Red Hat Bugzilla – Attachment 889281 Details for
Bug 1090965
Typos and small errors in README file
[patch]
Diff with the proposed changes
README.diff (text/plain), 4.07 KB, created by
Stanislav Zidek
on 2014-04-24 13:29:32 UTC
>--- README 2014-03-31 10:52:02.000000000 +0200 >+++ README.new 2014-04-24 11:03:43.127852187 +0200 >@@ -5,9 +5,9 @@ > Kiosk User account: > > This tool allows you to run a secure machine that users can walk up to at the >-library, bank, airport, coffee shop and just login and use the internet. >+library, bank, airport, coffee shop and just login and use the internet. > >-We need to be able to use this account without a password, and assign it to the least privleded X account xguest_u >+We need to be able to use this account without a password, and assign it to the least privleded X account xguest_u. > > # useradd -Z xguest_u xguest 
> >@@ -15,17 +15,17 @@ > > We could remove the password from the account and allow everyone to login > without a password, but we really want the account to only be accessable from >-the console when SELinux is in enforcing mode.From a security standpoint. we >-can only protect the account if SELinux is enabled and in enforcing mode. >-We needed a new pam module for this, Tomas Mraz created pam_selinux_permit. >+the console when SELinux is in enforcing mode. From a security standpoint, we >+can only protect the account if SELinux is enabled and in enforcing mode. >+We needed a new PAM module for this, Tomas Mraz created pam_selinux_permit. > >-xdm is setup to use pam_selinux_permit. This package adds xguest to the >+XDM is setup to use pam_selinux_permit. This package adds xguest to the > /etc/security/sepermit.conf file. > echo xguest >> /etc/security/sepermit.conf > >-We still have one other problem. Since one user after another can use this >+We still have one other problem. Since one user after another can use this > account, we want to prevent one user from looking at the account of a previous >-user or from leaving trojans that could attack the next user. So we configure >+user or from leaving trojans that could attack the next user. So we configure > pam_namespace to mount the home directory, /tmp and /var/tmp as tmpfs file > systems that will get destroyed on logout. 
> >@@ -35,21 +35,21 @@ > $HOME tmpfs tmpfs ~xguest' \ > >> /etc/security/namespace.conf > >-This says to generate three temporary filesystems mounted on /tmp, /var/tmp >+This says to generate three temporary filesystems mounted on /tmp, /var/tmp > and $HOME directory for only xguest any time he logs in, and destroys them when > the user logs out. > > If SELinux is in enforcing mode, you can log into this account just by clicking >-on the "X guest user" in the login screen. If you try to reach this accound >-by any means other then xdm you will not be able to login. sshd, rshd, >+on the "X guest user" in the login screen. If you try to reach this account >+by any means other then XDM, you will not be able to login. sshd, rshd, > telnetd will all fail. > >-If you put the machine into permissive mode or disable selinux, you will no >-longer be able to login as this user. This will not effect a currently logged >-in user however. So be very carefull when disableing SELinux. The logged in XGuest would still be controled by DAC, though. >+If you put the machine into permissive mode or disable selinux, you will no >+longer be able to login as this user. This will not effect a currently logged >+in user however. So be very carefull when disabling SELinux. The logged in XGuest would still be controled by DAC, though. > >-You can also use Fast User Switching to switch to this user. Just add the User >-Switcher applet to your tool bar and select xguest. You should switch to this >+You can also use Fast User Switching to switch to this user. Just add the User >+Switcher applet to your tool bar and select xguest. You should switch to this > account and be automagically logged in. > > There are four SELinux booleans that you can set for this account. 
>@@ -69,5 +69,5 @@ > > * allow_xguest_exec_content > >-This boolean determines whether the xguest account can execute files in its home directory or /tmp. This can prevent some forms of attack on users. >+This boolean determines whether the xguest account can execute files in its home directory or /tmp. This can prevent some forms of attack on users. >
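Review bot: In the first hunk (@@ -5,9 +5,9 @@) the added line ending "X account xguest_u." gains its period but keeps the misspelling "privleded"; since this patch is a typo pass, change it to "privileged" on the same line. The other removed/added pair in this hunk ("library, bank, airport, coffee shop ...") reads identically as shown, so it is presumably a whitespace-only change and worth saying so in the attachment description.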
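Review bot: In the second hunk (@@ -15,17 +15,17 @@) the unchanged context line "without a password, but we really want the account to only be accessable from" still has "accessable", directly above a line the patch does touch; fix it to "accessible" here as well. On the added lines, "XDM is setup to use" should read "is set up to use", and "We needed a new PAM module for this, Tomas Mraz created pam_selinux_permit." is a comma splice that reads better as two sentences.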
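Review bot: In the third hunk (@@ -35,21 +35,21 @@) the added lines fix "accound" and "disableing" but leave several errors in the same sentences: "other then XDM" should be "other than XDM", "will not effect" should be "will not affect", "carefull" should be "careful", and "controled" should be "controlled". "disable selinux" on the added line is also inconsistent with "SELinux" used two lines later. This is the paragraph that tells an administrator what happens to the guest login when enforcing mode is turned off, so it is worth getting clean in this pass.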
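Review bot: In the last hunk (@@ -69,5 +69,5 @@) the allow_xguest_exec_content description stays a single long line while the rest of the README is wrapped; wrap it while touching it. The wording is also ambiguous about direction: "This can prevent some forms of attack on users" does not say which setting of the boolean does the preventing, so consider stating that it is turning the boolean off, so that xguest cannot execute files in its home directory or /tmp, that gives the protection.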