root password considered harmful, and other security policies. (was Re: Torvalds:requiring root password for mundane things is moronic

Scott Doty scott at ponzo.net
Wed Mar 7 19:05:26 UTC 2012


On 03/05/2012 07:13 AM, Scott Doty wrote:
> On 03/02/2012 04:16 AM, Tim Waugh wrote:
>> Yes, it's a policy.
>>
>> Also see this bug which I filed nearly two years ago on just this
>> subject:
>>    https://bugzilla.redhat.com/show_bug.cgi?id=596711
>>
>> Tim.
>> */
>>
>
> New bug report filed:  "security policy: root password needed when it
> shouldn't be".
>
>    https://bugzilla.redhat.com/show_bug.cgi?id=799988
>

/etc/polkit-1/localauthority.conf.d/60-desktop-policy.conf

Regarding this situation: turns out that if system-config-printer
doesn't establish proper contact with cups-pk-helper, it will fall back
to a mode that pops up the root password dialogue.  In one case, this
was an SELinux issue, where the root dialogue would show up until
setenforce 0.  In my case here:

   http://ponzo.net/PolKit-printer/

I didn't have SELinux enabled, but I suspect foul play from the
firewall.  (I haven't had a chance to birddog this any further, as I'm
recovering from the worst cold I've ever had in my life -- energy has
been waxing and waning.)

But regarding the security _policy_ for adding the networked printer: 
it is fine.  When everything is working as it is supposed to, and the
user is in the "wheel" group, there is no query for the root password. 
It was subtle bugs in the implementation that we were up against.

 * * *

There is another matter -- regarding Fedora security policy itself. 
There doesn't seem to be one except an implicit BCP, as implemented in
each package.  If anything, a policy document would have helped in this
case, because the upstream for cups-pk-helper had said that this was a
Fedora policy issue...it would have been handy to visit a policy
document and see that folks in the "wheel" group should be able to add
printers without root authentication.

Additionally, it would have been helpful to know that the system had
been tested, and worked, as stated in the policy.  There was some
confusion about whether or not asking for the root password was a
limitation in the implementation.  (As it turns out, the system was
falling back to a mode that required the root password, after failing to
carry out the policy via cups-pk-helper.)

The FESCo ticket that was opened on my behalf was based on the idea that
we were confronting a policy decision, not bugs -- and the idea was to
have "whomever reviews security policy" do a review of these password
dialogues to see if any could be eliminated, esp. the root password
dialogue that kicked off this issue.  There is a "Privilege escalation
policy" that can be found here:

   http://fedoraproject.org/wiki/Privilege_escalation_policy

This names the qa group as the group to check implementations of policy
-- and names the Fedora Steering Committee as the group to review new
privilege escalation policies.

If there is no objection, I'd like to ask if someone could close
https://fedorahosted.org/fesco/ticket/816 .  Another ticket can be
spawned if there is consensus that change in security policy review is
needed.

A hearty "thank you" to everybody who helped. :)

 -Scott
