[redhat-lspp] LSPP Development Telecon 04/10/2006 Minutes

Steve Grubb sgrubb at redhat.com
Mon Apr 17 14:59:08 UTC 2006


On Monday 17 April 2006 10:39, Russell Coker wrote:
> On Mon, 2006-04-17 at 10:21 -0400, Steve Grubb wrote:
> > On Monday 17 April 2006 09:24, Russell Coker wrote:
> > > However audit administration requires root access, so now it seems to
> > > me that we have a need for three accounts with UID==0, one for sysadm,
> > > one for secadm, and one for auditadm.
> >
> > Accounts or roles ? :)
>
> So far we only have the option of passwords on accounts.

Right...but we could add another database if it's truly needed to solve the 
problem.

> > I think so, but I also wonder if we need another password database for
> > roles. For example, groups can have passwords. There may be situations
> > where we need separate passwords for each of the roles.
>
> So you are suggesting something like the following:
> login: root:staff_r:staff_t - password A.
> newrole -r secadm_r - password B
> newrole -r sysadm_r - password C
> newrole -r auditadm_r - password D
>
> login: root:secadm_r:secadm_t - password B I guess?

Not quite. I'm thinking of logging in as root, which gets the default role 
sysadm_r. Root's password is sufficient for this. Then use newrole to change 
to secadm_r or auditadm_r, which will prompt for a role's password. newrole 
(via pam) will query the role password database.

> Keeping in mind that different login methods (/bin/login, sshd, and gdm)
> can have different sets of permitted roles and different orders for such
> roles there's a lot of potential for confusion.

I think we should keep it simple. Login as root -> default role. Then change 
to what you need with newrole.

> Also this sort of thing would demand poly-instantiated home directories
> (not that it's an inherently bad thing, just something that needs to be
> done).

That should be solved with pam_namespace. We should have another iteration of 
it out in the next day or two.


> Also where would we store such role passwords?  /etc/rshadow?

Possibly. I think we should determine if this is desirable and necessary 
first. I have a feeling it is, but Klaus is a better judge of that.

-Steve
