
Re: RC Security Flaw - mkdir & script create as 755, 644. SB &700, yes?



>>"tluxt" ==   <tluxt2@yahoo.com> writes:


 tluxt> I think your comment is probably very true for a professional sysadmin.

 tluxt> But, my concern is for the future of Debian.  If Debian
 tluxt> continues to have increasing relevance to the potential pool
 tluxt> of FreeSW users, it will expand from its present base of users
 tluxt> (who are, in general, rather knowledgeable about sysadmin type
 tluxt> tasks) to users who are less knowledgeable.

	If this expansion cannot be made without dumbing down Debian,
 and making certain kinds of collaboration harder, I would much rather
 not go for this ``increasing relevance''.

	You are starting on the slippery slope of changing a winning
 formula in order to achieve greater market dominance, and not
 realizing you may well be destroying the brand name in the process. 

	Debian is known to be a rock solid OS, which is sane, easy to
 maintain, and does not dumb itself down in order to be useful to less
 knowledgeable users. 

	Preventing people from doing things that are dangerous often
 also prevents them from doing things that are interesting.

	This semi-rant is directed to the general tenor of your remarks.

 tluxt> This expansion to less knowledgeable users is a _good thing_.
 tluxt> It helps enable FreeSW to fulfill its potential as a benefit
 tluxt> to society.

	Perhaps.

 tluxt> So, let's consider a possible typical case: Someone with
 tluxt> enough knowledge to set up a Microsoft Windows computer to be
 tluxt> used at his home by his family.  Now, such person is, on
 tluxt> average, not a professional sysadmin.  His education and
 tluxt> skills may have nothing to do with computers.  But,
 tluxt> ultimately, for FreeSW & Debian to fulfill their potentials,
 tluxt> such a person ought to be able to set up a Debian system for
 tluxt> his family to use.

	No. There are distributions that are trying to specialize as a
 niche for that kind of a user -- and they are far better left to the
 task than Debian is.

	You have to ask yourself what it is that motivates the general
 developer. While by no means speaking for all developers, I say that
 I personally spend the time that I do on Debian because I want to --
 and I spend it doing things that are useful and interesting to
 _me_. Letting a novice use Debian is interesting, perhaps, but not
 really enough of a motivator -- that's not going to keep me up at 4am
 hacking at Debian. 

 tluxt> Now, he probably won't know about umask.  My point is:

	Should he not learn?

	

 tluxt> So, I think it wise that the packagers of the Debian system
 tluxt> should keep in mind such a person, and have as a goal that the
 tluxt> Debian system could, ultimately, be productively & easily used
 tluxt> by such a person.

	Why? How does that scratch my itch?

 tluxt> Now, I don't think that, with the upcoming release, Debian
 tluxt> will be a perfect fit with the user I have described.  (That
 tluxt> may take another one or more releases to achieve).  But, I
 tluxt> think that should be kept as a goal, and steps, such as I've
 tluxt> suggested, should be taken _now_ in order to begin to
 tluxt> transition to that mode of a system.

	I disagree that should be a goal. The best free Linux
 distribution, yes. The dumbest free Linux distribution, no.

	We have a well known target audience. If we can expand the
 user base without inconveniencing the target audience, fine. But
 making group based collaboration harder (by sharing files belonging
 to a common group that I and my fellow workers belong to) is not
 that.

 tluxt> As for this upcoming release, Woody, I think it might be good
 tluxt> to try to have the security related default settings be
 tluxt> appropriate for someone who is an average computer technician
 tluxt> or hobbyist computer user.  He is not a professional sysadmin,
 tluxt> and does not have complete sysadmin knowledge, but has more
 tluxt> computer knowledge than the average head of household.

	I reject that hypothesis. Personally, I would much rather that
 Debian continue to cater to people like me -- there are other
 distributions that shall be a better fit for the average consumer.

	Choice is one of the greatest things that free software
 offers. Making Linux distributions clones of one another chasing the
 largest market share does the community a disservice in the end.


	manoj
-- 
 Westheimer's Discovery: A couple of months in the laboratory can
 frequently save a couple of hours in the library.
Manoj Srivastava   <srivasta@debian.org>  <http://www.debian.org/%7Esrivasta/>
1024R/C7261095 print CB D9 F4 12 68 07 E4 05  CC 2D 27 12 1D F5 E8 6E
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C


