[redhat-lspp] LSPP Development Telecon 04/10/2006 Minutes

Chad Hanson chanson at TrustedCS.com
Mon Apr 17 15:06:41 UTC 2006


Another thing to remember is that for a certified configuration, no one ever
logs in directly as root. The scenario is closer to below:

Log in as admin user -> newrole to desired role, su to root as needed

-Chad

> -----Original Message-----
> From: Steve Grubb [mailto:sgrubb at redhat.com]
> Sent: Monday, April 17, 2006 9:59 AM
> To: redhat-lspp at redhat.com
> Cc: Debora Velarde; Russell Coker
> Subject: Re: [redhat-lspp] LSPP Development Telecon 04/10/2006 Minutes
> 
> 
> On Monday 17 April 2006 10:39, Russell Coker wrote:
> > On Mon, 2006-04-17 at 10:21 -0400, Steve Grubb wrote:
> > > On Monday 17 April 2006 09:24, Russell Coker wrote:
> > > > However audit administration requires root access, so now it seems to
> > > > me that we have a need for three accounts with UID==0, one for sysadm,
> > > > one for secadm, and one for auditadm.
> > >
> > > Accounts or roles ? :)
> >
> > So far we only have the option of passwords on accounts.
> 
> Right...but we could add another database if it's truly needed to solve the
> problem.
> 
> > > I think so, but I also wonder if we need another password database for
> > > roles. For example, groups can have passwords. There may be situations
> > > where we need separate passwords for each of the roles.
> >
> > So you are suggesting something like the following:
> > login: root:staff_r:staff_t - password A.
> > newrole -r secadm_r - password B
> > newrole -r sysadm_r - password C
> > newrole -r auditadm_r - password D
> >
> > login: root:secadm_r:secadm_t - password B I guess?
> 
> Not quite. I'm thinking of logging in as root which gets the default role
> sysadm_r. root's password is sufficient for this. Then use newrole to change
> to secadm_r or auditadm_r, which will prompt for a role's password. newrole
> (via pam) will query the role password database.
> 
> > Keeping in mind that different login methods (/bin/login, sshd, and gdm)
> > can have different sets of permitted roles and different orders for such
> > roles there's a lot of potential for confusion.
> 
> I think we should keep it simple. Login as root -> default role. Then change
> to what you need with newrole.
> 
> > Also this sort of thing would demand poly-instantiated home directories
> > (not that it's an inherently bad thing, just something that needs to be
> > done).
> 
> That should be solved with pam_namespace. We should have another iteration of
> it out in the next day or two.
> 
> 
> > Also where would we store such role passwords?  /etc/rshadow?
> 
> Possibly. I think we should determine if this is desirable and necessary
> first. I have a feeling it is, but Klaus is a better judge of that.
> 
> -Steve
> 
> --
> redhat-lspp mailing list
> redhat-lspp at redhat.com
> https://www.redhat.com/mailman/listinfo/redhat-lspp
> 
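The scheme Steve sketches above (login on root's own password yields only the default role; newrole, through PAM, checks a separate per-role password before granting secadm_r or auditadm_r) as an added model in Python. This is example code written for this page, not code from the LSPP project, newrole or PAM. Assumptions: the line format of the floated /etc/rshadow file (role:salt$pbkdf2-sha256 digest), the use of PBKDF2 for the stored secret, and the helper names parse_rshadow, verify_role_password, login_role and newrole are all invented here; the sample database is constructed.

```python
# Added example, not code from the thread: a model of the scheme Steve
# describes, where login grants the default role on root's own password and
# newrole (through PAM) checks a separate per-role password database.
# The /etc/rshadow line format below (role:salt$hash) is an assumption; the
# thread only floats the file name.
import hashlib
import hmac
from typing import Dict, Optional, Tuple

ITERATIONS = 100_000
DEFAULT_ROLE = "sysadm_r"   # the role root gets at login, per Steve's message


def _entry(role: str, password: str, salt: bytes) -> str:
    """Build one rshadow-style line for the constructed sample database."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{role}:{salt.hex()}${digest.hex()}"


# Constructed sample data with a fixed salt so the example is reproducible.
# Only the non-default roles carry a role password; sysadm_r comes from login.
_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
SAMPLE_RSHADOW = "\n".join([
    "# role:salt$pbkdf2-sha256 (assumed format, not from the thread)",
    _entry("secadm_r", "password-B", _SALT),
    _entry("auditadm_r", "password-D", _SALT),
])


def parse_rshadow(text: str) -> Dict[str, Tuple[bytes, bytes]]:
    """Parse the assumed rshadow format into {role: (salt, digest)}."""
    db: Dict[str, Tuple[bytes, bytes]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        role, sep, secret = line.partition(":")
        salt_hex, sep2, digest_hex = secret.partition("$")
        if not (role and sep and sep2 and salt_hex and digest_hex):
            raise ValueError(f"rshadow line {lineno}: malformed entry")
        db[role] = (bytes.fromhex(salt_hex), bytes.fromhex(digest_hex))
    return db


def verify_role_password(db: Dict[str, Tuple[bytes, bytes]],
                         role: str, password: str) -> bool:
    """Constant-time comparison of the offered password against the role entry."""
    if role not in db:
        return False
    salt, expected = db[role]
    got = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(got, expected)


def login_role(account_password_ok: bool) -> Optional[str]:
    """Login: root's own password (checked elsewhere) yields only the default role."""
    return DEFAULT_ROLE if account_password_ok else None


def newrole(db: Dict[str, Tuple[bytes, bytes]], current_role: Optional[str],
            requested_role: str, password: Optional[str]) -> Optional[str]:
    """Model of newrole: return the new role, or None if the change is refused.

    Moving back to the default role needs no role password; every other role
    must exist in the database and the caller must present that role's password.
    """
    if current_role is None:
        return None                       # nobody is logged in
    if requested_role == DEFAULT_ROLE:
        return DEFAULT_ROLE
    if password is None or not verify_role_password(db, requested_role, password):
        return None                       # wrong password or unknown role
    return requested_role


if __name__ == "__main__":
    db = parse_rshadow(SAMPLE_RSHADOW)
    role = login_role(True)
    print("after login:", role)
    print("newrole secadm_r with password-B:",
          newrole(db, role, "secadm_r", "password-B"))
    print("newrole auditadm_r with the secadm password:",
          newrole(db, role, "auditadm_r", "password-B"))
```

The point the model makes concrete is the one Russell raises: with per-role passwords, compromise of root's account password alone reaches only the default role, and each further role is gated by its own secret and its own database entry, which is also where an auditable refusal (unknown role, wrong password) would be logged.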



