May 22, 2012

Security or Convenience? Defining a better policy

The openSUSE security concepts have changed gradually over the years, with new tools like PolicyKit and PolKit and their usage in system tools.

It's time now to step back, and review what we have and want.

Marcus and Ludwig from the SUSE security team and I have discussed this a bit over the last weeks and would like to open it to a broader round now to get your help in defining what needs to be done.

Challenges we face

Administering a system in a secure way always means balancing the needs and requests of security, convenience and usability. There is the additional challenge that upstream projects often have a different view on each of these and therefore make different decisions, and influencing upstream projects is quite often a difficult task.

Background

Linus Torvalds in his Google+ rant said:

"I first spent weeks arguing on a bugzilla that the security policy of
requiring the root password for changing the timezone and adding a new
wireless network was moronic and wrong.

I think the wireless network thing finally did get fixed, but the
timezone never did - it still asks for the admin password.

And today Daniela calls me from school, because she can't add the
school printer without the admin password.

...
So here's a plea: if you have anything to do with security in a
distro, and think that my kids (replace "my kids" with "sales people
on the road" if you think your main customers are businesses) need to
have the root password to access some wireless network, or to be able
to print out a paper, or to change the date-and-time settings, ..."

How to continue?

We've collected a couple of use cases for the administration of a
local system at: http://en.opensuse.org/openSUSE:Security_use_cases

For each use case we added a short security evaluation, but in most cases we do not yet give a recommendation on what to do.

I now have a call for action: review and discuss the contents of the wiki page using the following questions:

  • Are there any use cases missing?
  • Is there anything missing in the specific use cases?
  • How can we solve these use cases so that a system is easy to set up for the most common usage scenarios?

Let's have the discussion on the opensuse-factory mailing list; I'll update the document with any improvements. Feel free to enhance it as well.