[OLPC Security] A modest proposal regarding root privileges and P_SF_RUN

Benjamin M. Schwartz bmschwar at fas.harvard.edu
Fri Mar 7 19:20:02 EST 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Addendum: Enabling and Disabling P_SF_RUN

In order to use the root capabilities on modern POSIX computers, one
typically uses the commands "su" or "sudo".  These commands are only
available to members of a group "wheel".  For P_SF_RUN, we may add a pair
of analogous commands "pseudosu" and "pseudosudo" that switch to the user
sfrun.  Continuing the analogy, these commands are only available to
members of a group "almostwheel".  To gain P_SF_RUN permissions, the
system should simply add user olpc to group almostwheel.  To remove the
permission, the system should remove olpc from almostwheel.

A student "has P_SF_RUN enabled" iff they are able to run as user sfrun.
We may argue about whether P_SF_RUN should be enabled by default.  For
example, if I have P_SF_RUN enabled, and I lend my computer to a classmate
or brother for an hour, he may install a "back door" on my computer that
periodically sends him screenshots, or the contents of my datastore, or
allows him remote control of the machine.  An overbearing teacher could do
the same.  However, having P_SF_RUN enabled encourages tinkering and
experimentation.  Regardless of whether P_SF_RUN is enabled by default, it
may be enabled and disabled by the above mechanism.

If P_SF_RUN is not enabled by default, it might be enabled upon receipt of
a developer key.  In this case, there must be a script in the init
sequence that checks if there is a developer key, checks if P_SF_RUN is
desired (a student with a developer key might still disable P_SF_RUN in
some config file), and modifies the group settings accordingly.

- --Ben
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFH0duyUJT6e6HFtqQRAvS4AJ0caox1yynQUCwMnbIZOSWncaGaxwCgkW0x
vj1x6s86LmozJSgIo+QyS2M=
=3i5r
-----END PGP SIGNATURE-----
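The init-sequence check described in the post (developer key present, student has not opted out, group membership adjusted to match) as an added worked example; this is not code from the message or from OLPC. The user and group names (olpc, sfrun, almostwheel) are the ones Ben proposes; the developer-key path, the opt-out file path and the use of gpasswd from shadow-utils are assumptions made here for illustration. The "pseudosudo" half of the analogy is covered by the sudoers line in the header comment, which lets almostwheel members run commands only as sfrun, not as root.

```shell
#!/bin/sh
# Added example (not from the original post): reconcile P_SF_RUN at boot.
#
# Assumed layout (hypothetical paths, chosen for this example):
#   /security/develop.sig          - the developer key, if one is present
#   /home/olpc/.p_sf_run_disabled  - exists if the student opted out
# Assumed "pseudosudo" policy, to be placed in /etc/sudoers:
#   %almostwheel ALL=(sfrun) NOPASSWD: ALL
# i.e. almostwheel members may run "sudo -u sfrun ..." but nothing as root.

DEVKEY_PATH="${DEVKEY_PATH:-/security/develop.sig}"
OPTOUT_PATH="${OPTOUT_PATH:-/home/olpc/.p_sf_run_disabled}"
GROUP_FILE="${GROUP_FILE:-/etc/group}"
ALMOSTWHEEL="almostwheel"
STUDENT="olpc"

# Desired state: enabled only if a developer key is present AND the
# student has not opted out.  Prints "enable" or "disable".
sfrun_desired() {
    if [ -f "$DEVKEY_PATH" ] && [ ! -f "$OPTOUT_PATH" ]; then
        echo enable
    else
        echo disable
    fi
}

# Current state: is $STUDENT listed as a member of $ALMOSTWHEEL in
# $GROUP_FILE (format name:passwd:gid:member1,member2,...)?
# Exit status 0 = member, 1 = not a member.
in_almostwheel() {
    awk -F: -v g="$ALMOSTWHEEL" -v u="$STUDENT" '
        $1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) found = 1
        }
        END { exit found ? 0 : 1 }' "$GROUP_FILE"
}

# Compute the command that brings the group into line with the desired
# state.  Prints "noop" or a gpasswd invocation; it deliberately does
# not execute anything, so it can be exercised without root.
reconcile_command() {
    want=$(sfrun_desired)
    if in_almostwheel; then have=enable; else have=disable; fi
    if [ "$want" = "$have" ]; then
        echo noop
    elif [ "$want" = enable ]; then
        echo "gpasswd -a $STUDENT $ALMOSTWHEEL"
    else
        echo "gpasswd -d $STUDENT $ALMOSTWHEEL"
    fi
}

# Entry point for the real init sequence (run as root): apply the change.
apply_reconcile() {
    cmd=$(reconcile_command)
    [ "$cmd" = noop ] || $cmd
}

# Only touch the system when explicitly asked, e.g. from an init script:
#   sh p_sf_run_reconcile.sh apply
[ "${1:-}" = apply ] && apply_reconcile
```

Note that the script removes the student from almostwheel whenever the key is absent, so revoking a developer key at boot also revokes P_SF_RUN; an already-running pseudosu session is not affected until the student logs out, which is the same caveat that applies to wheel and su.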

