitutes 'good' is, ahem, up for
discussion, Linus suggests the default should make sure for a fairly
non-critical, end user desktop, M A Young suggests the opposite, but we
should at least have a solid project-wide understanding of what we're
broadly aiming for, and try to make sure everything fits that story) and
also, probably, that we have easy 'drop-in' alternative policies. It'd
be great if, say, we shipped with a fairly loose default policy intended
for a single-user desktop, but you could drop in a more restrictive
policy appropriate for a shared machine just by installing a package.

Just for the record, I've had an interesting chat with Linus via private
mail about this stuff, and I'll probably poke a few interested
devs/maintainers soon.
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
http://www.happyassassin.net


Re: Torvalds:requiring root password for mundane things is moronic

2012-03-01 Thread Adam Williamson
On Thu, 2012-03-01 at 17:43 -0500, Adam Jackson wrote:
 On Thu, 2012-03-01 at 16:39 -0500, Daniel J Walsh wrote:
 
  I believe Fedora 17 has an add user to admin group checkbox when
  adding the initial user, not sure if it is checked on or off by default.
 
 Off by default (having just tried it today).

In case anyone's wondering what that actually does, here's what I can
figure out.

What it does directly is to add the user to the 'wheel' group. I'm not
sure what all the consequences of that are, but there's two I've been
able to find. The first is that the default /etc/sudoers allows people
in the wheel group to run any command as root, which is great and all,
but we don't use sudo for anything at the desktop level, so it really
only affects people who run sudo from the console.

The other thing it does, if I'm reading stuff right, is that users in
the wheel group are considered 'admins' by PolicyKit. That's good. Now
as to what that means, I'm not 100% sure, but I *think* what it means is
that for any action which would require a non-admin user to authenticate
as root, an admin user can authenticate as themselves. i.e. instead of a
root password dialog, you'd get a your-own-password dialog. I might be
off base there, though, and if I am I'm sure someone smarter will
correct me. :)
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
http://www.happyassassin.net
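
An added example, not part of the thread and not polkit's own code: it works out which accounts the polkit local authority configuration discussed above treats as administrators, and whether a given user should be able to answer an admin prompt with their own password. The file contents, account names and the `expected_prompt` helper are constructed assumptions; the `AdminIdentities` key and the `unix-user:` / `unix-group:` identity syntax are those documented in pklocalauthority(8).

```python
import configparser

# Constructed sample inputs (not copied from a real system).
CONF_FILES = {
    "50-localauthority.conf": "[Configuration]\nAdminIdentities=unix-user:0\n",
    "60-desktop-policy.conf": "[Configuration]\nAdminIdentities=unix-group:wheel\n",
}
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
carol:x:1002:1002::/home/carol:/bin/bash
"""
GROUP = """\
root:x:0:
wheel:x:10:root,alice,bob
alice:x:1000:
bob:x:1001:
carol:x:1002:
"""


def effective_admin_identities(conf_files):
    """Return the AdminIdentities list that wins once every file is read.

    The *.conf files are applied in lexical order of file name and a later
    file overrides an earlier one, as pklocalauthority(8) describes.
    """
    winner = []
    for name in sorted(n for n in conf_files if n.endswith(".conf")):
        parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
        parser.optionxform = str  # keep the key's case as written
        parser.read_string(conf_files[name], source=name)
        if parser.has_option("Configuration", "AdminIdentities"):
            raw = parser.get("Configuration", "AdminIdentities")
            winner = [part.strip() for part in raw.split(";") if part.strip()]
    return winner


def resolve_admins(identities, passwd_text, group_text):
    """Expand polkit identities into account names, in the order listed."""
    users = {}   # name -> (uid, primary gid)
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4:
            users[fields[0]] = (int(fields[2]), int(fields[3]))
    groups = {}  # name -> (gid, explicit members)
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4:
            groups[fields[0]] = (int(fields[2]),
                                 [m for m in fields[3].split(",") if m])
    admins = []

    def add(name):
        if name in users and name not in admins:
            admins.append(name)

    for ident in identities:
        kind, _, value = ident.partition(":")
        if kind == "unix-user":
            if value.isdigit():          # numeric uid, e.g. unix-user:0
                for name, (uid, _gid) in users.items():
                    if uid == int(value):
                        add(name)
            else:
                add(value)
        elif kind == "unix-group" and value in groups:
            gid, members = groups[value]
            for name in members:         # supplementary members first
                add(name)
            for name, (_uid, primary) in users.items():
                if primary == gid:       # then accounts with it as primary group
                    add(name)
        # Other identity kinds (e.g. unix-netgroup) are not resolved here.
    return admins


def expected_prompt(requesting_user, admins):
    """Hypothetical helper encoding the expectation voiced in the thread:
    an admin should be asked for their own password, anyone else for an
    admin's. Returns ("self", [user]) or ("other", admins)."""
    if requesting_user in admins:
        return ("self", [requesting_user])
    return ("other", list(admins))


if __name__ == "__main__":
    idents = effective_admin_identities(CONF_FILES)
    admins = resolve_admins(idents, PASSWD, GROUP)
    print("effective AdminIdentities:", idents)
    print("resolved admin accounts:  ", admins)
    for user in ("bob", "carol"):
        print(user, "->", expected_prompt(user, admins))
```

Comparing this output with the account a real dialog names is a quick way to tell a configuration problem from the agent behaviour reported in this thread.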


Torvalds:requiring root password for mundane things is moronic

2012-02-29 Thread Neal Becker
I think he's got a point

http://www.osnews.com/story/25659/Torvalds_requiring_root_password_for_mundane_things_is_quot_moronic_quot_


Re: Torvalds:requiring root password for mundane things is moronic

2012-02-29 Thread drago01
On Wed, Feb 29, 2012 at 1:02 PM, Neal Becker ndbeck...@gmail.com wrote:
 I think he's got a point

 http://www.osnews.com/story/25659/Torvalds_requiring_root_password_for_mundane_things_is_quot_moronic_quot_

Yeah but last time we tried this in fedora it got flamefested so we
had to revert.

Re: Torvalds:requiring root password for mundane things is moronic

2012-02-29 Thread Emanuel Rietveld

On 02/29/2012 01:15 PM, drago01 wrote:
 On Wed, Feb 29, 2012 at 1:02 PM, Neal Becker ndbeck...@gmail.com wrote:
  I think he's got a point

  http://www.osnews.com/story/25659/Torvalds_requiring_root_password_for_mundane_things_is_quot_moronic_quot_

 Yeah but last time we tried this in fedora it got flamefested so we
 had to revert.


Perhaps a solution is adding a group with the needed permissions and 
make it really easy to add an account to that group.


Re: Torvalds:requiring root password for mundane things is moronic

2012-02-29 Thread Giovanni Campagna
On 29 February 2012 13:02, Neal Becker ndbeck...@gmail.com wrote:
 I think he's got a point

 http://www.osnews.com/story/25659/Torvalds_requiring_root_password_for_mundane_things_is_quot_moronic_quot_

FWIW, date/time and network require no authentication (including
system-wide things like NTP). Managing printers requires unlock, but
printing, installing a new local printer or connecting to mdns / cups
browsing network printers does not.

Giovanni

PS: it would be useful to have some GUI tool to configure PolicyKit.
Every time I clean my system I have to dig through dozens of manual
pages just to get virt-manager without a password for my user.

Re: Torvalds:requiring root password for mundane things is moronic

2012-02-29 Thread Mark Bidewell
On Wed, Feb 29, 2012 at 7:36 AM, Emanuel Rietveld codehot...@gmail.com wrote:

 On 02/29/2012 01:15 PM, drago01 wrote:

 On Wed, Feb 29, 2012 at 1:02 PM, Neal Becker ndbeck...@gmail.com wrote:

 I think he's got a point

 http://www.osnews.com/story/25659/Torvalds_requiring_root_password_for_mundane_things_is_quot_moronic_quot_


 Yeah but last time we tried this in fedora it got flamefested so we
 had to revert.


 Perhaps a solution is adding a group with the needed permissions and make
 it really easy to add an account to that group.


+1 to this.  Many tasks should not require full root permissions to
execute. Having a set of groups centered around tasks (install printers,
install software, etc.)  would definitely make this simpler.  This method
would also arguably be more secure than sudo as processes don't run with
root permission therefore root privileges cannot be gained by exploiting a
program.   Another situation where having a group based security would be
nice is access to privileged ports.  Try running JBoss as a non-root user
on port 80.

-- 
Mark Bidewell
http://www.linkedin.com/in/markbidewell

Re: Torvalds:requiring root password for mundane things is moronic

2012-02-29 Thread Tomasz Torcz
On Wed, Feb 29, 2012 at 01:41:52PM +0100, Giovanni Campagna wrote:
 PS: it would be useful to have some GUI tool to configure PolicyKit.
 Every time I clean my system I have to dig through dozens of manual
 pages just to get virt-manager without a password for my user.

  Once upon a time, there was one, quite useful even:
http://farm4.staticflickr.com/3036/2714263023_a1fbfb8f03.jpg
(from 
http://magazine.redhat.com/2008/07/29/whats-next-in-red-hat-enterprise-linux-part-1/
 )

-- 
Tomasz Torcz   72-|   80-|
xmpp: zdzich...@chrome.pl  72-|   80-|


Re: Torvalds:requiring root password for mundane things is moronic

2012-02-29 Thread Camilo Mesias
Hi,

On Wed, Feb 29, 2012 at 12:41 PM, Giovanni Campagna
scampa.giova...@gmail.com wrote:
 On 29 February 2012 13:02, Neal Becker ndbeck...@gmail.com wrote:
 I think he's got a point

 http://www.osnews.com/story/25659/Torvalds_requiring_root_password_for_mundane_things_is_quot_moronic_quot_

 FWIW, date/time and network require no authentication (including
 system-wide things like NTP). Managing printers requires unlock, but
 printing, installing a new local printer or connecting to mdns / cups
 browsing network printers does not.

I think, last time I did this I had to perform several actions as root
- one was firewall related, I also had to install some packages that
weren't available by default and configure / discover the network
printer. Maybe I will take notes next time and enter a bug, although
to be honest I would not expect the sophistication of elegant UI that
Torvalds seems to, from Fedora (I have entered bugs on similar niggles
in audio config, network manager, gdm etc.).

-Cam

Re: Torvalds:requiring root password for mundane things is moronic

2012-02-29 Thread Chris Evich

On 02/29/2012 07:46 AM, Mark Bidewell wrote:
 On Wed, Feb 29, 2012 at 7:36 AM, Emanuel Rietveld codehot...@gmail.com wrote:
  On 02/29/2012 01:15 PM, drago01 wrote:
   On Wed, Feb 29, 2012 at 1:02 PM, Neal Becker ndbeck...@gmail.com wrote:
    I think he's got a point

    http://www.osnews.com/story/25659/Torvalds_requiring_root_password_for_mundane_things_is_quot_moronic_quot_

   Yeah but last time we tried this in fedora it got flamefested so we
   had to revert.

  Perhaps a solution is adding a group with the needed permissions and make
  it really easy to add an account to that group.

 +1 to this.  Many tasks should not require full root permissions to
 execute. Having a set of groups centered around tasks (install printers,
 install software, etc.)  would definitely make this simpler.  This method
 would also arguably be more secure than sudo as processes don't run with
 root permission therefore root privileges cannot be gained by exploiting a
 program.   Another situation where having a group based security would be
 nice is access to privileged ports.  Try running JBoss as a non-root user
 on port 80.




Another +1 to the groups idea.  It would enable a simple convenience 
feature as well:  When prompting a user for the root password to do 
something the first time, include a check-box to add the user to the 
proper group behind-the-scene (with a warning that user needs to 
logout/login for change to be effective).  Maybe also include a simple 
management program to enable/disable/display allowed functionality for 
specific users based on descriptions (i.e. instead of group name - which 
may be meaningless to a n00b).  Kind of like how android permissions 
look, but with more of a management focus.


--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel

Re: Torvalds:requiring root password for mundane things is moronic

2012-02-29 Thread Nikos Roussos
On Wed, Feb 29, 2012 at 3:56 PM, Chris Evich cev...@redhat.com wrote:

 On 02/29/2012 07:46 AM, Mark Bidewell wrote:

 On Wed, Feb 29, 2012 at 7:36 AM, Emanuel Rietveld codehot...@gmail.com wrote:

  On 02/29/2012 01:15 PM, drago01 wrote:

  On Wed, Feb 29, 2012 at 1:02 PM, Neal Becker ndbeck...@gmail.com wrote:

  I think he's got a point

 http://www.osnews.com/story/25659/Torvalds_requiring_root_password_for_mundane_things_is_quot_moronic_quot_
 


 Yeah but last time we tried this in fedora it got flamefested so we
 had to revert.


 Perhaps a solution is adding a group with the needed permissions and make
 it really easy to add an account to that group.

 


 +1 to this.  Many tasks should not require full root permissions to
 execute. Having a set of groups centered around tasks (install printers,
 install software, etc.)  would definitely make this simpler.  This method
 would also arguably be more secure than sudo as processes don't run with
 root permission therefore root privileges cannot be gained by exploiting a
 program.   Another situation where having a group based security would be
 nice is access to privileged ports.  Try running JBoss as a non-root user
 on port 80.



 Another +1 to the groups idea.  It would enable a simple convenience
 feature as well:  When prompting a user for the root password to do
 something the first time, include a check-box to add the user to the proper
 group behind-the-scene (with a warning that user needs to logout/login for
 change to be effective).  Maybe also include a simple management program to
 enable/disable/display allowed functionality for specific users based on
 descriptions (i.e. instead of group name - which may be meaningless to a
 n00b).  Kind of like how android permissions look, but with more of a
 management focus.


Why not add by default the first user created (right after installation
finishes) to administrative group and disable the root account? From my
experience (and the feedback I get from users that reach out to me as an
Ambassador) most users fail to understand why they are asked twice for
passwords during installation and they tend to use the same on both root
and first user password.

Re: Torvalds:requiring root password for mundane things is moronic

2012-02-29 Thread Nathaniel McCallum
On Wed, Feb 29, 2012 at 7:41 AM, Giovanni Campagna 
scampa.giova...@gmail.com wrote:


 PS: it would be useful to have some GUI tool to configure PolicyKit.
 Every time I clean my system I have to dig through dozens of manual
 pages just to get virt-manager without a password for my user.


Actually, I've been hoping that virt-manager would support session://qemu
in the UI for a while now. It seems to work fine once you add it manually
to gconf.

Re: Torvalds:requiring root password for mundane things is moronic

2012-02-29 Thread M A Young

On Wed, 29 Feb 2012, drago01 wrote:


On Wed, Feb 29, 2012 at 1:02 PM, Neal Becker ndbeck...@gmail.com wrote:

I think he's got a point

http://www.osnews.com/story/25659/Torvalds_requiring_root_password_for_mundane_things_is_quot_moronic_quot_


Yeah but last time we tried this in fedora it got flamefested so we
had to revert.


From what I remember permissions were opened up without making it clear 
this was happening and without an easy way of putting them back, which 
made things very difficult if you had good reasons for the permissions 
being locked down. The flamefest was at least in part because things were 
done badly, leading to the "Fedora introduces security holes" type of
headline.


I think the right way to do it is for things to be secure by default, but 
with easy tools to relax security where appropriate (which could include 
options to do this during install).


Michael Young

Re: Torvalds:requiring root password for mundane things is moronic

2012-02-29 Thread David Malcolm
On Wed, 2012-02-29 at 07:02 -0500, Neal Becker wrote:
 I think he's got a point
 
 http://www.osnews.com/story/25659/Torvalds_requiring_root_password_for_mundane_things_is_quot_moronic_quot_


http://fedoraproject.org/wiki/Releases/FeaturePolicyKit
in Fedora 8 onwards, 

It was revamped in Fedora 12:
http://fedoraproject.org/wiki/Features/PolicyKitOne



Re: Torvalds:requiring root password for mundane things is moronic

2012-02-29 Thread Chris Murphy

On Feb 29, 2012, at 5:15 AM, drago01 wrote:

 On Wed, Feb 29, 2012 at 1:02 PM, Neal Becker ndbeck...@gmail.com wrote:
 I think he's got a point
 
 http://www.osnews.com/story/25659/Torvalds_requiring_root_password_for_mundane_things_is_quot_moronic_quot_
 

My example is mDNS being blocked in the Firewall by default *and* it requires a
root password to unblock it. Completely retarded.


Chris Murphy

Re: Torvalds:requiring root password for mundane things is moronic

2012-02-29 Thread Chris Murphy


On Feb 29, 2012, at 7:08 AM, Nikos Roussos wrote:

 Why not add by default the first user created (right after installation 
 finishes) to administrative group and disable the root account? 


This is, in fact, how Apple has done things circa 1999 with Mac OS X. You can 
'su' to root, you can also 'sudo' but you can't literally login as root either 
in text console or GUI, the account is disabled. And the first user is an 
'admin' by default.

Chris Murphy

Re: Torvalds:requiring root password for mundane things is moronic

2012-02-29 Thread Nelson Marques
The original thread on G+

https://plus.google.com/u/0/102150693225130002912/posts/1vyfmNCYpi5

Enjoy.

2012/2/29 David Malcolm dmalc...@redhat.com:
 On Wed, 2012-02-29 at 07:02 -0500, Neal Becker wrote:
 I think he's got a point

 http://www.osnews.com/story/25659/Torvalds_requiring_root_password_for_mundane_things_is_quot_moronic_quot_


 http://fedoraproject.org/wiki/Releases/FeaturePolicyKit
 in Fedora 8 onwards,

 It was revamped in Fedora 12:
 http://fedoraproject.org/wiki/Features/PolicyKitOne





-- 
Nelson Marques
// I've stopped trying to understand sandwiches with a third piece of
bread in the middle...

Re: Torvalds:requiring root password for mundane things is moronic

2012-02-29 Thread Chris Adams
Once upon a time, M A Young m.a.yo...@durham.ac.uk said:
 From what I remember permissions were opened up without making it clear 
 this was happening and without an easy way of putting them back, which 
 made things very difficult if you had good reasons for the permissions 
 being locked down. The flamefest was at least in part because things were 
 done badly, leading to the "Fedora introduces security holes" type of
 headline.

Yes, that was more-or-less what happened.  People realized that the
system time could be changed by any desktop user, and that the time is a
pretty critical thing for security (cron jobs, logging, time-of-day
access, etc.).  The change had not been documented anywhere and was the
default.

 I think the right way to do it is for things to be secure by default, but 
 with easy tools to relax security where appropriate (which could include 
 options to do this during install).

IMHO the defaults in the standard packages should be strict, and then
desktop spins could add additional PK configs to loosen up where desired
(with docs to match).  This would have the added advantages of making it
more obvious what was loosened up as well as giving examples on how to
customize things.

I will agree that some of the defaults are annoying though; somehow my
system (possibly through my own uninformed configuration) prompts me for
passwords three times when trying to add a printer (once to turn off
blocking in the firewall when I'm not even running a firewall, once to
load printer info, and then once to actually add a printer).
-- 
Chris Adams cmad...@hiwaay.net
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

Re: Torvalds:requiring root password for mundane things is moronic

2012-02-29 Thread Neal Becker
Nikos Roussos wrote:

 On Wed, Feb 29, 2012 at 3:56 PM, Chris Evich cev...@redhat.com wrote:
 
 On 02/29/2012 07:46 AM, Mark Bidewell wrote:

 On Wed, Feb 29, 2012 at 7:36 AM, Emanuel Rietveld codehot...@gmail.com wrote:

  On 02/29/2012 01:15 PM, drago01 wrote:

  On Wed, Feb 29, 2012 at 1:02 PM, Neal Becker ndbeck...@gmail.com wrote:

  I think he's got a point

 http://www.osnews.com/story/25659/Torvalds_requiring_root_password_for_mundane_things_is_quot_moronic_quot_
 


 Yeah but last time we tried this in fedora it got flamefested so we
 had to revert.


 Perhaps a solution is adding a group with the needed permissions and make
 it really easy to add an account to that group.

 


 +1 to this.  Many tasks should not require full root permissions to
 execute. Having a set of groups centered around tasks (install printers,
 install software, etc.)  would definitely make this simpler.  This method
 would also arguably be more secure than sudo as processes don't run with
 root permission therefore root privileges cannot be gained by exploiting a
 program.   Another situation where having a group based security would be
 nice is access to privileged ports.  Try running JBoss as a non-root user
 on port 80.



 Another +1 to the groups idea.  It would enable a simple convenience
 feature as well:  When prompting a user for the root password to do
 something the first time, include a check-box to add the user to the proper
 group behind-the-scene (with a warning that user needs to logout/login for
 change to be effective).  Maybe also include a simple management program to
 enable/disable/display allowed functionality for specific users based on
 descriptions (i.e. instead of group name - which may be meaningless to a
 n00b).  Kind of like how android permissions look, but with more of a
 management focus.

 
 Why not add by default the first user created (right after installation
 finishes) to administrative group and disable the root account? From my
 experience (and the feedback I get from users that reach out to me as an
 Ambassador) most users fail to understand why they are asked twice for
 passwords during installation and they tend to use the same on both root
 and first user password.

I don't think it really matters that they use the same password for both.  Only
that some password is asked for to do any admin stuff.  That way, a trojan
can't easily trash your system.


Re: Torvalds:requiring root password for mundane things is moronic

2012-02-29 Thread Scott Doty
On 02/29/2012 08:46 AM, David Malcolm wrote:
 On Wed, 2012-02-29 at 07:02 -0500, Neal Becker wrote:
 I think he's got a point

 http://www.osnews.com/story/25659/Torvalds_requiring_root_password_for_mundane_things_is_quot_moronic_quot_

 http://fedoraproject.org/wiki/Releases/FeaturePolicyKit
 in Fedora 8 onwards, 

 It was revamped in Fedora 12:
 http://fedoraproject.org/wiki/Features/PolicyKitOne


And (on Fedora 16), it still asks for the root password to add a printer.

   http://ponzo.net/PolKit-printer/

 -Scott


Re: Torvalds:requiring root password for mundane things is moronic

2012-02-29 Thread Simo Sorce
On Wed, 2012-02-29 at 10:09 -0700, Chris Murphy wrote:
 On Feb 29, 2012, at 5:15 AM, drago01 wrote:
 
  On Wed, Feb 29, 2012 at 1:02 PM, Neal Becker ndbeck...@gmail.com wrote:
  I think he's got a point
  
  http://www.osnews.com/story/25659/Torvalds_requiring_root_password_for_mundane_things_is_quot_moronic_quot_
  
 
 My example is mDNS being blocked in the Firewall by default *and* it requires
 a root password to unblock it. Completely retarded.

Except that mDNS is a real security issue (because you can hijack name
resolution quite easily with it).

That said I understand your pain and realize the current solution is
not ideal for the casual user. Maybe we should have 2 security profiles
(lax and strict) that you can choose at install time so that people can
choose what they like best.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York


Re: Torvalds:requiring root password for mundane things is moronic

2012-02-29 Thread Chris Murphy


On Feb 29, 2012, at 3:51 PM, Simo Sorce wrote:

 On Wed, 2012-02-29 at 10:09 -0700, Chris Murphy wrote:
 
 My example is mDNS being blocked in the Firewall by default *and* it
 requires a root password to unblock it. Completely retarded.
 
 Except that mDNS is a real security issue (because you can hijack name
 resolution quite easily with it).

Fair enough but then I'd argue mDNS's present method of dealing with hijacking. 
If two clients respond with the same name, it seems that all other clients on 
the network should blacklist both clients rather than trusting the one that 
answers first. Disabling it entirely is the granularity of a large hammer. mDNS 
is still much more useful than not useful, and more useful than statistically 
risky, despite being highly spoofable.

 That said I understand your pain and realize the current solution is
 not ideal for the casual user. Maybe we should have 2 security profiles
 (lax and strict) that you can choose at install time so that people can
 choose what they like best.

I was under the impression F17 was going to have a different firewall, such 
that mDNS was going to be enabled if a service, such as sshd, was enabled and 
also has an Avahi service listing. Or something like that.


Chris Murphy

Re: Torvalds:requiring root password for mundane things is moronic

2012-02-29 Thread Lennart Poettering
On Wed, 29.02.12 17:51, Simo Sorce (s...@redhat.com) wrote:

 On Wed, 2012-02-29 at 10:09 -0700, Chris Murphy wrote:
  On Feb 29, 2012, at 5:15 AM, drago01 wrote:
  
   On Wed, Feb 29, 2012 at 1:02 PM, Neal Becker ndbeck...@gmail.com wrote:
   I think he's got a point
   
   http://www.osnews.com/story/25659/Torvalds_requiring_root_password_for_mundane_things_is_quot_moronic_quot_
   
  
  My example is mDNS being blocked in the Firewall by default *and* it
  requires a root password to unblock it. Completely retarded.
 
 Except that mDNS is a real security issue (because you can hijack name
 resolution quite easily with it).

Can you? How so?

Sure, you can muck with the .local domain, since that's the mDNS domain,
but hey, if you are stupid enough to trust the .local domain in insecure
networks, then it is your own fault, as the suffix .local kinda comes
with this big implied label of HEY! THIS DOMAIN IS RESOLVED FROM DATA
MULTICASTED ON THE LOCAL LINK.

Lennart

-- 
Lennart Poettering - Red Hat, Inc.

Re: Torvalds:requiring root password for mundane things is moronic

2012-02-29 Thread Lennart Poettering
On Wed, 29.02.12 16:08, Chris Murphy (li...@colorremedies.com) wrote:

 
 
 On Feb 29, 2012, at 3:51 PM, Simo Sorce wrote:
 
  On Wed, 2012-02-29 at 10:09 -0700, Chris Murphy wrote:
  
  My example is mDNS being blocked in the Firewall by default *and* it
  requires a root password to unblock it. Completely retarded.
  
  Except that mDNS is a real security issue (because you can hijack name
  resolution quite easily with it).
 
 Fair enough but then I'd argue mDNS's present method of dealing with
 hijacking. If two clients respond with the same name, it seems that
 all other clients on the network should blacklist both clients rather
 than trusting the one that answers first. Disabling it entirely is the
 granularity of a large hammer. mDNS is still much more useful than not
 useful, and more useful than statistically risky, despite being highly
 spoofable.

mDNS is supposed to just work. Zeroconf and stuff. Just going into black
hole mode if somebody has the same name as you is a great way to work
against that. And would open us to DoS anyway.

It's your own fault to believe mDNS was trustable if the network you use
it on isn't trusted.

mDNS is not a secure, nor a reliable protocol. Never has been, never
will be. Use it if you trust your network. If you don't trust your
network, then don't use, and don't resolve names from the .local domain.

mDNS is very much in the same boat as DHCP here. If you are stupid
enough to trust DHCP data that some random server on your network sends
you, then you should be totally fine with mDNS too.

Lennart

-- 
Lennart Poettering - Red Hat, Inc.

Re: Torvalds:requiring root password for mundane things is moronic

2012-02-29 Thread Simo Sorce
On Thu, 2012-03-01 at 00:17 +0100, Lennart Poettering wrote:
 On Wed, 29.02.12 17:51, Simo Sorce (s...@redhat.com) wrote:
 
  On Wed, 2012-02-29 at 10:09 -0700, Chris Murphy wrote:
   On Feb 29, 2012, at 5:15 AM, drago01 wrote:
   
    On Wed, Feb 29, 2012 at 1:02 PM, Neal Becker ndbeck...@gmail.com wrote:
    I think he's got a point
    
    http://www.osnews.com/story/25659/Torvalds_requiring_root_password_for_mundane_things_is_quot_moronic_quot_
    
   
   My example is mDNS being blocked in the Firewall by default *and* it
   requires a root password to unblock it. Completely retarded.
  
  Except that mDNS is a real security issue (because you can hijack name
  resolution quite easily with it).
 
 Can you? How so?
 
 Sure, you can muck with the .local domain, since that's the mDNS domain,
 but hey, if you are stupid enough to trust the .local domain in insecure
 networks, then it is your own fault, as the suffix .local kinda comes
 with this big implied label of HEY! THIS DOMAIN IS RESOLVED FROM DATA
 MULTICASTED ON THE LOCAL LINK.

Yeah unfortunately there are a ton of sites that use the .local suffix
for their local domain for example. Some predate mDNS hijacking of it
for 'untrusted local stuff'.

Also you should really define 'You' here. Because the issue is that mDNS
in Fedora is inserted by default in the hosts database and IIRC before
DNS, so it gets a chance to always reply before a DNS query is made. This
of course makes sense for its uses, why ask the DNS if you know this is
a .local name that the DNS should not know about?

But most applications do not treat random host names in any special way,
so it is hard to cast blame or stupidity on an application developer for
not checking the suffix of the host name they are connecting to.

All that said I am not casting any blame, just saying why disabling it
is not just a stupid idea but has a reason. We may not agree with the
reason or consider it an over-reaction to the threat or whatever other
consideration. That's a separate discussion I think.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
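
The lookup ordering discussed in the message above (mDNS placed ahead of DNS in the hosts database) can be checked by reading the `hosts:` line of nsswitch.conf. This is an added example, not part of the original thread: the function names and both sample lines are constructed for illustration, and the module names are the ones shipped by nss-mdns.

```python
import re

# Module names provided by nss-mdns. The *_minimal variants answer only for
# names ending in .local and for link-local (169.254.x.x) addresses.
MDNS_MODULES = {"mdns", "mdns4", "mdns6",
                "mdns_minimal", "mdns4_minimal", "mdns6_minimal"}

# Constructed sample inputs (assumptions, not copied from any real system).
SAMPLE_MDNS_FIRST = "hosts:      files mdns4_minimal [NOTFOUND=return] dns\n"
SAMPLE_DNS_FIRST = "# local policy\nhosts: files dns mdns4   # mDNS last\n"


def parse_hosts_line(text):
    """Return [(service, actions)] for the hosts database, in lookup order."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line.lower().startswith("hosts:"):
            continue
        entries = []
        # Tokens are service names or bracketed action lists such as
        # [NOTFOUND=return]; an action list binds to the service before it.
        for tok in re.findall(r"\[[^\]]*\]|\S+", line.split(":", 1)[1]):
            if tok.startswith("["):
                if entries:
                    for item in tok[1:-1].split():
                        status, _, action = item.partition("=")
                        entries[-1][1][status.upper()] = action.lower()
            else:
                entries.append((tok, {}))
        return entries
    return []


def audit_hosts(text):
    """Describe every mDNS module on the hosts line relative to 'dns'."""
    entries = parse_hosts_line(text)
    names = [name for name, _ in entries]
    # With no 'dns' entry at all, every module counts as "before DNS".
    dns_pos = names.index("dns") if "dns" in names else len(names)
    findings = []
    for pos, (name, actions) in enumerate(entries):
        if name in MDNS_MODULES:
            findings.append({
                "module": name,
                "before_dns": pos < dns_pos,
                "minimal": name.endswith("_minimal"),
                "stops_on_notfound": actions.get("NOTFOUND") == "return",
            })
    return findings


def describe(finding):
    """Turn one finding into a sentence an administrator can act on."""
    notes = []
    if finding["before_dns"]:
        notes.append("asked before unicast DNS, so names it handles are "
                     "answered from link-local multicast first")
    else:
        notes.append("asked only if unicast DNS returned no answer")
    if finding["stops_on_notfound"]:
        notes.append("[NOTFOUND=return] ends the lookup when it reports "
                     "NOTFOUND, so such names never reach unicast DNS")
    return finding["module"] + ": " + "; ".join(notes)


if __name__ == "__main__":
    for label, sample in (("mDNS first", SAMPLE_MDNS_FIRST),
                          ("DNS first", SAMPLE_DNS_FIRST)):
        for finding in audit_hosts(sample):
            print(label, "->", describe(finding))
```

To audit a real machine, pass the contents of /etc/nsswitch.conf to `audit_hosts`.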


Re: Torvalds:requiring root password for mundane things is moronic

2012-02-29 Thread Giovanni Campagna
On 29 February 2012 23:51, Simo Sorce s...@redhat.com wrote:
 On Wed, 2012-02-29 at 10:09 -0700, Chris Murphy wrote:
 On Feb 29, 2012, at 5:15 AM, drago01 wrote:

  On Wed, Feb 29, 2012 at 1:02 PM, Neal Becker ndbeck...@gmail.com wrote:
  I think he's got a point
 
  http://www.osnews.com/story/25659/Torvalds_requiring_root_password_for_mundane_things_is_quot_moronic_quot_
 

 My example is mDNS being blocked in the Firewall by default *and* it
 requires a root password to unblock it. Completely retarded.

 Except that mDNS is a real security issue (because you can hijack name
 resolution quite easily with it).

Is it really any worse than real DNS spoofing? I mean, it is as easy
to reply fake data to a unicast DNS request, if I'm on the same subnet
(and thus can pretend to be the DNS server).
The same protections should be used, that is DNSSEC and end-to-end
authentication (SSH, TLS). This still leaves the real mdns area
unprotected, but this is to be expected, and it's just a UI issue
(that could be resolved once network zones land).

Just my 2e-2.

Giovanni

Re: Torvalds:requiring root password for mundane things is moronic

2012-02-29 Thread Simo Sorce
On Thu, 2012-03-01 at 00:51 +0100, Giovanni Campagna wrote:
 On 29 February 2012 23:51, Simo Sorce s...@redhat.com wrote:
  On Wed, 2012-02-29 at 10:09 -0700, Chris Murphy wrote:
  On Feb 29, 2012, at 5:15 AM, drago01 wrote:
 
   On Wed, Feb 29, 2012 at 1:02 PM, Neal Becker ndbeck...@gmail.com wrote:
   I think he's got a point
  
   http://www.osnews.com/story/25659/Torvalds_requiring_root_password_for_mundane_things_is_quot_moronic_quot_
  
 
  My example is mDNS being blocked in the Firewall by default *and* it
  requires a root password to unblock it. Completely retarded.
 
  Except that mDNS is a real security issue (because you can hijack name
  resolution quite easily with it).
 
 Is it really any worse than real DNS spoofing? I mean, it is as easy
 to reply fake data to a unicast DNS request, if I'm on the same subnet
 (and thus can pretend to be the DNS server).
 The same protections should be used, that is DNSSEC and end-to-end
 authentication (SSH, TLS). This still leaves the real mdns area
 unprotected, but this is to be expected, and it's just a UI issue
 (that could be resolved once network zones land).

I am a big fan of network zones, it simplifies the concept for naive
users in a way that makes it usable.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York


Re: Torvalds:requiring root password for mundane things is moronic

2012-02-29 Thread Paul Wouters

On Thu, 1 Mar 2012, Giovanni Campagna wrote:


The same protections should be used, that is DNSSEC and end-to-end
authentication (SSH, TLS). This still leaves the real mdns area
unprotected, but this is to be expected, and it's just a UI issue
(that could be resolved once network zones land).


One good use that can be made with DNSSEC is that you can broadcast
your security chain from DNSSEC.

My laptop can announce itself as pwouters.redhat.com. It will announce the
DNS chain from com to redhat.com to pwouters.redhat.com. The other person,
let's say john.foobar.com produces the DNS chain from com to foobar.com
to john.foobar.com. Now each party can, with just the preloaded root
dns key, obtain a cryptographic identity based on a simple identifier
(hostname). We can connect our laptops, or phones, simply by saying
my laptop is pwouters.redhat.com. We could even do this without having
any internet connection, exchange public keys, and setup an IPsec tunnel
between our machines/phones, and only then transfer our personal data.

We only need some people to write and submit an IETF draft for this :)

(AFAIK, people were already working on standardising dnssec blobs for
 use in embedding them in certificates, eg Adam Langley and Dan
 Kaminsky)

Paul