Old 10-09-2012, 06:17 PM
Lennart Poettering
 
Default systemd requires HTTP server and serves QR codes

On Tue, 09.10.12 10:31, Matthew Miller (mattdm@fedoraproject.org) wrote:

> On Tue, Oct 09, 2012 at 04:05:10PM +0200, Lennart Poettering wrote:
> > On Tue, 09.10.12 09:49, Matthew Miller (mattdm@fedoraproject.org) wrote:
> > > allowing regular users to do so. (Commonly currently accomplished by making
> > > /var/log/messages owned and readable by the wheel group.)
> > The HTTP thingy is not really how admins should access the logs. They
> > should just use journalctl.
>
> On a related but tangential note: I notice that journalctl allows access to
> members of the admin group by default.

Well, I'd say this differently: we _restrict_ access to "adm", in
contrast to the previous logic where everybody was allowed to read
/var/log/messages and only root /var/log/secure.

> In Fedora for the past few releases
> we've followed the tradition of making "wheel" the admin group -- see
> http://docs.fedoraproject.org/en-US/Fedora/17/html/Installation_Guide/sn-firstboot-systemuser.html
> This is also the case in RHEL 6, so changes here have downstream
> implications.

The way I see this is that "wheel" allows you to *do* privileged things,
but "adm" allows you to *see* privileged things.

Note that "adm" has been widely used for the log purpose on other Linux
distros, most notably Debian and its descendants. On Debian
/var/log/messages defaulted to being private to "adm", and we kinda
wanted to unify things here and thought the Debian default is much nicer
than the Fedora default of world-readability of logs, from a security
PoV.

> Could we make that a default on Fedora in addition to adm? (I assume this is
> polkit but can't see it offhand -- hmmm... looks to be hard-coded in the
> source?) I don't really have a strong opinion about whether adm should work
> or not, but wheel should.

Well, we could of course add this as ACL, but I wonder if it wouldn't be
nicer to declare that "adm" is for seeing, and "wheel" for doing as I
suggested above.

> Second, there's a traditional separation between /var/log/secure and
> /var/log/messages. Crucially, the "secure" log may contain
> accidentally-typed user passwords and other privacy-sensitive information.
> How can we do something similar with the systemd journal and
> journalctl?

As mentioned no system messages are user-readable by default in the
journal. We are more secure by default with the journal.

> Ideally, the /var/log/messages data would be available to members of the
> admin group without extra authentication, but seeing the potentially-privacy
> sensitive /var/log/secure should require re-authentication. (As a sysadmin,
> I should be able to safely look at message data with a user looking over my
> shoulder, so I can help them without possibly exposing private information
> about other users on the system.)

Well, honestly the old secure vs. messages split is kinda broken, simply
because old syslog didn't check the originator of messages and hence
unprivileged processes could have their data spill into the presumed
"secure" logs. Splitting this off based on the "facility" field is fake
security, and we don't do "fake security" anymore with the journal.

Lennart

--
Lennart Poettering - Red Hat, Inc.
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
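
An added illustration of the point about the "facility" field in the message above (not part of the original thread and not systemd code): it routes constructed `journalctl -o json` style records by the sender-supplied SYSLOG_FACILITY, then flags the ones whose journald-recorded _UID does not back up the claim. The function names, the sample records and the "only UID 0 is trusted" policy are assumptions made for the example.

```python
import json

# Constructed sample in the shape of `journalctl -o json` output (one object per line).
# Fields starting with "_" are added by journald; the others are supplied by the sender.
SAMPLE = """\
{"MESSAGE":"Accepted password for alice from 192.0.2.10","SYSLOG_FACILITY":"10","SYSLOG_IDENTIFIER":"sshd","_UID":"0","_COMM":"sshd"}
{"MESSAGE":"Accepted password for root from 192.0.2.66","SYSLOG_FACILITY":"10","SYSLOG_IDENTIFIER":"sshd","_UID":"1000","_COMM":"logger"}
{"MESSAGE":"Started Session 4 of user alice.","SYSLOG_FACILITY":"3","SYSLOG_IDENTIFIER":"systemd","_UID":"0","_COMM":"systemd"}
"""

AUTH_FACILITIES = {"4", "10"}  # syslog "auth" and "authpriv"


def field(entry, name):
    """Return a field as a string, or None if it is missing or not a plain
    string (the JSON export uses arrays for repeated or binary fields)."""
    value = entry.get(name)
    return value if isinstance(value, str) else None


def parse(export):
    """Parse newline-delimited JSON journal records."""
    return [json.loads(line) for line in export.splitlines() if line.strip()]


def route_by_facility(entries):
    """The old secure/messages split: believe whatever facility the sender set."""
    secure = [e for e in entries if field(e, "SYSLOG_FACILITY") in AUTH_FACILITIES]
    messages = [e for e in entries if e not in secure]
    return secure, messages


def unverified_auth_claims(entries, trusted_uids=frozenset({"0"})):
    """Entries that claim an auth facility although the _UID recorded by
    journald is not in the trusted set (assumed policy: root only)."""
    return [
        e for e in entries
        if field(e, "SYSLOG_FACILITY") in AUTH_FACILITIES
        and field(e, "_UID") not in trusted_uids
    ]


if __name__ == "__main__":
    entries = parse(SAMPLE)
    secure, messages = route_by_facility(entries)
    print("routed to 'secure' by facility:", len(secure))
    for e in unverified_auth_claims(entries):
        print("unverified auth claim from uid", field(e, "_UID"),
              "comm", field(e, "_COMM"), "->", field(e, "MESSAGE"))
```
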
 
Old 10-09-2012, 06:18 PM
Jonathan Dieter
 
Default systemd requires HTTP server and serves QR codes

On Tue, 2012-10-09 at 20:57 +0300, Panu Matilainen wrote:
> On 10/09/2012 08:39 PM, David Malcolm wrote:
> > On Tue, 2012-10-09 at 20:20 +0300, Panu Matilainen wrote:
> >> On 10/09/2012 08:15 PM, Lennart Poettering wrote:
<snip>
> >>> /usr/lib/locale and /usr/share/locale are 148M of my 434M container
> >>> image, i.e. 35%. I wonder if we could do something about that. Is there
> >>> a way to tell yum not to install any translations, or just translations
> >>> for a certain set of languages?
> >>
> >> Yup, another rpm macro configuration item (this is obviously the default):
> >>
> >> # A colon separated list of desired locales to be installed;
> >> # "all" means install all locale specific files.
> >> #
> >> %_install_langs all
> >
> > Is this something that Anaconda could change, based on the language
> > settings provided by the user in the UI? How well do rpm and yum work
> > if you actually change this config?
> >
>
> Anaconda used to support this, maybe up to RHEL-4 era or thereabouts.
>
> Both rpm and yum work fine with this as such, presto might have to
> revert back to downloading full packages (but I'm not sure about that)

This is correct. Any time we start installing part of a package rather
than the full rpm, presto won't be able to apply the deltarpm and will
fall back to downloading the full packages.

On the other hand, I'm not sure how many people care about deltarpms for
their containers.

Jonathan
 
Old 10-09-2012, 06:26 PM
Simo Sorce
 
Default systemd requires HTTP server and serves QR codes

On Tue, 2012-10-09 at 20:17 +0200, Lennart Poettering wrote:
> > Could we make that a default on Fedora in addition to adm? (I assume this is
> > polkit but can't see it offhand -- hmmm... looks to be hard-coded in the
> > source?) I don't really have a strong opinion about whether adm should work
> > or not, but wheel should.
>
> Well, we could of course add this as ACL, but I wonder if it wouldn't be
> nicer to declare that "adm" is for seeing, and "wheel" for doing as I
> suggested above.
>
What's the point of 2 different groups?

We have filesystem permissions to determine what a user/group can do,
plus we have selinux on top to enforce in a different way some of these
policies.

What do 2 different groups give you besides confusion?

Simo.

--
Simo Sorce * Red Hat, Inc * New York

 
Old 10-09-2012, 06:34 PM
Lennart Poettering
 
Default systemd requires HTTP server and serves QR codes

On Tue, 09.10.12 14:26, Simo Sorce (simo@redhat.com) wrote:

> On Tue, 2012-10-09 at 20:17 +0200, Lennart Poettering wrote:
> > > Could we make that a default on Fedora in addition to adm? (I assume this is
> > > polkit but can't see it offhand -- hmmm... looks to be hard-coded in the
> > > source?) I don't really have a strong opinion about whether adm should work
> > > or not, but wheel should.
> >
> > Well, we could of course add this as ACL, but I wonder if it wouldn't be
> > nicer to declare that "adm" is for seeing, and "wheel" for doing as I
> > suggested above.
> >
> What's the point of 2 different groups?
>
> We have filesystem permissions to determine what a user/group can do,
> plus we have selinux on top to enforce in a different way some of these
> policies.
>
> What do 2 different groups give you besides confusion?

Safety? Robustness?

For example, by adding people to "adm" you can allow them to monitor
machines, but when something happens and they want to do things they'd
have to go through "sudo" or "su", thus adding a psychological barrier
so that they don't break things... That means they can watch the machine
just fine, but "rm -rf /" when doing that will have no effect. But they
still can do privileged things if they feel the need to, after auth.

Lennart

--
Lennart Poettering - Red Hat, Inc.
 
Old 10-09-2012, 06:57 PM
Matthew Miller
 
Default systemd requires HTTP server and serves QR codes

On Tue, Oct 09, 2012 at 08:17:41PM +0200, Lennart Poettering wrote:
> Well, I'd say this differently: we _restrict_ access to "adm", in
> contrast to the previous logic where everybody was allowed to read
> /var/log/messages and only root /var/log/secure.

Well except they're both not readable in current releases.


> Well, we could of course add this as ACL, but I wonder if it wouldn't be
> nicer to declare that "adm" is for seeing, and "wheel" for doing as I
> suggested above.

I could maybe be brought around to this, but I'm not sure if the confusion
outweighs the gain.

(I think in particular since neither group name is very explanatory, pushing
"adm is read-only administrative" is an uphill battle.)

> > Second, there's a traditional separation between /var/log/secure and
> > /var/log/messages. Crucially, the "secure" log may contain
> > accidentally-typed user passwords and other privacy-sensitive information.
> > How can we do something similar with the systemd journal and
> > journalctl?
> As mentioned no system messages are user-readable by default in the
> journal. We are more secure by default with the journal.

Not if they're not easily split out again for the practical use case I gave.
Another case might be the thing which started this whole thread: exposing
_some_ system messages to localhost via the web interface, but not ones of a
certain level.

> > sensitive /var/log/secure should require re-authentication. (As a
> > sysadmin, I should be able to safely look at message data with a user
> > looking over my shoulder, so I can help them without possibly exposing
> > private information about other users on the system.)
> Well, honestly the old secure vs. messages split is kinda broken, simply
> because old syslog didn't check the originator of messages and hence
> unprivileged processes could have their data spill into the presumed
> "secure" logs. Splitting this off based on the "facility" field is fake
> security, and we don't do "fake security" anymore with the journal.

The concern isn't whether messages get _in_ to the /var/log/secure. Think of
it as "/var/log/authpriv" or "/var/log/privacy-sensitive" if that helps.

Also, please consider that "world readable" and "readable to admins without
authentication" aren't the only possible levels.

--
Matthew Miller ☁☁☁ Fedora Cloud Architect ☁☁☁ <mattdm@fedoraproject.org>
 
Old 10-09-2012, 07:03 PM
Lennart Poettering
 
Default systemd requires HTTP server and serves QR codes

On Tue, 09.10.12 17:25, Panu Matilainen (pmatilai@laiskiainen.org) wrote:

> >Can I pass this somehow to yum? Or do I have to create a macro file for
> >this?
>
> You can set it in yum.conf (tsflags=nodocs), but then rpm won't know
> about it (so if you install directly with rpm, it'll still install
> the docs). Putting it in the macro configuration ensures everything
> going through librpm honors it.

This appears very much broken. I just tried to install a container with
the following command line:

yum -y \
    --setopt=tsflags=nodocs \
    --setopt=keepcache=0 \
    --installroot=/home/lennart/minimal/install \
    --nogpg \
    --releasever=18 \
    '--disablerepo=*' \
    --enablerepo=fedora \
    install systemd passwd openssh-server rpm

And this fails when installing gawk with:

...
Installing : shared-mime-info-1.0-5.fc18.x86_64 51/106
Installing : grep-2.14-1.fc18.x86_64 52/106
install-info: No such file or directory for /usr/share/info/grep.info.gz
Installing : gawk-4.0.1-2.fc18.x86_64 53/106
Error unpacking rpm package gawk-4.0.1-2.fc18.x86_64
error: unpacking of archive failed on file /usr/share/man/man1/gawk.1.gz;507472b1: cpio: Missing hard link(s)
Installing : libidn-1.25-3.fc18.x86_64 54/106
error: gawk-4.0.1-2.fc18.x86_64: install failed
install-info: No such file or directory for /usr/share/info/libidn.info.gz
Installing : 1:gmp-5.0.5-3.fc18.x86_64 55/106
Installing : ncurses-5.9-5.20120204.fc18.x86_64
...

Filed as bug https://bugzilla.redhat.com/show_bug.cgi?id=864622

Lennart

--
Lennart Poettering - Red Hat, Inc.
 
Old 10-09-2012, 07:04 PM
Lennart Poettering
 
Default systemd requires HTTP server and serves QR codes

On Tue, 09.10.12 20:20, Panu Matilainen (pmatilai@laiskiainen.org) wrote:

> >It's 28M of my 434M F18 container image. i.e. 6.5% of the disk space.
> >
> >/usr/lib/locale and /usr/share/locale are 148M of my 434M container
> >image, i.e. 35%. I wonder if we could do something about that. Is there
> >a way to tell yum not to install any translations, or just translations
> >for a certain set of languages?
>
> Yup, another rpm macro configuration item (this is obviously the default):
>
> # A colon separated list of desired locales to be installed;
> # "all" means install all locale specific files.
> #
> %_install_langs all

Seth, any chance we can get this exposed on the yum cmdline somehow? I'd
really like to use this on the yum command line to install a container
with "--installroot", and having to edit the host rpmrc for that really
sucks...

Lennart

--
Lennart Poettering - Red Hat, Inc.
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
 
Old 10-09-2012, 07:11 PM
Simo Sorce
 
Default systemd requires HTTP server and serves QR codes

On Tue, 2012-10-09 at 20:34 +0200, Lennart Poettering wrote:
> On Tue, 09.10.12 14:26, Simo Sorce (simo@redhat.com) wrote:
>
> > On Tue, 2012-10-09 at 20:17 +0200, Lennart Poettering wrote:
> > > > Could we make that a default on Fedora in addition to adm? (I assume this is
> > > > polkit but can't see it offhand -- hmmm... looks to be hard-coded in the
> > > > source?) I don't really have a strong opinion about whether adm should work
> > > > or not, but wheel should.
> > >
> > > Well, we could of course add this as ACL, but I wonder if it wouldn't be
> > > nicer to declare that "adm" is for seeing, and "wheel" for doing as I
> > > suggested above.
> > >
> > What's the point of 2 different groups?
> >
> > We have filesystem permissions to determine what a user/group can do,
> > plus we have selinux on top to enforce in a different way some of these
> > policies.
> >
> > What do 2 different groups give you besides confusion?
>
> Safety? Robustness?
>
> For example, by adding people to "adm" you can allow them to monitor
> machines, but when something happens and they want to do things they'd
> have to go through "sudo" or "su", thus adding a psychological barrier
> so that they don't break things... That means they can watch the machine
> just fine, but "rm -rf /" when doing that will have no effect. But they
> still can do privileged things if they feel the need to, after auth.

You can do the same by allowing sudo cat /var/log/message without
password and requiring the password for anything else.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

 
Old 10-09-2012, 07:14 PM
Toshio Kuratomi
 
Default systemd requires HTTP server and serves QR codes

On Tue, Oct 09, 2012 at 08:17:41PM +0200, Lennart Poettering wrote:
> On Tue, 09.10.12 10:31, Matthew Miller (mattdm@fedoraproject.org) wrote:
>
> > On a related but tangential note: I notice that journalctl allows access to
> > members of the admin group by default.
>
> Well, I'd say this differently: we _restrict_ access to "adm", in
> contrast to the previous logic where everybody was allowed to read
> /var/log/messages and only root /var/log/secure.
>
[snip]
> than the Fedora default of world-readability of logs, from a security
> PoV.
>
A bit of a tangent but.... AFAICT, /var/log/messages has been 0600 root:root
for quite a while. So it's more correct to talk about how changes have
opened up /var/log/messages to a group than how it's closed off a world
readable file. Do your fresh installs show something different?

> > Could we make that a default on Fedora in addition to adm? (I assume this is
> > polkit but can't see it offhand -- hmmm... looks to be hard-coded in the
> > source?) I don't really have a strong opinion about whether adm should work
> > or not, but wheel should.
>
> Well, we could of course add this as ACL, but I wonder if it wouldn't be
> nicer to declare that "adm" is for seeing, and "wheel" for doing as I
> suggested above.
>
If so... usually people want to look at doing as a superset of seeing. We
talk about read-only vs read-write a lot more than read-only vs write-only.

-Toshio
 
Old 10-09-2012, 07:14 PM
Seth Vidal
 
Default systemd requires HTTP server and serves QR codes

On Tue, 9 Oct 2012, Lennart Poettering wrote:

> On Tue, 09.10.12 20:20, Panu Matilainen (pmatilai@laiskiainen.org) wrote:
>
> > > It's 28M of my 434M F18 container image. i.e. 6.5% of the disk space.
> > >
> > > /usr/lib/locale and /usr/share/locale are 148M of my 434M container
> > > image, i.e. 35%. I wonder if we could do something about that. Is there
> > > a way to tell yum not to install any translations, or just translations
> > > for a certain set of languages?
> >
> > Yup, another rpm macro configuration item (this is obviously the default):
> >
> > # A colon separated list of desired locales to be installed;
> > # "all" means install all locale specific files.
> > #
> > %_install_langs all
>
> Seth, any chance we can get this exposed on the yum cmdline somehow? I'd
> really like to use this on the yum command line to install a container
> with "--installroot", and having to edit the host rpmrc for that really
> sucks...

It's not up to me. Talk to the packaging team.

-sv

 
