FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Redhat > Fedora Development

 
 
LinkBack Thread Tools
 
Old 10-09-2012, 07:44 PM
Steve Clark
 
Default systemd requires HTTP server and serves QR codes

On 10/09/2012 02:17 PM, Lennart
Poettering wrote:



On Tue, 09.10.12 10:31, Matthew Miller (mattdm@fedoraproject.org) wrote:



On Tue, Oct 09, 2012 at 04:05:10PM +0200, Lennart Poettering wrote:
> On Tue, 09.10.12 09:49, Matthew Miller (mattdm@fedoraproject.org) wrote:



allowing regular users to do so. (Commonly currently accomplished by making
/var/log/messages owned and readable by the wheel group.)


The HTTP thingy is not really how admins should access the logs. They
should just use journalctl.



On a related but tangental note: I notice that journalctl allows access to
members of the admin group by default.



Well, I'd say this differently: we _restrict_ access to "adm", in
contrast to the previous logic where everybody was allowed to read
/var/log/messages and only root /var/log/secure.



When was previous - that access to /var/log/messages was allowed?

$ cat /etc/redhat-release

Fedora release 14 (Laughlin)

sclark66:~/Download

$ less /var/log/messages

/var/log/messages: Permission denied





In Fedora for the past few releases
we've followed the tradition of making "wheel" the admin group -- see
http://docs.fedoraproject.org/en-US/Fedora/17/html/Installation_Guide/sn-firstboot-systemuser.html
This is also the case in RHEL 6, so changes here have downstream
implications.



The way I see this is that "wheel" allows you to *do* privileged things,
but "adm" allows you to *see* privileged things.

Note that "adm" has been widely used for the log purpose on other Linux
distros, most notably Debian and its descendents. On Debian
/var/log/messages defaulted to being private to "adm", and we kinda
wanted to unify things here and though the Debian default is much nicer
than the Fedora default of world-readability of logs, from a security
PoV.



Could we make that a default on Fedora in addition to adm? (I assume this is
polkit but can't see it offhand -- hmmm... looks to be hard-coded in the
source?) I don't really have a strong opinion about whether adm should work
or not, but wheel should.



Well, we could of course add this as ACL, but I wonder if it wouldn't be
nicer to declare that "adm" is for seeing, and "wheel" for doing as I
suggested above.



Second, there's a traditional separation between /var/log/secure and
/var/log/messages. Crucially, the "secure" log may contain
accidentally-typed user passwords and other privacy-sensitive information.
How can we do something similar with the systemd journal and
journalctl?



As mentioned no system messages are user-readable by default in the
journal. We are more secure by default with the journal.



Ideally, the /var/log/messages data would be available to members of the
admin group without extra authentication, but seeing the potentially-privacy
sensitive /var/log/secure should require re-authentication. (As a sysadmin,
I should be able to safely look at message data with a user looking over my
shoulder, so I can help them without possibly exposing private information
about other users on the system.)



Well, honestly the old secure vs. messages split is kinda broken, simply
because old syslog didn't check the originator of messages and hence
unprivileged processes could get have their data spill into the presumed
"secure" logs. Splitting this of based on the "facility" field is fake
securety, and we don't do "fake security" anymore with the journal.

Lennart







--

Stephen*Clark

NetWolves

Director*of*Technology

Phone:*813-579-3200

Fax:*813-882-0209

Email:*steve.clark@netwolves.com

http://www.netwolves.com




--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
 
Old 10-09-2012, 07:45 PM
Lennart Poettering
 
Default systemd requires HTTP server and serves QR codes

On Tue, 09.10.12 15:14, Seth Vidal (skvidal@fedoraproject.org) wrote:

> >Seth, any chance we can get this exposed on the yum cmdline somehow? I'd
> >really like to use this on the yum command line to install a container
> >with "--installroot", and having to edit the host rpmrc for that really
> >sucks...
>
> It's not up to me. Talk to the packaging team.

OK, I filed this:

https://bugzilla.redhat.com/show_bug.cgi?id=864633

Lennart

--
Lennart Poettering - Red Hat, Inc.
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
 
Old 10-09-2012, 08:36 PM
Chris Murphy
 
Default systemd requires HTTP server and serves QR codes

On Oct 9, 2012, at 8:31 AM, Matthew Miller wrote:

> (Apparently Apple does the same thing? Not that that's directly relevant,
> but we're not completely out in the weeds here.)

Admin users are place in group admin. Not wheel. Only root is in wheel.

Chris Murphy

--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
 
Old 10-10-2012, 12:19 AM
Adam Williamson
 
Default systemd requires HTTP server and serves QR codes

On Tue, 2012-10-09 at 10:06 -0400, Seth Vidal wrote:
>
>
> On Tue, 9 Oct 2012, Matthew Miller wrote:
>
> > On Tue, Oct 09, 2012 at 03:18:25PM +0200, Lennart Poettering wrote:
> >> To build such an image I'd really would have preferred not installing
> >> the docs. It appears rpm once had a feature for that where you could add
> >> excludedocs in rpmrc. This feature seems to have been removed. Why? Can
> >> we get that back? Or can I enable this for yum in some other way? Anyone
> >> has an idea?
> >
> > +1 to this, although note that we currently ship licenses as doc files, and
> > so that might need to go by packaging/legal.
> >
> > There's a yum plugin which sets RPM transaction flags (yum-plugin-tsflags),
> > and with that we could put "tsflags=nodocs" in the yum.conf. Not sure how to
> > get that up to spin-creation tools, and if we're going to count on it it
> > could probably use some polish and integration.
> >
> >> info
> >
> > Yeah that goes along with nodocs.
> >
> >
>
> --nodocs and tsflags=nodocs ends up with ugly ugly things when you want to
> do rpm -Va later.
>
> nodocs 'works' but not in a pretty way

IIRC, the big problem we had with nodocs at Mandriva (MDV strip(s)(ped)
docs from live images to save space) was that once you've installed a
package without docs there's no easy way to add the docs, because the
package is installed already, and there's no simple 'install all those
docs that got left out' command. You can hack up some kind of icky
duck-tape-and-string way of doing it, but unless things have changed
since then, there's no straightforward way. So you're stuck without the
docs for all the packages in the initial install.
--
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
http://www.happyassassin.net

--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
 
Old 10-10-2012, 12:19 AM
"J. Randall Owens"
 
Default systemd requires HTTP server and serves QR codes

On 10/09/2012 11:34 AM, Lennart Poettering wrote:
> On Tue, 09.10.12 14:26, Simo Sorce (simo@redhat.com) wrote:
>
>> On Tue, 2012-10-09 at 20:17 +0200, Lennart Poettering wrote:
>>> Well, we could of course add this as ACL, but I wonder if it wouldn't
>>> be
>>> nicer to declare that "adm" is for seeing, and "wheel" for doing as I
>>> suggested above.
>>>
>> What's the point of 2 different groups ?
>>
>> We have filesystem permissions to determine what a user/group can do,
>> plus we have selinux on top to enforce in a different way some of these
>> policies.
>>
>> What does 2 different groups give you besides confusion ?
>
> Safety? Robustness?
>
> For example, by adding people to "adm" you can allow them to monitor
> machines, but when something happens and they want to do things they'd
> have to go through "sudo" or "su", thus adding a psychological barrier
> so that they don't break things... That means they can watch the machine
> just fine, but "rm -rf /" when doing that will have no effect. But they
> still can do priviliged things if they feel the need to, after auth.

Just on the naming, I'd rather steer clear of the actual concept, let me
get this straight: You want a group called "adm", presumably short for
"administrator", the point of which is that it can view system things,
but not actually *administer* them? Why on Earth call it "adm"?

