Re: [opensuse] Re: Should openSUSE review its Security Policies?



On Thu, 2012-03-01 at 11:30 +0100, Marcus Meissner wrote:
> On Thu, Mar 01, 2012 at 11:27:36AM +0100, Roger Oberholtzer wrote:
> > On Thu, 2012-03-01 at 08:59 +0100, lynn wrote:
> > > On 03/01/2012 08:38 AM, Roger Oberholtzer wrote:
> > > > On Thu, 2012-03-01 at 00:17 +0100, jdd wrote:
> > > > > On 29/02/2012 21:27, Roger Oberholtzer wrote:
> > > > > >
> > > > > > I think the issue is fine-grained permissions.
> > > > >
> > > > > read man sudoer
> > > >
> > > > * What fine-grained activities currently limited to root could have
> > > > configurable access. Like my favorite: network broadcasts.
> > >
> > > Hi
> > > Sorry to interfere, but is that Wireshark? On Ubuntu you can launch it
> > > as a user. On openSUSE only root can launch it. Or at least I've not
> > > found a way to do it.
> >
> > It is software and, more importantly, libraries provided by equipment
> > vendors. For example, these companies provide SDKs for Linux that have
> > as part of their procedure the desire to do a network broadcast to
> > locate things:
> >
> > SICK AG
> > (http://www.sick.com)
> >
> > JAI A/S
> > (http://www.jai.com/en/)
> >
> > Allied Vision Technologies
> > (http://www.alliedvisiontec.com/emea/home.html)
> >
> > Basler
> > (http://www.baslerweb.com)
> >
> > LMI Selcom
> > (http://www.lmi3d.com/)
> >
> > There are many more. They too complain that Linux sometimes makes it
> > more difficult to implement transducer queries than 'the other OS'.
> > Their techniques are similar to mDNS and such things.
> >
> > I would use these in my application, as one does. I do NOT repeat NOT
> > want to run measurement software as root just to satisfy this need.
>
> But this is not really related to the topic of Desktop security that Linus
> was mostly ranting about.

Well, these suppliers provide, quite often, Qt apps that allow one to
configure their devices. They need to first locate them. A network
broadcast is what they would like to do. Except on Linux this requires
root permissions. So, the user mode GUI that is going to configure an
external device (not the local Linux system really) is prevented from
doing so because broadcasts are limited to root.

Different situation. But caused by the exact same core issue. I thought
it was relevant because if one focuses on making the squeaky wheel
desktop apps work, the root problem (pun intended) remains. What is
needed is a general approach to these permissions.

As to the printer things: isn't it mainly configuration file access that
is the problem? Why not an lpadmin group to which users could be added,
and that the changeable files and directories would belong? In much the
same way /dev access is controlled.



Yours sincerely,

Roger Oberholtzer

OPQ Systems / Ramböll RST

Office: Int +46 10-615 60 20
Mobile: Int +46 70-815 1696
roger.oberholtzer@xxxxxxxxxx
________________________________________

Ramböll Sverige AB
Krukmakargatan 21
P.O. Box 17009
SE-104 62 Stockholm, Sweden
www.rambollrst.se

