[Freedombox-discuss] Dev: Granting Users Service Access?
Hi folks, did we ever arrive at a consensus on a general solution to the
user-level password storage/accounts (see the "Kerberos and remctl"
discussion in September)? I'm looking into a similar question: how do
we safely grant different users access to multiple services on the box?
Please let me know if I'm missing some basic information or
understanding here, and I'll get back to researching. I'm worried that
I might be conflating two different, independent, concerns here.
There are two basic approaches, both of which seem to have their

1. Keep user accounts separate for each service, let each service handle
   logins and user accounts. For example, if I hosted an XMPP and Wiki
   service on my box, users would have separate logins for each of

   This is bad because it duplicates logins and asks each service to
   handle logins on its own. If you're running five services on your
   box, chances are good that at least one of them is putting your login
   information at risk.

   This is good because it keeps your service-level login separate from
   the system-level login. Specific user accounts can't put the system
   at risk because they don't exist in the system.

2. Tie service logins into the system-level logins. For example, if I
   hosted an XMPP and Wiki service on my box, users would also have a
   system (shell) level login that each service looked to for

   This is bad because it hands malicious users a shell-level account.
   We could attempt to close that hole with the nologin shell, but it
   still feels dangerous. It also requires us to use services that can
   pass authentication off to other login services (see LDAP).

   This is good because it means users will have only a single
   password/authentication mechanism to guard. This increases system
   security by helping protect users from themselves. This also gives
   us a single point to modify and update authentication methods in the
As far as I see it, those are our trade-offs: put the user at risk (1)
through foolish service configuration or put the system at risk (2) to
malicious users. I'm leaning more toward option 2 because it *prevents
individual users from engaging in bad password management practices,* but
I'd like to hear if somebody has already thought this through.
This came up because I *really* want to get password storage out of
Plinth. It's fine that it's there now, but it should probably be
removed by 1.0.
(Yay bus rides. Lots of thinking time.)
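An added example, not part of this thread or of FreedomBox/Plinth: the approach-2 worry above is that service users end up with a real shell, and the proposed mitigation is the nologin shell. This script audits a constructed passwd excerpt (nothing is read from disk) and reports regular accounts that would still get an interactive shell; the uid cutoff of 1000 and the set of nologin shells are assumptions.

```python
# Added example (not from the thread): check that accounts created only for
# service logins cannot obtain an interactive shell. Input is a constructed
# /etc/passwd excerpt embedded below; nothing is read from the running system.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_passwd(text):
    """Parse passwd(5)-format lines into dicts; skips blank and comment lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, _pw, uid, gid, gecos, home, shell = fields
        entries.append({"name": name, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell})
    return entries


def shell_capable(entries, uid_min=1000):
    """Names of regular users (uid >= uid_min, an assumed cutoff) whose login
    shell is interactive, i.e. not one of NOLOGIN_SHELLS. An empty shell
    field is treated as interactive because login(1) then falls back to /bin/sh."""
    return sorted(e["name"] for e in entries
                  if e["uid"] >= uid_min and e["shell"] not in NOLOGIN_SHELLS)


# Constructed sample: bob is a service-only user set up the "safe" way,
# alice has a normal shell, carol has an empty shell field by mistake.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob (xmpp+wiki only):/home/bob:/usr/sbin/nologin
carol:x:1002:1002:Carol:/home/carol:
"""

if __name__ == "__main__":
    for name in shell_capable(parse_passwd(SAMPLE_PASSWD)):
        print(f"{name}: interactive shell; consider /usr/sbin/nologin")
```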