--
J. Randall Owens | http://www.ghiapet.net/

--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
 
Old 10-10-2012, 12:44 AM
Adam Williamson
 
Default systemd requires HTTP server and serves QR codes

On Tue, 2012-10-09 at 17:34 +0000, "Jhann B. Gumundsson" wrote:
> On 10/09/2012 05:18 PM, Lennart Poettering wrote:
> > On Tue, 09.10.12 14:41, "Jhann B. Gumundsson" (johannbg@gmail.com) wrote:
> >
> >> "|CHANGES WITH 194: * If /etc/vconsole.conf is non-existent or empty
> >> we will no longer load any console font or key map at boot by
> >> default. Instead the kernel defaults will be left intact. This is
> >> definitely the right thing to do, as no configuration should mean no
> >> configuration, and hard-coding font names that are different on all
> >> archs is probably a bad idea. Also, the kernel default key map and
> >> font should be good enough for most cases anyway, and mostly
> >> identical to the userspace fonts/key maps we previously overloaded
> >> them with. If distributions want to continue to default to a
> >> non-kernel font or key map they should ship a default
> >> /etc/vconsole.conf with the appropriate contents."
> > Note that this change has next to zero effect on Fedora, since we pass
> > the font/map via the kernel cmdline anyway.
>
> I was referring to the new kernel parameter supposed to be used and that
> applications, admins and users a like should be using /etc/vconsole.conf
> instead of /etc/sysconfig/i18n
>
> Seriously Lennart how many users do you think are aware of that now when
> we have barely manage to go through localization bugs in F18 which may
> or my not be a direct result of this "next to zero effect on Fedora"
> that this is the way to go?

at the least, I think the anaconda team needs to have a clear idea of
exactly what they ought to be a) setting on clean install and b)
migrating on upgrades, as regards l10n/i18n configuration.
--
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
http://www.happyassassin.net

--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
 
Old 10-10-2012, 12:50 AM
Chris Murphy
 
Default systemd requires HTTP server and serves QR codes

On Oct 9, 2012, at 6:19 PM, Adam Williamson wrote:
> there's no simple 'install all those
> docs that got left out' command.

That is icky. I would like a minimal install base with a docs add-on. Is this a possibility for newui anaconda in the F18 time frame?

Choose your environment Choose your add-ons

Minimal Install Documentation


Alternatively, include the man files in the Standard add-on?


Chris Murphy
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
 
Old 10-10-2012, 12:55 AM
Josh Stone
 
Default systemd requires HTTP server and serves QR codes

On 10/09/2012 05:19 PM, J. Randall Owens wrote:
> Just on the naming, I'd rather steer clear of the actual concept, let me
> get this straight: You want a group called "adm", presumably short for
> "administrator", the point of which is that it can view system things,
> but not actually *administer* them? Why on Earth call it "adm"?

Clearly, "adm" is short for "admonitor"
[which actually makes an odd bit of sense]

--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
 
Old 10-10-2012, 12:57 AM
"J. Randall Owens"
 
Default systemd requires HTTP server and serves QR codes

On 10/09/2012 05:55 PM, Josh Stone wrote:
> On 10/09/2012 05:19 PM, J. Randall Owens wrote:
>> Just on the naming, I'd rather steer clear of the actual concept, let me
>> get this straight: You want a group called "adm", presumably short for
>> "administrator", the point of which is that it can view system things,
>> but not actually *administer* them? Why on Earth call it "adm"?
>
> Clearly, "adm" is short for "admonitor"
> [which actually makes an odd bit of sense]

OK, then, I'll consider myself admonished.

--
J. Randall Owens | http://www.ghiapet.net/

--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
 
Old 10-10-2012, 01:14 AM
Jesse Keating
 
Default systemd requires HTTP server and serves QR codes

On 10/09/2012 05:50 PM, Chris Murphy wrote:


On Oct 9, 2012, at 6:19 PM, Adam Williamson wrote:

there's no simple 'install all those docs that got left out'
command.


That is icky. I would like a minimal install base with a docs add-on.
Is this a possibility for newui anaconda in the F18 time frame?

Choose your environment Choose your add-ons

Minimal Install Documentation


Alternatively, include the man files in the Standard add-on?


Chris Murphy


Anaconda isn't going to do that unless there is rpm support to re-docify
yourself. To accomplish this right now, every package would have to
split out a -docs subpackage with all the docs in it. Anaconda /might/
do what you want in the future, by way of kickstart commands, but that's
not something we're going to expose in the UI.


--
Jesse Keating
Fedora -- Freedom is a feature!
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
 

Thread Tools




All times are GMT. The time now is 07:02 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org