[redhat-lspp] LSPP Development Telecon 04/10/2006 Minutes
Chad Hanson
chanson at TrustedCS.com
Mon Apr 17 15:06:41 UTC 2006
Another thing to remember is that for a certified configuration, no one ever
logs in directly as root. The scenario is closer to below:
Log in as admin user -> newrole to desired role, su to root as needed
-Chad
> -----Original Message-----
> From: Steve Grubb [mailto:sgrubb at redhat.com]
> Sent: Monday, April 17, 2006 9:59 AM
> To: redhat-lspp at redhat.com
> Cc: Debora Velarde; Russell Coker
> Subject: Re: [redhat-lspp] LSPP Development Telecon 04/10/2006 Minutes
>
>
> On Monday 17 April 2006 10:39, Russell Coker wrote:
> > On Mon, 2006-04-17 at 10:21 -0400, Steve Grubb wrote:
> > > On Monday 17 April 2006 09:24, Russell Coker wrote:
> > > > However audit administration requires root access, so now it seems to
> > > > me that we have a need for three accounts with UID==0, one for sysadm,
> > > > one for secadm, and one for auditadm.
> > >
> > > Accounts or roles ? :)
> >
> > So far we only have the option of passwords on accounts.
>
> Right...but we could add another database if it's truly needed to solve the
> problem.
>
> > > I think so, but I also wonder if we need another password database for
> > > roles. For example, groups can have passwords. There may be situations
> > > where we need separate passwords for each of the roles.
> >
> > So you are suggesting something like the following:
> > login: root:staff_r:staff_t - password A.
> > newrole -r secadm_r - password B
> > newrole -r sysadm_r - password C
> > newrole -r auditadm_r - password D
> >
> > login: root:secadm_r:secadm_t - password B I guess?
>
> Not quite. I'm thinking of logging in as root which gets the default role
> sysadm_r. root's password is sufficient for this. Then use newrole to change
> to secadm_r or auditadm_r, which will prompt for a role's password. newrole
> (via pam) will query the role password database.
>
> > Keeping in mind that different login methods (/bin/login, sshd, and gdm)
> > can have different sets of permitted roles and different orders for such
> > roles there's a lot of potential for confusion.
>
> I think we should keep it simple. Login as root -> default role. Then change
> to what you need with newrole.
>
> > Also this sort of thing would demand poly-instantiated home directories
> > (not that it's an inherently bad thing, just something that needs to be
> > done).
>
> That should be solved with pam_namespace. We should have another iteration of
> it out in the next day or two.
>
>
> > Also where would we store such role passwords? /etc/rshadow?
>
> Possibly. I think we should determine if this is desirable and necessary
> first. I have a feeling it is, but Klaus is a better judge of that.
>
> -Steve
>
> --
> redhat-lspp mailing list
> redhat-lspp at redhat.com
> https://www.redhat.com/mailman/listinfo/redhat-lspp
>
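The mechanism Steve sketches in the quoted reply (log in to the default role sysadm_r with root's password, then have a newrole-style step consult a separate per-role password database before switching to secadm_r or auditadm_r) is modelled below as an added Python example. It is not code from this thread, from Fedora's newrole, or from any PAM module; the in-memory role database standing in for the speculative /etc/rshadow, the permitted-transition table, the constructed sample passwords (named after the labels in Russell's sketch) and the audit-record strings are all assumptions made for the illustration.

```python
"""Model of a role-password check consulted before a role transition.

Constructed illustration of the design discussed on the list: the role
passwords live in their own database (here a dict standing in for the
hypothetical /etc/rshadow), so knowing root's password does not by itself
unlock secadm_r or auditadm_r, and every attempt is recorded for audit.
"""
import hashlib
import hmac
import os
from typing import Optional

# Which role transitions newrole may offer from a given current role.
# Assumption: login lands in sysadm_r (Steve's model); the other two
# administrative roles are reached only via newrole.
ALLOWED_TRANSITIONS = {
    "sysadm_r": {"secadm_r", "auditadm_r"},
}


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash so the stored value is not the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_role_entry(password: str) -> tuple[bytes, bytes]:
    """Create a (salt, hash) entry for the role password database."""
    salt = os.urandom(16)
    return salt, _hash_password(password, salt)


# Constructed sample contents of the hypothetical role password database.
# sysadm_r has no entry: it is the default role, covered by root's password.
ROLE_DB = {
    "secadm_r": make_role_entry("password-B"),
    "auditadm_r": make_role_entry("password-D"),
}

# Records of every transition attempt, granted or denied (constructed format).
AUDIT_LOG: list[str] = []


def newrole(current_role: str, target_role: str, supplied: str) -> Optional[str]:
    """Return target_role if the transition is permitted and the supplied
    role password matches the database; return None otherwise."""
    if target_role not in ALLOWED_TRANSITIONS.get(current_role, set()):
        AUDIT_LOG.append(f"role_change denied {current_role}->{target_role}: not permitted")
        return None
    entry = ROLE_DB.get(target_role)
    if entry is None:
        AUDIT_LOG.append(f"role_change denied {current_role}->{target_role}: no role password")
        return None
    salt, stored = entry
    # Constant-time comparison of the freshly derived hash against the stored one.
    if not hmac.compare_digest(_hash_password(supplied, salt), stored):
        AUDIT_LOG.append(f"role_change denied {current_role}->{target_role}: bad password")
        return None
    AUDIT_LOG.append(f"role_change granted {current_role}->{target_role}")
    return target_role


if __name__ == "__main__":
    print(newrole("sysadm_r", "secadm_r", "password-B"))   # secadm_r
    print(newrole("sysadm_r", "secadm_r", "password-A"))   # None: root's password is not the role's
    print(newrole("secadm_r", "auditadm_r", "password-D")) # None: not a permitted transition
    print("\n".join(AUDIT_LOG))
```

The point the model makes concrete is the separation Russell and Steve are circling: the per-role secret is checked against its own store, a transition is only offered from the roles listed for it, and the audit trail captures denials as well as grants, which is what an auditadm_r would want to review.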