[Discuss] can one safely login multiple times to the same user on a modern Linux desktop?

[invalid at pizzashack.org (Derek Martin)]

On Thu, Sep 06, 2012 at 02:40:47PM -0400, Rich Pieri wrote:
> On Thu, 6 Sep 2012 12:49:17 -0500
> Derek Martin <invalid at pizzashack.org> wrote:
> 
> > Clear and present?  Not in any computing environment I've ever managed
> > or worked in.  Most companies don't need this kind of security, and as
> > I said, the cost of this loss of productivity is in the millions per
> > annum for any given company of medium size, and substantial enough for
> > any company.
> 
> You asked for an example. I gave you one. That the example does not
> match your experience or expectation does not invalidate the example.

No, I asked for a *likely* example, where the cost was justified by
the threat.  You didn't provide one, and I offered simple counters for
the example you did provide, which DOES invalidate the example,
reducing it to an education issue or an administrative issue.  Your
example also assumed a complete lack of security awareness (weak
filesystem permissions)... a fact not in evidence, neither in my case
nor in the case of anyone posting in this thread, and one unlikely to
be true given this list's educated user base, but required for
validity of your example.  And even if you did have such users in your
environment, as a security-oriented system administrator, detecting
and correcting them is utterly simple using tools found on every
Unix-like system, and YOUR responsibility.  

I thus conclude that your premise -- "Walking away from a workstation
and 'forgetting' to log out is a bad practice" -- is completely false.
Again, this is not to say that logging out daily has no value
whatsoever in a security frame of reference; it is rather to say that
a requirement of mindlessly doing so is probably not worth the cost of
lost productivity in the typical case.  You have to know your
environment (and threat model) and adjust your policy appropriately.

The point is this:  Security admins often overlook that too much
security is as bad if not worse than too little, and security training
does not focus enough on this idea, in my experience and opinion -- or
at least it didn't when I had mine, which admittedly was quite some
time ago.  For your policy to be effective, your users need to trust
you, and they won't if they see you as a mindless zealot who only
knows how to get in their way.  If you make policy that makes educated
users think thusly, they're going to ignore you on general principle,
and complain about your policies to coworkers who are already looking
for a reason to ignore your cumbersome security measures, which only
reduces the overall security of your environment.  And worst of all,
in most environments, you're not going to have the teeth to back up
your policy, as management generally isn't about to fire productive
employees for forgetting to log out of their workstations, which only
tends to make you look even worse (to offending employees) for
complaining about it...  So you may as well design your policy to make
those discussions you'll inevitably have with your users actually
matter as much as possible.

On the other hand, if you do actually work at, say, a defense
contractor, managing the systems used to design the next super-secret
insta-kill-all-the-bad-guys weapon, then go ahead and steamroll your
users with your policy, and bring a big LART when they fail to comply.

-- 
Derek D. Martin    http://www.pizzashack.org/   GPG Key ID: 0xDFBEAD02
-=-=-=-=-
This message is posted from an invalid address.  Replying to it will result in
undeliverable mail due to spam prevention.  Sorry for the inconvenience.