
Re: root login



On Sun, Apr 27, 2003 at 11:10:48PM +1000, Jeff Waugh wrote:
> <quote who="Sven Luther">
> 
> > No, i think your first understanding was right, what i think is that the
> > root-needing apps in gnome should be able to work as user (for the allowed
> > users or something) if you are going to forbid using gnome as root.
> 
> The issues are entirely separate. We need a permissions-granting mechanism
> regardless of the status of the GDM option.

Ok, it would be used for package management systems and such, too.

But that said, aren't the unix groups exactly such a permission-granting
system?

shutdown would not work this way though: even if you give it group
execution permission and make the user a member of that group, it still
checks for root. Making it suid root makes it happy, but this could cause
security problems. I don't even know if gnome logout uses shutdown for
shutting down.

Mmm, if it uses shutdown, and tests for root access before calling it,
then a solution would be to check for shutdown execution right instead.

But as you said, this is no solution.

> > > No, not really. This is not a general solution. Lots of people don't
> > > have sudo installed, let alone use it, let alone know how it works. Is
> > > there even a reasonable sudo *configurator* GUI? Can't find anything in
> > > Debian, which for all intents and purposes means "no". :-)
> > 
> > Ok, i understand that it is not the right solution, it would be fixing
> > things for people who know how to do it though. And the lack of sudo
> > configuration GUI is no argument. We only need someone to write it, which
> > is the same thing that is needed for the proper solution.
> 
> No, it's not. A general solution would not rely on sudo at all.

Yes, i understand that, and you would be creating yet another user
permission database, wouldn't you?

> > > Why not use (and put a pretty / usable face on) existing infrastructure?
> > 
> > Which ones ?
> 
> su, sudo, pam, other systems in other environments.

Well, personally i think that the GDM passing system, for the logout
stuff only, is a nice solution, because it solves any security problem.
GDM runs as root, so it already has all the rights needed to do the
proper shutting down. It even has all the code already in place for
this. The only thing which would be passed from the client to gdm would
be a simple value (shutdown, reboot, normal logout, logout without
relaunching gdm and into the console), which there is no way to exploit.

Any of the other things you propose need some kind of becoming root,
which opens the way to potential security problems.

This does not solve the root apps though.

> > I think i have seen in one of the gdm changelogs that the gdm author
> > didn't think such a thing was feasible, don't know the details though.
> 
> This has nothing to do with GDM.

Well, the message was about getting some response from the session on
what to do afterward, or getting some error code result from X or
something such, i don't remember exactly. I think this is the same
problem we are having here, but taken from the other side, from the GDM
point of view and not from the gnome point of view. I may be wrong
though, as i don't fully understand the issues involved with gdm.

> > > It also sounds somewhat overblown and unnecessary. You're trying to put
> > > a usable face on a process that most users simply won't care about.
> > > Stupid but relevant point: Ever seen a Mac or Windows user boot a
> > > different kernel? :-)
> > 
> > Well, you are falling again into the most users don't need it, so it is
> > not worth it, and anyway, you are wrong, windows has this 'reboot into
> > msdos' thingy, which is comparable in functionality.
> > 
> > Also all people who want to use their box for games are often forced to
> > reboot into windows, but i forgot, gnome is now aimed at corporate
> > desktops.
> 
> I believe you're wrong, and not focusing on what's actually important. But
> this is all off-topic.

Ok, the rant about gnome aims was a gentle stab, nothing more, i should
have added a smiley or something, i was not sure. I think this is, well,
maybe not really off topic, not totally at least, but it is a different
topic, more related to grub, lilo and other boot-loaders, although it is
something which is part of the whole gnome experience.

But ok, let's focus on the primary issue, which is threefold:

  o a way to allow trusted users to run root-privilege configuration
  stuff (gdm configurator, package manager frontends, etc.)

  o a way to allow a passing administrator to launch the same root
  privilege stuff without logging out, by just entering the root
  password.

  o a way to allow trusted users to shutdown or reboot the box.

The booting into a different boot loader entry is an extension of the
last point, taken from the user view of it, not the technical side.

> > > Anyway, the point is that GNOME needs a general solution to these
> > > problems that is portable and secure.
> > 
> > I don't understand the portability problems. I also don't understand the
> > security problems.
> > 
> > The point is that there are some apps that need root.  These can easily be
> > solved by using sudo, or better yet by creating a group which has the
> > right to modify them, and adding the user to this group. Not a single line
> > of code would need to be modified.
> 
> Can you see that these statements do not work well together? Sorry, but if
> you don't understand the security/portability issues, nor want to find out
> about them, you're not actually saying anything useful. What you have said
> is not correct (it is not a simple issue).

Well, in gnome 1 i could shutdown with one click from the gnome session
using a sudo gshutdown launcher button, something i cannot do anymore.
Why was gshutdown removed?

I think i understand the security issues, at least somewhat, what i was
saying is i don't understand the ones you are specifically speaking about,
and the portability issues? Do you mean arch portability or underlying
OS portability? Or something else?

> > So you could solve this in a transparent way simply by using the right
> > kind of group, and i suppose you would need a group handling GUI for
> > this, but it is a known and working unix solution to this.
> 
> A general solution, which this is not, is not that simple. And without a
> general solution, you haven't solved much.

Ok, let me see if i understood you well.

I guess the group thingy is not portable because it will work only on
unix systems, and not on non-group systems, right? If that is not it,
then i don't understand. Groups have been used for years, err, decades,
to solve this kind of problem on unix systems, and are even now used to
be able to mount floppies, burn CDs, play audio, etc. They are the right
solution for the first problem mentioned above, and a group (not sudoer)
management GUI would be a welcome addition to the gnome desktop. It
would cause problems for apps that check if you are root before being
launched though, but again, it is much more secure to run such stuff as
a group than as root. Do the SE Linux folks not do something similar?

Now, it does cause a problem if you plan to run on an OS that is not
group-aware. But i am not aware of gnome running on such an OS.

Friendly,

Sven Luther
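The design argued for above (an already-root display manager that accepts only a small enumerated value from the session, combined with a unix group for authorization) can be sketched as a tiny dispatcher. This is an added illustration, not GDM's or GNOME's code; the group name "power", the action tokens and the sample group table are assumptions constructed for the example.

```python
"""Privilege-separated session action dispatcher (illustrative, not GDM code).

The unprivileged session sends only a token ("shutdown", "reboot", "logout",
"console"); the root-side daemon matches it exactly against a whitelist and
maps it to a fixed argv. Client text is never spliced into a command, which is
why the channel carries nothing exploitable. Authorization for the actions
that need root uses a unix group, the way cdrom/audio groups grant device
access. Group membership is supplied as constructed data so this runs offline.
"""

# Fixed mapping from accepted tokens to fixed argv vectors (no shell involved).
ACTIONS = {
    "shutdown": ["/sbin/shutdown", "-h", "now"],
    "reboot": ["/sbin/shutdown", "-r", "now"],
    "logout": None,   # handled inside the daemon, no external command
    "console": None,  # logout without respawning the display manager
}
PRIVILEGED = {"shutdown", "reboot"}  # what /sbin/shutdown refuses to non-root callers
POWER_GROUP = "power"                # assumed group name; a site would pick its own


class ActionError(Exception):
    """Raised for an unknown token or a caller outside the required group."""


def is_member(user, group, group_db):
    """group_db is {group_name: set(users)}, a constructed stand-in for /etc/group."""
    return user in group_db.get(group, set())


def dispatch(user, token, group_db):
    """Return the fixed argv for an accepted token (None for in-daemon logout).

    The token must match a whitelist key exactly; anything else, including a
    token with extra text appended, is rejected before any command is chosen.
    """
    if token not in ACTIONS:
        raise ActionError(f"unknown action {token!r}")
    if token in PRIVILEGED and not is_member(user, POWER_GROUP, group_db):
        raise ActionError(f"{user} is not in group {POWER_GROUP}")
    return ACTIONS[token]


def rejected(user, token, group_db):
    """True if the daemon would refuse this request."""
    try:
        dispatch(user, token, group_db)
    except ActionError:
        return True
    return False


# Constructed sample group table: alice may power off, bob may only log out.
SAMPLE_GROUPS = {"power": {"alice"}, "audio": {"alice", "bob"}}
```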