[Novalug] GUI root

Bryan J Smith b.j.smith@ieee.org
Thu May 28 17:48:21 EDT 2015


IPA Server?
Or just SSSD + IPA Client?

I've seen a lot of distros try, and fail, despite a lot of Upstream assist
offers from the projects. A lot of it has to do with the past SSSD and
NSS/389 apathy, or just flat out ignorance.

I.e., it's hard for a distro to get adoption and testing when the users who
have even heard of it often display total apathy to a technology.

Even today, when I talk about AD Forest trusts in IPAv3+, 4 out of 5
alleged Linux experts say, "Oh, I just use Samba," telling me they don't
know jack. And maybe 1 of those 4 will know of Winbindd too, but not
understand the greater issues.

Heck, even AD fundamentals (e.g., DLGs v. Security Groups) aren't well
proliferated, which is where nearly all the complexity comes from.

-- bjs

DISCLAIMER: Sent from phone, please excuse any typos
-- 
Bryan J Smith - Technology Mercenary
b.j.smith@ieee.org - http://linkedin.com/in/bjsmith

On May 28, 2015 5:17 PM, "Derek LaHousse" <dlahouss@mtu.edu> wrote:

> <troll>
> Passwords?  Weren't those hip around... 95?  I prefer to keep my token
> in the kernel keyring, and when escalated privileges are required, I
> go to my ticket-granting server and ask for a user/admin ticket.
> Of course, I protect that exchange with an OTP preauth.  It's easy for
> me, because I use freeIPA (trumpets of fanfare in background)
> </troll>
>
> But for something serious to not make this a totally wasted email:
> freeIPA is in Debian Sid.
>
> And I'd like to plus-one the idea of delegating tasks with sudo, but
> using "su" at home to separate the all-powerful root from day-to-day
> user.
>
> On Thu, May 28, 2015 at 4:33 PM, John Franklin <franklin@elfie.org> wrote:
> > MLS is fine for linear / lightly hierarchical security models (e.g.,
> > classification levels with optional categories), but doesn't map well to
> > most general system administration tasks.  You'd be better off using type
> > enforcement, which is the first MAC policy that SELinux implemented.
> >
> > Sudo is (IMHO) more secure because you can grant or revoke sudo access
> > for individual users on individual machines.  Otherwise, you need to use
> > the same root password on many machines and resetting it becomes very
> > disruptive to an organization larger than two or three admins.
> >
> > Of course, you should NEVER use either, and instead manage everything
> > with chef or puppet.
> >
> > jf
> >
> > On May 28, 2015, at 4:17 PM, Derek LaHousse via Novalug <
> > novalug@firemountain.net> wrote:
> >
> >> For those less versed in the acronyms of computer security, MLS is
> >> Multi-Level Security.
> >> http://en.wikipedia.org/wiki/Multilevel_security
> >>
> >>
> >>
> >> On Thu, May 28, 2015 at 3:36 PM, Bryan J Smith via Novalug
> >> <novalug@firemountain.net> wrote:
> >>> On Thu, May 28, 2015 at 3:33 PM,  <covici@ccs.covici.com> wrote:
> >>>> I wonder, is sudo more of a security risk than using su?  I have
> >>>> always thought that if you use su, you need another password so that is
> >>>> safer.
> >>>
> >>> Again, there are endless debates on this issue in general.
> >>>
> >>> Of course, you can always implement SELinux in MLS mode, for a
> >>> completely "deeper" perspective.  And you can easily lock yourself out
> >>> of your system too!  ;)
> >>>
> >>> -- bjs
> >>> **********************************************************************
> >>> The Novalug mailing list is hosted by firemountain.net.
> >>>
> >>> To unsubscribe or change delivery options:
> >>> http://www.firemountain.net/mailman/listinfo/novalug
> >
> > --
> > John Franklin
> > franklin@elfie.org