Bug 385159

Summary: some changes to yast2-security module
Product: [openSUSE] openSUSE 11.0 Reporter: Ludwig Nussel <lnussel>
Component: YaST2Assignee: Jiří Suchomel <jsuchome>
Status: RESOLVED FIXED QA Contact: Jiri Srain <jsrain>
Severity: Enhancement    
Priority: P5 - None    
Version: Beta 1   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Ludwig Nussel 2008-04-30 10:16:11 UTC 
I'd like to suggest to change some defaults in the yast2-security module:
- don't put current working directory in $PATH by default. It's ok to offer this but we shouldn't set it
- enable sysrq for "Home Workstation" or at least use "176" which is the package default
- use cracklib and obscure checks for password checking also for "Home Workstation" as ssh is still on by default
- run updatedb as nobody by default always

There are some settings that should not be modified at all such as password encryption or uid/gid ranges. Those have nothing to do with a more relaxed or more paranoid security policy.
Comment 1 Jiří Suchomel 2008-04-30 10:31:30 UTC 
(In reply to comment #0 from Ludwig Nussel)
> I'd like to suggest to change some defaults in the yast2-security module:

> - don't put current working directory in $PATH by default. It's ok to offer
> this but we shouldn't set it

You mean, set CWD_IN_ROOT_PATH, CWD_IN_USER_PATH to "no" also for "Home Workstation", right?

> - enable sysrq for "Home Workstation" or at least use "176" which is the
> package default

OK.

> - use cracklib and obscure checks for password checking also for "Home
> Workstation" as ssh is still on by default

Currently, obscure checks are off for all predefined settings. But I could do the change, of course.

> - run updatedb as nobody by default always

OK.

> There are some settings that should not be modified at all such as password
> encryption or uid/gid ranges. Those have nothing to do with a more relaxed or
> more paranoid security policy.

But we want to offer some way to modify them, so why should we drop it?
Comment 2 Ludwig Nussel 2008-04-30 10:53:46 UTC 
(In reply to comment #1 from Jiří­ Suchomel)
> You mean, set CWD_IN_ROOT_PATH, CWD_IN_USER_PATH to "no" also for "Home
> Workstation", right?

Yes.

> > There are some settings that should not be modified at all such as password
> > encryption or uid/gid ranges. Those have nothing to do with a more relaxed or
> > more paranoid security policy.
> 
> But we want to offer some way to modify them, so why should we drop it?

Fine to offer them (although the users module would be a better place). Switching the security setting shouldn't change them though. It doesn't make sense to change the password setting on a machine that was installed with md5 method to blowfish just because one wants to switch to "home workstation". Same applies to uid/gid ranges.
Comment 3 Jiří Suchomel 2008-04-30 11:03:30 UTC 
Ranges & enc. method: I think it is fine when the predefined levels have the same values (they do).
Comment 4 Jiří Suchomel 2008-04-30 11:59:38 UTC 
yast2-security-2.16.1