[redhat-lspp] LSPP Development Telecon 04/10/2006 Minutes

Stephen John Smoogen smooge at gmail.com
Mon Apr 17 15:08:46 UTC 2006


On 4/17/06, Steve Grubb <sgrubb at redhat.com> wrote:
> On Monday 17 April 2006 10:39, Russell Coker wrote:
> > On Mon, 2006-04-17 at 10:21 -0400, Steve Grubb wrote:
> > > On Monday 17 April 2006 09:24, Russell Coker wrote:
> > > > However audit administration requires root access, so now it seems to
> > > > me that we have a need for three accounts with UID==0, one for sysadm,
> > > > one for secadm, and one for auditadm.
> > >
> > > Accounts or roles ? :)
> >
> > So far we only have the option of passwords on accounts.
>
> Right...but we could add another database if it's truly needed to solve the
> problem.
>
> > > I think so, but I also wonder if we need another password database for
> > > roles. For example, groups can have passwords. There may be situations
> > > where we need separate passwords for each of the roles.
> >
> > So you are suggesting something like the following:
> > login: root:staff_r:staff_t - password A.
> > newrole -r secadm_r - password B
> > newrole -r sysadm_r - password C
> > newrole -r auditadm_r - password D
> >
> > login: root:secadm_r:secadm_t - password B I guess?
>
> Not quite. I'm thinking of logging in as root, which gets the default role
> sysadm_r. root's password is sufficient for this. Then use newrole to change
> to secadm_r or auditadm_r, which will prompt for a role's password. newrole
> (via pam) will query the role password database.
>

In the case of remote administration, where logging in as root may be
prohibited (and usage of 2-factor authentication is wanted), would the
process be something like this?

login as user
  equivalent of sudo to root [the ever popular sudo /bin/bash]
  newrole to secadm_r with new passwd?

or something like

login as user
  sudo -r secadm_r /bin/bash [with 2 password prompts, one for the
root user, and the second for the role?]


--
Stephen J Smoogen.
CSIRT/Linux System Administrator