[Cooker] [THOUGHTS] Admin user + server wizard

2003-10-03 Thread FACORAT Fabrice
As everybody knows, being connected as root is evil/bad.
But you may want to have a special user that can do some maintenance
tasks ( using mdk tools ) but who doesn't have all of the power of root.

Can this be accomplished ? IMHO, yes.

1°/ during installation you specify the admin user, or better you click
Add Admin user and then type a password.

2°/ sudo should be configured so that this user can launch WITHOUT root 
password all drakxtools, printer administration tools. If some
drakxtools need to be launched only by root they should prompt a dialog
box and ask for the root password. If you can detect when a user is sudoed,
it's just a matter of performing some checks; if this is impossible,
then it should ask for this password every time.

3°/ the desktop of this user should be customized. Under KDE with
superkaramba you have mandrakesecure theme so that he can see security
advisories. Under gnome, he's got the gdesklet equivalent.
mutray could be also installed. The same for evolution summary ( summary
screen ).

4°/ Instead of Mandrake galaxy, the Admin user should see a wizard a
little bit like the Windows 2000/2003 one which proposes several tasks to
do. This wizard should have a blue color as this is Mandrake's color and be
task oriented.

5°/ in order to avoid conflict with user custom groups, this Admin user
could belong to the adm group, or root group ...

Advantages :
- joe user connects with the Admin account and manages the computer with the
admin account. As the Admin user doesn't have all the rights root has, possible
damage will be less important : a rm -fr in / will have less
consequences ;)
- joe user only needs to know the root password for very specific tasks (
kernel recompilation, driver installation, software compilation ).
- we have an account we can customize and where we will be able to show
all needed information ( security advisories, logs, security email, ...
)

---  
there's a split in the air :)  the split is the newbies' fault  what's
newbies #mandrakefr




Re: [Cooker] [THOUGHTS] Admin user + server wizard

2003-10-03 Thread Buchan Milne

FACORAT Fabrice wrote:
 As everybody know, be connected as root is evil/bad.
 But you may want to have a special user that can do some maintenance
 task ( using mdk tools ) but who don't have all of the power of root.

 Can this could be accomplish ? IMHO, yes.

 1°/ during installation you specify the admin user,, or better you click
 Add Admin user and then type password.

If you have installed in high security mode (msec 4 even IIRC), you will
notice the opportunity to check some group memberships (at least
'wheel', maybe a few more). I forget if 'adm' is there, but we are
abusing this group in samba (members of 'adm' can upload printer drivers
by default, and join Windows machines to the samba domain - essentially
the same as the Domain Admins group in Windows), so maybe it should be
used here?


 2°/ sudo should be configure so that this user can launch WITHOUT root
 password all drakxtools, printer administration tools.

Agreed, plus some other things, like 'service', 'urpmi', 'urpmi.update',
maybe 'postfix' so they can run 'postfix flush' etc:

Cmnd_Alias  URPMI_CMND = /usr/sbin/urpmi, /usr/sbin/urpmi.update
Cmnd_Alias  SERVICE_CMND = /sbin/service, /usr/sbin/postfix

%adm ALL = NOPASSWD: URPMI_CMND
%adm ALL = NOPASSWD: SERVICE_CMND

$ sudo -l
User bgmilne may run the following commands on this host:
(root) NOPASSWD: /usr/sbin/urpmi, /usr/sbin/urpmi.update
(root) NOPASSWD: /sbin/service, /usr/sbin/postfix

I mentioned this a while back, but probably too late. Can we start
collecting more useful sudo configs?

Fabrice, do you have write access to the wiki? This is the kind of stuff
I originally meant to put under The Big Picture:
http://qa.mandrakesoft.com/twiki/bin/view/Main/TheBigPicture

 If some
 drakxtools need to be launch only by root they should prompted a dialog
 box and ask for root password.

AFAIK there is no graphical launcher that supports sudo at present.

 If you can detect when a user is sudoed,
 it's just a matter of performing some checks, if this is impossible,
 then it should ask for this password every time.

 3°/ the desktop of this user should be customized. Under KDE with
 superkaramba you have mandrakesecure theme so that he can see security
 advisories. Under gnome, he's got the gdesklet equivalent.
 mutray could be also installed. The same for evolution summary ( summary
 screen ).

 4°/ Instead of Mandrake galaxy, the Admin user should see a wizard a
 little bit like the Windows 2000/2003 one which propose several task to
 do. This wizard should have blue color as this is Mandrake colors and be
 task oriented.


Screenshot:
http://ranger.dnsalias.com/mandrake/screenshots/win2k3/manage_server.png

While we're here, this is a nice idea:

http://ranger.dnsalias.com/mandrake/screenshots/win2k3/shut_down_dialog.png

 5°/ in order to avoid conflict with user custom group, this Admin user
 could belongs to adm group, or root group ...

Agreed, since we (samba) already abuse this group ...


 Advantages :
 - joe user connect with Admin account and manage the computer with admin
 account. As Admin user doesn't have all the right root have, possible
 damages will be less important : a rm -fr in / will have less
 consequences ;)
 - joe user only need to know root password for very specific task (
 kernel recompilation, driver installation, software compilation ).

Not kernel compilation, only kernel installation ... software compilation
should not need sudo (that's too complicated, and more risky IMHO), but
in msec 4 you need to be in ctools group anyway.

 - we have an account we can customize and where we will be able to show
 all needed informations ( security advisories, logs, security email, ...
 )

IMHO, at least the rights (ie sudo) need to be per group.

And imagine if we could store sudo config in LDAP?

(well, at least it allows configuration for multiple hosts in one config
file ... but it could be better).

Regards,
Buchan

- --
|--Another happy Mandrake Club member--|
Buchan MilneMechanical Engineer, Network Manager
Cellphone * Work+27 82 472 2231 * +27 21 8828820x202
Stellenbosch Automotive Engineering http://www.cae.co.za
GPG Key   http://ranger.dnsalias.com/bgmilne.asc
1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7



Re: [Cooker] [THOUGHTS] Admin user + server wizard

2003-10-03 Thread BLINDAUER Emmanuel
On Friday 03 October 2003 17:56, Buchan Milne wrote:
 Screenshot:
 http://ranger.dnsalias.com/mandrake/screenshots/win2k3/manage_server.png

 While we're here, this is a nice idea:

 http://ranger.dnsalias.com/mandrake/screenshots/win2k3/shut_down_dialog.png
I disagree:
* For the shutdown: 
 - The installed mdk is used as a server: no need to reboot. Rebooting is for 
Windows, not for Linux. Apart from kernel issues, I don't see the need for a 
reboot. Windows needs this because it has a graphical desktop in all 
situations, even for servers.
 - The installed mdk is used as a desktop. The user reboots because his job at 
the office has ended; it doesn't need all these solutions. If at home, same issue.
* For the manager server: this window is named drakconf.


  5°/ in order to avoid conflict with user custom group, this Admin user
  could belongs to adm group, or root group ...

 Agreed, since we (samba) already abuse this group ...

Agree too. I think adm should be used for installing rpm files too. (perhaps 
directories writable by adm ?) I remember, some years ago, when a *lot* of 
programs belonged to wheel or adm.




Re: [Cooker] [THOUGHTS] Admin user + server wizard

2003-10-03 Thread FACORAT Fabrice
On Fri 03/10/2003 at 15:56, Buchan Milne wrote:
 FACORAT Fabrice wrote:
 
  2°/ sudo should be configure so that this user can launch WITHOUT root
  password all drakxtools, printer administration tools.
 
 Agreed, plus some other things, like 'service', 'urpmi', 'urpmi.update',
 maybe 'postfix' so they can run 'postfix flush' etc:
 
 Cmnd_Alias  URPMI_CMND = /usr/sbin/urpmi, /usr/sbin/urpmi.update
 Cmnd_Alias  SERVICE_CMND = /sbin/service, /usr/sbin/postfix
 %adm ALL = NOPASSWD: URPMI_CMND
 %adm ALL = NOPASSWD: SERVICE_CMND
 
 $ sudo -l
 User bgmilne may run the following commands on this host:
 (root) NOPASSWD: /usr/sbin/urpmi, /usr/sbin/urpmi.update
 (root) NOPASSWD: /sbin/service, /usr/sbin/postfix
 
 I mentioned this a while back, but probably too late. Can we start
 collecting more useful sudo configs?

Cmnd_Alias PRINTING = /usr/bin/enable, /usr/bin/disable
Cmnd_Alias PACKAGES = /usr/bin/rpm
Cmnd_Alias DRAKXTOOLS = all drakxtools progs
Cmnd_Alias ADSL = /usr/sbin/adsl-connect, /usr/sbin/adsl-setup, \
    /usr/sbin/adsl-start, /usr/sbin/adsl-status, /usr/sbin/adsl-stop
Cmnd_Alias SAGEM = /usr/sbin/showstat, /usr/sbin/startadsl, \
    /usr/sbin/startmire, /usr/sbin/stopadsl

%adm ALL = NOPASSWD: PRINTING
%adm ALL = NOPASSWD: DRAKXTOOLS
%adm ALL = NOPASSWD: ADSL
%adm ALL = NOPASSWD: SAGEM

 Fabrice, do you have write access to the wiki? This is the kind of stuff
 I originally meant to put under The Big Picture:
 http://qa.mandrakesoft.com/twiki/bin/view/Main/TheBigPicture

no I don't :(

 Screenshot:
 http://ranger.dnsalias.com/mandrake/screenshots/win2k3/manage_server.png

I never saw win2k3 before. Pretty indeed. With tools like
superkaramba/gdesklet we can have some good monitoring opportunities (
/var/log/messages in desktop background, can use root-tail also +
security advisories )

 While we're here, this is a nice idea:
 
 http://ranger.dnsalias.com/mandrake/screenshots/win2k3/shut_down_dialog.png

mouaip ... what about a diary :D


  Advantages :
  - joe user connect with Admin account and manage the computer with admin
  account. As Admin user doesn't have all the right root have, possible
  damages will be less important : a rm -fr in / will have less
  consequences ;)
  - joe user only need to know root password for very specific task (
  kernel recompilation, driver installation, software compilation ).
 
 Not kernel compilation, only kernel installation ... software compilation
 should not need sudo (that's too complicated, and more risky IMHO), but
 in msec 4 you need to be in ctools group anyway.

You misunderstood me. joe user will need root password and be logged as
root ( so no sudo, but su instead ) if he wants to do compilation (
kernel, software )


  - we have an account we can customize and where we will be able to show
  all needed informations ( security advisories, logs, security email, ...
  )
 IMHO, at least the rights (ie sudo) need to be per group.

Several Admins ? So when you have a mail/security warning, the mail
needs to be sent to all people belonging to this group.

 And imagine if we could store sudo config in LDAP?

This is for Server config. For desktop config it's too much.
having maximum things in one place is a good thing and as you can do
backup server it's not a too high risk.

 (well, at least it allows configuration for multiple hosts in one config
 file ... but it could be better).

Let's stay simple. For this there will be no group.





Re: [Cooker] [THOUGHTS] Admin user + server wizard

2003-10-03 Thread Buchan Milne

BLINDAUER Emmanuel wrote:
 On Friday 03 October 2003 17:56, Buchan Milne wrote:

Screenshot:
http://ranger.dnsalias.com/mandrake/screenshots/win2k3/manage_server.png

While we're here, this is a nice idea:

http://ranger.dnsalias.com/mandrake/screenshots/win2k3/shut_down_dialog.png

 I disagree:
 * For the shutdown:
  - The installed mdk is used as server: No need to reboot. Rebooting
is for
 windows, not for linux. I don't see apart kernel issues, the need of a
 reboot. windows need this because they have a graphical desktop in all
 situation even for servers.

But, that is precisely the kind of thing you want to know (new kernel).
What about adding new SCSI controller? Or replacing faulty network card?

And, it doesn't need to be graphical. A call to 'halt' could prompt for
a reason 

BTW, some admins I know can only use a linux server with KDE running all
the time ... and the servers are still stable as a rock (I get a call
any time there is a problem - only once for a dead power supply that
took a hard disk with it).

  - The installed mdk is used as desktop. The user reboot because his
job is
 ended at office, it doesn't need all these solutions. If at home, same
issue.
 * For the manager server: this window is named drakconf.


5°/ in order to avoid conflict with user custom group, this Admin user
could belongs to adm group, or root group ...

Agreed, since we (samba) already abuse this group ...


 Agree too. I think adm should be used for installing rpm files too.
(perhaps
 directories writable by adm ? I remember, some years ago, where a *lot* of
 programs were belonging to wheel or adm.

Did you see my sudo config for urpmi in the previous mail?

A few years ago, urpmi was setuid, but that was worse ...

Regards,
Buchan

- --
|--Another happy Mandrake Club member--|
Buchan MilneMechanical Engineer, Network Manager
Cellphone * Work+27 82 472 2231 * +27 21 8828820x202
Stellenbosch Automotive Engineering http://www.cae.co.za
GPG Key   http://ranger.dnsalias.com/bgmilne.asc
1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7



Re: [Cooker] [THOUGHTS] Admin user + server wizard

2003-10-03 Thread FACORAT Fabrice
On Fri 03/10/2003 at 16:41, BLINDAUER Emmanuel wrote:
  - The installed mdk is used as server: No need to reboot. Rebooting is for 
 windows, not for linux. I don't see apart kernel issues, the need of a 
 reboot. windows need this because they have a graphical desktop in all 
 situation even for servers.

you're trolling/kidding ? right ?

  - The installed mdk is used as desktop. The user reboot because his job is 
 ended at office, it doesn't need all these solutions. If at home, same issue.

we are talking about servers, and this is only for admin users. But I must
admit it's useless ...

 * For the manager server: this window is named drakconf

we need a task oriented manager with large explanation. drakconf will
still be there and may even become better ( see Net mandrake Control
center )





Re: [Cooker] [THOUGHTS] Admin user + server wizard

2003-10-03 Thread Buchan Milne

FACORAT Fabrice wrote:
 On Fri 03/10/2003 at 15:56, Buchan Milne wrote:

FACORAT Fabrice wrote:

2°/ sudo should be configure so that this user can launch WITHOUT root
password all drakxtools, printer administration tools.

Agreed, plus some other things, like 'service', 'urpmi', 'urpmi.update',
maybe 'postfix' so they can run 'postfix flush' etc:

Cmnd_Alias  URPMI_CMND = /usr/sbin/urpmi, /usr/sbin/urpmi.update
Cmnd_Alias  SERVICE_CMND = /sbin/service, /usr/sbin/postfix
%adm ALL = NOPASSWD: URPMI_CMND
%adm ALL = NOPASSWD: SERVICE_CMND

$ sudo -l
User bgmilne may run the following commands on this host:
(root) NOPASSWD: /usr/sbin/urpmi, /usr/sbin/urpmi.update
(root) NOPASSWD: /sbin/service, /usr/sbin/postfix

I mentioned this a while back, but probably too late. Can we start
collecting more useful sudo configs?


 Cmnd_Alias PRINTING = /usr/bin/enable, /usr/bin/disable

Agree

 Cmnd_Alias PACKAGES = /usr/bin/rpm

Disagree. If you can't install it with urpmi, then you need to be *real*
root to install it IMHO. Or, it should at least not be NOPASSWD (so
there are more auditing possibilities). Everything else is already
controlled in msec 4 by the rpm group.

Well, these are minor complaints anyway, I will collect this stuff on the
wiki over the weekend (but it is still useful discussing which ones are
useful defaults ... and suggesting more ...)

 Cmnd_Alias DRAKXTOOLS = all drakxtools progs
 Cmnd_Alias ADSL = /usr/sbin/adsl-connect, /usr/sbin/adsl-setup,
 /usr/sbin/adsl-start, /usr/sbin/adsl-status, /usr/sbin/adsl-stop
 Cmnd_Alias SAGEM = /usr/sbin/showstat, /usr/sbin/startadsl,
 /usr/sbin/startmire, /usr/sbin/stopadsl

I'll believe you ...


 %adm ALL = NOPASSWD: PRINTING
 %adm ALL = NOPASSWD: DRAKXTOOLS
 %adm ALL = NOPASSWD: ADSL
 %adm ALL = NOPASSWD: SAGEM


Fabrice, do you have write access to the wiki? This is the kind of stuff
I originally meant to put under The Big Picture:
http://qa.mandrakesoft.com/twiki/bin/view/Main/TheBigPicture


 no I don't :(


Screenshot:
http://ranger.dnsalias.com/mandrake/screenshots/win2k3/manage_server.png


 I never saw win2k3 before. Pretty indeed. With tools like
 superkaramba/gdesklet we can have some good monitoring opportunities (
 /var/log/messages in desktop background, can use root-tail also +
 security advisories )


While we're here, this is a nice idea:

http://ranger.dnsalias.com/mandrake/screenshots/win2k3/shut_down_dialog.png


 mouaip ... what about a diary :D

I was thinking more integrated revision control on configuration files
actually ...




Advantages :
- joe user connect with Admin account and manage the computer with admin
account. As Admin user doesn't have all the right root have, possible
damages will be less important : a rm -fr in / will have less
consequences ;)
- joe user only need to know root password for very specific task (
kernel recompilation, driver installation, software compilation ).

Not kernel compilation, only kernel installation ... software compilation
should not need sudo (that's too complicated, and more risky IMHO), but
in msec 4 you need to be in ctools group anyway.


 You misunderstood me. joe user will need root password and be logged as
 root ( so no sudo, but su instead ) if he wants to do compilation (
 kernel, software )


Joe user should not compile any software as root. Ever. It's too easy to
trojan a Makefile. IMHO, neither should 'make install' be run as root
(same reason). Instead, software should be installed by packages.



- we have an account we can customize and where we will be able to show
all needed informations ( security advisories, logs, security email, ...
)

IMHO, at least the rights (ie sudo) need to be per group.


 Several Admin ? so need when you have mail/security warning the mail
 need to be send to all people belonging to this group.

Or are you saying a company with 15000 employees and 200+ servers needs
only one admin?

And imagine if we could store sudo config in LDAP?

 This is for Server config. For desktop config it's too much.

Why? Surely you want some users to have some rights on a machine, and
others to have none? Maybe you want some users to be able to run
something like mtink (to check ink levels on a printer), but you aren't
willing to trust everyone else not to find an exploit in it?

 having maximum things in one place is a good thing and as you can do
 backup server it's not a too high risk.


(well, at least it allows configuration for multiple hosts in one config
file ... but it could be better).


 Let's stay simple. For this there will have no group.

It might be an idea to make it configurable.

But, restricting it to per user makes  the difference between scaling up
to a large company, and scaling up to a real enterprise ... and large
companies always like to plan for becoming an enterprise, so like to buy
scalable products ...

Regards,
Buchan

- --
|--Another happy Mandrake Club 
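
Added example (not part of the thread, and not a Mandrake or sudo tool): a small audit of the per-group sudoers rules discussed above, listing what each group may run without a password and flagging the case objected to in this message, rpm under NOPASSWD. The names `audit` and `REVIEW_IF_NOPASSWD` and the sample text are assumptions; the parser covers only `Cmnd_Alias` lines and simple `who host = [tag:] commands` rules, not Runas lists or includes.

```python
import re

# Constructed sample: aliases and %adm rules proposed in the thread, written
# with valid sudoers spacing. The PACKAGES grant is added here to show the flag;
# DRAKXTOOLS is left undefined, as the thread never lists its paths.
SAMPLE_SUDOERS = r"""
Cmnd_Alias URPMI_CMND = /usr/sbin/urpmi, /usr/sbin/urpmi.update
Cmnd_Alias SERVICE_CMND = /sbin/service, /usr/sbin/postfix
Cmnd_Alias PRINTING = /usr/bin/enable, /usr/bin/disable
Cmnd_Alias PACKAGES = /usr/bin/rpm
Cmnd_Alias ADSL = /usr/sbin/adsl-connect, /usr/sbin/adsl-setup, \
    /usr/sbin/adsl-start, /usr/sbin/adsl-status, /usr/sbin/adsl-stop
%adm ALL = NOPASSWD: URPMI_CMND
%adm ALL = NOPASSWD: SERVICE_CMND, PRINTING, ADSL
%adm ALL = NOPASSWD: PACKAGES
%adm ALL = NOPASSWD: DRAKXTOOLS
"""

# Assumption taken from the thread's objection: rpm should not be NOPASSWD.
REVIEW_IF_NOPASSWD = {"/usr/bin/rpm"}

ALIAS_RE = re.compile(r"^Cmnd_Alias\s+([A-Z][A-Z0-9_]*)\s*=\s*(.+)$")
RULE_RE = re.compile(r"^(%?[\w.-]+)\s+(\S+?)\s*=\s*(.+)$")
TAG_RE = re.compile(r"^(NOPASSWD|PASSWD):\s*")


def logical_lines(text):
    """Join backslash-continued lines; drop comments and blank lines."""
    for line in re.sub(r"\\\n\s*", "", text).splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line


def audit(text, review=REVIEW_IF_NOPASSWD):
    """Return NOPASSWD commands per user/group, review hits, unknown aliases."""
    lines = list(logical_lines(text))
    aliases = {}
    for line in lines:
        m = ALIAS_RE.match(line)
        if m:
            cmds = [c.strip() for c in m.group(2).split(",")]
            aliases[m.group(1)] = [c for c in cmds if c]
    nopasswd, hits, unresolved = {}, [], []
    for line in lines:
        m = None if ALIAS_RE.match(line) else RULE_RE.match(line)
        if not m:
            continue
        who, _host, spec = m.groups()
        passwordless = False  # sudo asks for a password unless tagged otherwise
        for item in (i.strip() for i in spec.split(",")):
            tag = TAG_RE.match(item)
            while tag:  # a tag stays in force for the rest of the list
                passwordless = tag.group(1) == "NOPASSWD"
                item = item[tag.end():]
                tag = TAG_RE.match(item)
            if item in aliases:
                commands = aliases[item]
            elif item.startswith("/") or item == "ALL":
                commands = [item]
            else:  # name used in a rule but never defined
                unresolved.append((who, item))
                continue
            if passwordless:
                nopasswd.setdefault(who, []).extend(commands)
                hits += [(who, c) for c in commands if c.split()[0] in review]
    return {"nopasswd": nopasswd, "review": hits, "unresolved": unresolved}


if __name__ == "__main__":
    for key, value in audit(SAMPLE_SUDOERS).items():
        print(key, value)
```

On a real system `visudo -c` checks the syntax of the file; this sketch only reports what the rules grant.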

Re: [Cooker] [THOUGHTS] Admin user + server wizard

2003-10-03 Thread Buchan Milne

BLINDAUER Emmanuel wrote:
 On Friday 03 October 2003 17:56, Buchan Milne wrote:

 * For the manager server: this window is named drakconf.

Where is the DNS administration? Where is the DHCP administration (not a
wizard, a real tool that can manage leases and options)? Where is the
LDAP server configuration? Where can I set samba as a domain controller?
Where do I configure the mail server? Add mailboxes (for Cyrus)? Where
is the database administration tool? Where do I add Group Policies?

Drakconf is ok for administering a server for a really small network.
But it is totally insufficient for anything 25 client machines IMHO.

Actually, it's closer to Computer Management for Win2k Pro, but we're
talking about the equivalent of Administrative tools for Windows
200{0,3} Server.

We are a long way behind ...

Regards,
Buchan

- --
|--Another happy Mandrake Club member--|
Buchan MilneMechanical Engineer, Network Manager
Cellphone * Work+27 82 472 2231 * +27 21 8828820x202
Stellenbosch Automotive Engineering http://www.cae.co.za
GPG Key   http://ranger.dnsalias.com/bgmilne.asc
1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7



Re: [Cooker] [THOUGHTS] Admin user + server wizard

2003-10-03 Thread FACORAT Fabrice
On Fri 03/10/2003 at 17:00, Buchan Milne wrote:
 
 FACORAT Fabrice wrote:
 
  Several Admin ? so need when you have mail/security warning the mail
  need to be send to all people belonging to this group.
 
 Or are you saying a company with 15000 employees and 200+ servers needs
 only one admin?

I was not seeing so big ;)

 And imagine if we could store sudo config in LDAP?
 
  This is for Server config. For desktop config it's too much.
 
 Why? Surely you want some users to have some rights on a machine, and
 other to have none? Maybe you want some users to be able to run
 something like mtink (to check ink levels on a printer), but you aren't
 willing to trust everyone else not to find an exploit in it?

I was talking about LDAP. sudo config for desktop - ok
sudo config with config in LDAP for desktop - no
sudo config with config in LDAP for server/workstation - yes

 It might be an idea to make it configurable.
 
 But, restricting it to per user makes  the difference between scaling up
 to a large company, and scaling up to a real enterprise ... and large
 companies always like to plan for becoming an enterprise, so like to buy
 scalable products ...

But at the beginning they are little, so we should begin little and then
grow in complexity/features

--- 
Why does Siberia have snowstorms and England Margaret
Thatcher ? . . Because Siberia got to choose first ! -- Benny Hill