[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: RC Security Flaw - mkdir & script create as 755, 644. SB &700, yes?



>>"Vince" == Vince  <eloki@dingoblue.net.au> writes:

 Vince> On Mon, Feb 25, 2002 at 10:45:49PM -0600, Manoj Srivastava wrote:
 >> Debian is known to be a rock solid OS, which is sane, easy to
 >> maintain, and does not dumb itself down in order to be useful to less
 >> knowledgeable users. 

 Vince> None of these goals (save perhaps the last) need be compromised by the
 Vince> suggested change.

	The last point is by no means the least. 

 >> Preventing people from doing things that are dangerous often
 >> also prevents them from doing things that are interesting.

 Vince> Just set your umask appropriately then.  And if it's not your Debian
 Vince> box, I guess the admin can set whatever umask he likes.

	So that is your solution. We have selected a default umask,
 based on reasonable security, and allowing for collaborative
 effort. If you do not agree with this, change your umask. 

	The default should not be set for idiots. 

 Vince> I should say here that I think the umask is fine the way it is right
 Vince> now.

	Cool, we agree then.

 >> No. There are distributions that are trying to specialize as a
 >> niche for that kind of a user -- and they are far better left to the
 >> task than Debian is.

 Vince> You seem to believe that Debian cannot become better suited for those
 Vince> kinds of users without dropping down an irreversible path to
 Vince> specialisation.  I disagree.

	I said no such thing. Indeed, all I said was that if you have
 to make changes to Debian that are annoying to seasoned veterans in
 order to appease people who don't want to make any effort to learn
 their tools, then I am opposed to such dumbing down.

	If you prevent users from doing stupid things, you also
 prevent them from doing interesting innovative things.

 >> You have to ask yourself what it is that motivates the general
 >> developer. While by no means speaking for all developers, I say that
 >> I personally spend the time that I do on Debian because I want to --
 >> and I spend it doing things that are useful and interesting to
 >> _me_. Letting a novice use Debian is interesting, perhaps, but not
 >> really enough of a motivator -- that's not going to keep me up at 4am
 >> hacking at Debian. 

 Vince> So don't, then :) Answernig bug emails probably isn't
 Vince> something you get too excited about either, but I don't see
 Vince> you disagreeing with the idea that Debian should have a bug
 Vince> tracking system.

	Best Free OS. Social contract. I agree with the social
 contract. I do not agree with targetting the largest market, or
 making things less convenient for people in order to hand hold
 newbies


 tluxt> Now, he probably won't know about umask.  My point is:
 >> 
 >> Should he not learn?

 Vince> Yes.  But that doesn't mean we can't have a discussion about
 Vince> which is the more appropriate default umask.

	Ok. But w4e already have had this dicussion -- several times
 now. Also discussions about group-per-user, and access control lists,
 and capability lists, etc. 

 tluxt> So, I think it wise that the packagers of the Debian system
 tluxt> should keep in mind such a person, and have as a goal that the
 tluxt> Debian system could, ultimately, be productively & easily used
 tluxt> by such a person.
 >> 
 >> Why? How does that scratch my itch?

 Vince> I don't think the purpose in people filing bugs or making
 Vince> suggestions is to scratch your itch, though.  If it does,
 Vince> great.

	Does to. Makes my packages better, and it makes software I use
 daily more robust, and makes me more productive. If you do not think
 so, perhaps you need to reexamine your interest in software.


 >> I reject that hypothesis. Personally, I would much rather that
 >> Debian continue to cater to people like me -- there are toehr
 >> distibutions that shall be a better fit for the average consumer.

 Vince> I think it's something that could be worked on where simple,
 Vince> convenient and unobstructive.

	Fine. As long as it is unobstusive. Making files created by
 root unreadable by my non-root-persona is not unobstisive.

 >> Choice is on of the greatest things that free software
 >> offers. Making Linux distributions clones of one other chasing the
 >> largest market share does the community a disservice in the end.

 Vince> This seems like an overly competitive view of the Linux distro
 Vince> field.

	Far from it. My view is that we are complementary -- we are
 differentiated, adapted into our own niche, with our own ecology.
 Removing the differences removes the adaptive advantages we may
 have. 

 Vince> We may make usability changes not to better "compete" with
 Vince> other distributions, but simply because we see improvements we
 Vince> want to merge/emulate in Debian.  In other words, we take what
 Vince> we think is good.  Not because our goal is to "chase" them,
 Vince> but because we think it's a worthy change.

	Usability improvemewnts are one thing. making rm not
 recursively remove dirs because some idiot may rm -rf / as root is
 not an improvment (though an extreme example).

	manoj

-- 
 Too cool to calypso, Too tough to tango, Too weird to watusi The Only
 Ones
Manoj Srivastava   <srivasta@debian.org>  <http://www.debian.org/%7Esrivasta/>
1024R/C7261095 print CB D9 F4 12 68 07 E4 05  CC 2D 27 12 1D F5 E8 6E
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C



Reply to: