
List:       opensolaris-security-discuss
Subject:    Re: [security-discuss] [desktop-discuss] requirement for
From:       Brian Cameron <Brian.Cameron () Sun ! COM>
Date:       2007-08-18 3:10:21
Message-ID: 46C70625.6010800 () sun ! com


Glenn:

>> - I need to know how to log in as root and configure RBAC first?  Or
>>   is there some fancy RBAC editor that makes editing RBAC easy?
>>   There is a chicken-and-egg thing.  How do we make editing RBAC
>>   easy when you need privilege to edit the RBAC configuration files?
> 
> The JDS Users and Groups tool has this functionality. Select a user, 
> click Properties, then pick the User privileges tab. Select "Maintenance 
> and Repair" and the relevant authorizations are assigned to the user. By 
> the way, the term "privileges" is not used correctly in this tab. It 
> should be "Rights".

How would the newbie user know that this is what they need to do in
order to be able to configure their system?  Perhaps programs like
gnome-system-tools should pop up a dialog and explain to users that
they need to set up their RBAC configuration before gnome-system-tools
becomes useful, and explain keys like "Maintenance and Repair".  Or
do we think that users will learn about RBAC in some other way?

> The SMC is the official tool for managing RBAC and provides GUIs for 
> essentially all operations. The GUIs themselves require authorization, 
> so the SMC supports delegation of authorizations and rights. Of course, 
> I realize people don't want to use the SMC, but it is the GUI which is 
> evaluated in our Common Criteria certifications.

I am glad to hear that we do have some GUI solution with SMC.  I do think
that we need to spend more time looking at the usability of this.
Setting up and configuring a system in a way that makes effective use
of RBAC should be as simple, clear, and straightforward as possible.  I
am not sure that we are there yet.

>> - Because I'm the console user I just have permissions?
> If you don't want to use RBAC, you can just consider console ownership 
> to be an implicit authorization. But, as Darren stated, that isn't 
> appropriate in all cases. Consider a kiosk, for example. Why should the 
> guest account be able to shut down the system?

I'm a bit confused.  If RBAC can be configured, why can't a "Console"
role be created and this role can be configured to allow shutdown or
not, as appropriate?  You seem to be suggesting that console ownership
as an implicit authorization could only be managed outside of RBAC.

>> - I am prompted for a root/role password to get permissions temporarily.
> Take a closer look at Trusted JDS. This is now part of Solaris, and the 
> RBAC features could be enabled in Solaris without depending on labeling. 
> We have a Trusted Path for changing passwords and assuming roles. The 
> role could be assigned the Maintenance and Repair right profile, instead 
> of the normal user. Roles get their own JDS workspaces.
> 
> FYI, if you choose to ignore TX, you will probably get a P1 bug assigned 
> to you to fix whatever damage you cause.

Note that some tools in the JDS stack use gksu, which does ask for root
password today in order to do various configuration settings.  I'm
guessing this sort of functionality is disabled in a TX environment?
But Solaris already does have some solutions in place that work this way.

This "ask for password" solution has some appeal since this is how things
work currently in MacOS, Linux, etc.  Therefore, many end users are familiar
with this approach to gaining privilege to do configuration changes.

That said, I do think the RBAC approach is more secure and better
designed.  However, it does seem to be lacking in some areas.  How does
the new user know how to set up RBAC or even that they need to?  Do
the GUIs we provide for editing RBAC have common use-cases in
mind?  For example, if I run the SMC RBAC editor, then do I see a
simple "I am a single user on a laptop and I want a reasonable set
of privileges for the kind of use I am" button (along with other
common use cases)?

If not, then how would the user know which privileges to set up to be
able to do basic system configuration tasks, or really understand
what checking "Maintenance and Repair" does?

>> Perhaps the right answer is case-by-case.  I think some permissions
>> such as shutdown make sense for any console user, at least as a default
>> that can be changed if people don't want console users to have this
>> authority.
>>
>> However, Solaris should have some strategy for allowing normal desktop
>> users the ability to manage their systems without needing to know how
>> to modify RBAC ASCII files.  No?  Ideas?
>
> The JDS Users and Groups tool is barely adequate. SMC is part of 
> Solaris. At the very least it should be studied for its current 
> usability. It is actually quite good, but it is not maintained very well.

I agree.  I think Solaris would really benefit from some usability
attention with an eye towards providing solutions towards common use
cases.

We can also think about how we could make configuring RBAC more simple
for various tools.  Does it make sense to have a Console role?  We've
talked about this some, and there seems to be some debate.  Also, should
we add some new roles to make it easier to turn on features needed by
certain programs, like gnome-system-tools?  This way a user would only
need to check one role rather than 4 to enable the various features
that this tool needs.

Brian

_______________________________________________
security-discuss mailing list
security-discuss@opensolaris.org
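Added example, not code from this thread or from Solaris: a small Python resolver for user_attr(4)/prof_attr(4)-style RBAC entries, showing how a rights profile that nests other profiles (the "Desktop Config" profile, the sample entries and the authorization names under each profile are assumed/constructed) gives a user the union of their authorizations through a single assignment, as the last paragraph proposes.

```python
# Added example (not from the thread): resolve the authorizations a Solaris
# RBAC user ends up with from user_attr(4)/prof_attr(4)-style entries.
# Entries and the auth names under each profile are constructed samples.

USER_ATTR = """\
alice::::type=normal;profiles=Maintenance and Repair
bob::::type=normal;profiles=Desktop Config
"""

# "Desktop Config" is hypothetical: one profile nesting those a desktop tool needs.
PROF_ATTR = """\
Maintenance and Repair:::Maintain and repair a system:auths=solaris.system.shutdown
Printer Management:::Manage printers:auths=solaris.print.*
Network Config:::Configure network interfaces:auths=solaris.network.config
Desktop Config:::Rights for desktop tools:profiles=Maintenance and Repair,Printer Management,Network Config
"""

def load_db(text):
    """Map field 0 (name) to field 4 parsed as {key: [values]} (k=v;k=v, ',' lists)."""
    entries = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        attrs = {}
        for pair in fields[4].split(";"):
            key, _, value = pair.partition("=")
            if key:
                attrs[key] = [v for v in value.split(",") if v]
        entries[fields[0]] = attrs
    return entries

def effective_rights(user, users, profiles):
    """Walk the user's profiles, nested ones included; return (profiles, auths)."""
    visited, auths = set(), set()
    todo = list(users.get(user, {}).get("profiles", []))
    while todo:
        name = todo.pop()
        if name in visited or name not in profiles:
            continue  # guards against loops and dangling profile references
        visited.add(name)
        auths.update(profiles[name].get("auths", []))
        todo.extend(profiles[name].get("profiles", []))
    return visited, auths

def has_auth(user, wanted, users, profiles):
    """True if a granted auth matches exactly or via a trailing '*' wildcard."""
    _, auths = effective_rights(user, users, profiles)
    return any(a == wanted or (a.endswith("*") and wanted.startswith(a[:-1]))
               for a in auths)
```

Run `effective_rights("bob", load_db(USER_ATTR), load_db(PROF_ATTR))` to see that bob, holding only "Desktop Config", ends up with every authorization of the three nested profiles.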