[arch-general] netcfg wlan connection renewal

[Tom Gundersen]

On Thu, Sep 29, 2011 at 12:36 PM, Fons Adriaensen <fons at linuxaudio.org> wrote:
> On Thu, Sep 29, 2011 at 11:51:53AM +0200, Tom Gundersen wrote:
>
>> What you are seeing is udisks [0]. The policy that is implemented, if
>> I understand correctly, is that udisks allows a user who is physically
>> at the machine to mount the usb drive, but not remote users.
>>
>> This makes sense for two reasons:
>>
>> * A user who is physically present could just grab the usb stick and
>> insert it in a laptop where he/she has whatever permissions necessary
>> to do whatever they want, so no security is lost.
>
> This makes no sense.  I don't mind if they use their own sticks
> on their own laptop. I do if they use it one this particular
> machine.

This is surely a very uncommon scenario. It is easily solved by
tweaking the PK policies though (which should be expected if you want
to do something non-standard).

>> * Furthermore, you probably don't want have to ask the admin to set up
>> a new entry in fstab for every usb drive that is plugged into your
>> machine.
>
> Not necessary. Priveleges to do certain things are given
> per user or to groups, it's done when a user's account is
> set up and that's it. Sudo can handle this nicely. The fstab
> entries for my own usb disks are there mainly because they
> have dedicated mount points.
>
> The last thing I want as an admin is a 'parallel administration'
> such as polkit, in particular if it can grant priveleges just
> by adding some files to a directory. That's very convenient for
> package managers etc. but it surely does not enhance security.

Having too coarse grained security policies means that users will be
given access to more operations than they strictly speaking need. So,
yes, PK does increase security by limiting what users can do.

I'll stop my off-topic comments now ;-)

Cheers,

Tom