
List:       kde-usability
Subject:    Some thoughts upon system "security"
From:       Luke Sandell <sandell () freeshell ! org>
Date:       2004-01-07 16:28:33
Message-ID: 200401071128.33078.sandell () freeshell ! org

I am making this post, albeit somewhat off-topic, because of some observations 
I've made of the relationship between the GNU/Linux security model and the 
issues recently discussed on this list, especially dealing with KControl.  
Here is one example:

On Sunday 04 January 2004 10:21 am, William Leese wrote:
> - Some KCM's in System Administration need to be moved into other
> categories, simply because a user expects to be able to change them at a
> certain location and doesn't care about whether they need root or not.

The original reason, in my estimation, for having things like a "System 
Administration" category is that certain basic tasks pedantically insist on 
requiring root access.  While it is good and noble to require root access 
to change the time and date on server systems, and also network-managed 
systems, this is simply not practical on a home desktop.  That is why I am 
proposing discussing giving more privileges to the user. 

Since it would be _impossible_ to actually change the existing security model 
of UNIX, what may be useful in the short-run is to create a _daemon_ that 
runs as root, which can be invoked by KDE and other desktops, which provides 
services to users who belong to a certain group(s) (IP admins, users) to 
change some settings normally reserved for root. What privileges they are 
given should be determined by what group they are in.

When the user is forced to input his/her password to do basic tasks like 
changing the time or adding / removing software, it actually _decreases_ the 
amount of security in the following ways:

1. Users who may not even need a password to *log in* need to know the root 
password to do basic administration tasks. This means that they are more 
likely to do damage to the system.

2. Having a system frequently request the root password causes more 
opportunities for Trojan Horses to obtain that password and do damage to the 
system.

Therefore, for starters I propose that the following tasks be available, to at 
least _some_ nonroot users:

1. Adding / removing software via an established method, such as RPM.
2. Adding / removing a printer.
3. Changing the system time and date.
4. Adding / configuring hardware??
5. Adding / removing fonts.
6. Shutting down the system without KDM.
7. Adding / removing groups and users.

How would one prevent malicious programs from running with these privileges? By 
only allowing programs running with a certain uid/gid to be able to 
access the daemon.  These programs could only be run by the users in the 
admin group, and they would be run setuid/gid.  The program should have a 
notice so the user knows it is an administrative program.  Also, these 
programs should not be accessible via the command line, dcop, d-bus, or any 
other automated system.

Note that this is just one solution. Not everybody would have to subscribe to 
it.

Please tell me what your take on this is.

Sincerely,
Luke Sandell
_______________________________________________
kde-usability mailing list
kde-usability@mail.kde.org
https://mail.kde.org/mailman/listinfo/kde-usability
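The root daemon the post sketches (a helper that performs a fixed set of administrative operations for callers in particular groups, and that restricts access by the caller's uid/gid) can be illustrated in code. The following is an added example, not code from the post or from KDE: a Linux helper listening on a Unix socket that identifies the caller through the kernel-reported peer credentials (SO_PEERCRED) rather than through any password, resolves the caller's groups from the system databases, and answers from a fixed policy table. The group names, operation names, socket path and JSON request format are all assumptions made for the example; the operations themselves are left unimplemented.

```python
"""Privileged helper daemon sketch: grants specific admin operations by group
membership. Constructed example; POLICY, operation names and the socket path
are assumptions, not anything the mailing-list post specifies."""
import grp
import json
import logging
import os
import pwd
import socket
import struct

log = logging.getLogger("admin-helper")

# Which group entitles a caller to which operation (constructed policy table).
# Anything not listed here is refused, so the daemon never becomes a generic
# "run this as root" service.
POLICY = {
    "set_time":    {"timeadmin", "sysadmin"},
    "add_printer": {"lpadmin", "sysadmin"},
    "shutdown":    {"sysadmin"},
}


def groups_of(uid):
    """Primary plus supplementary group names for uid, from passwd/group."""
    pw = pwd.getpwuid(uid)
    names = {grp.getgrgid(pw.pw_gid).gr_name}
    names.update(g.gr_name for g in grp.getgrall() if pw.pw_name in g.gr_mem)
    return names


def authorize(operation, caller_groups):
    """True only if the operation is known and the caller is in an allowed
    group. Unknown operations are denied rather than passed through."""
    allowed = POLICY.get(operation)
    return allowed is not None and bool(allowed & set(caller_groups))


def peer_credentials(conn):
    """(pid, uid, gid) of the process at the other end of a Unix-domain socket,
    as reported by the kernel (Linux SO_PEERCRED); the client cannot forge it."""
    data = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                           struct.calcsize("3i"))
    return struct.unpack("3i", data)


def handle_request(raw, uid, caller_groups):
    """Parse one JSON request line and decide on it; returns the reply dict.
    Performing the operation is left out (stub); denials are logged."""
    try:
        req = json.loads(raw)
        op = req["op"]
    except (ValueError, KeyError, TypeError):
        return {"ok": False, "error": "malformed request"}
    if not authorize(op, caller_groups):
        log.warning("denied %s for uid %d (groups %s)",
                    op, uid, sorted(caller_groups))
        return {"ok": False, "error": "not permitted"}
    log.info("granted %s for uid %d", op, uid)
    return {"ok": True, "op": op}


def serve(path="/run/admin-helper.sock"):
    """Run as root: accept connections and answer one request per connection."""
    if os.path.exists(path):
        os.unlink(path)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    os.chmod(path, 0o660)  # socket reachable only by its owner and group
    srv.listen(5)
    while True:
        conn, _ = srv.accept()
        with conn:
            _pid, uid, _gid = peer_credentials(conn)
            raw = conn.makefile("rb").readline().decode()
            reply = handle_request(raw, uid, groups_of(uid))
            conn.sendall((json.dumps(reply) + "\n").encode())


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    serve()
```

Two design choices carry the post's argument: the caller never types a password (the kernel tells the daemon who is connecting, which removes the prompt a Trojan horse could imitate), and the daemon only knows a closed list of operations, so membership in "lpadmin" buys exactly printer management and nothing else. Every refusal is logged with the uid and its groups, which is what an administrator would want to see when a misbehaving program starts asking for things it should not.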