[sane-devel] Remove user authorization support from net backend / saned frontend?

[Johannes Meixner]

Hello,

On 2022-04-08 09:06, David Ward wrote (excerpt):
> On 4/7/2022 5:00 AM, Johannes Meixner wrote:
>> 
>> In a trusted internal network there is no need to setup
>> strong security stuff for that. Just some simple thing
>> is sufficient that denies unwanted user access.
...
>  * The first issue is the term "trusted internal network".
>    Attacks do not have to come from the internet.
>    If I cannot put a scanner on the network without
>    needing a password to access it, then how much
>    do I really trust the users of the network?

The meaning of trusted internal network is that
one trusts all users in that network.

If there is an attacker within a trusted internal network
all is lost within that network.

Denying unwanted access of trusted users
is not meant as protection against attackers
because attackers are no trusted users.

To deny unwanted access of trusted users
a notification "this is not for you" would be
sufficient because trusted users obey the rules.

Think about simple door plates at unlocked doors
in a trusted environment that tell who is allowed
to enter and/or who should not enter.
The most common example are door plates at toilets.
In case of emergency one can even use a wrong toilet.

For saned access within a trusted environment
the existing weak user password functionality
can be OK to deny unwanted access of trusted users
in particular to deny accidental access by users.

If stronger security is needed (think about locked doors
within a trusted environment) the existing weak user
password functionality is insufficient to reliably
lock out unwanted saned access.


Kind Regards
Johannes Meixner
-- 
SUSE Software Solutions Germany GmbH
Maxfeldstr. 5 - 90409 Nuernberg - Germany
(HRB 36809, AG Nuernberg) GF: Ivo Totev