
Re: Root privilege (SOLVED)



On Wed, 10 Jan 2007 17:52:18 -0500
cga2000 <cga2000@optonline.net> wrote:

> Mind you, and this is not directly related to the above, I sometimes
> have this bizarre feeling that much of this awkwardness we have to
> deal with -- in X certainly .. but from the linux console as well,
> albeit to a lesser extent -- eventually boils down to the *NIX model
> not having been designed from the ground up with security in mind.

Huh?

> I just cannot see why you should need something extreme such as root
> access to install/maintain software.

And let users install any malware they get across on the internet just
because it popped up a window with "install me"?

> Maybe that with some contortions
> this could be achieved within the *NIX security model by defining a
> privileged group and making sure software packaging takes this into
> account .. maybe not.  Not for me to decide.
> 
> :-)

Of course this can be done. It's not even so difficult to set up using
sudo.

> > > How's stuff like that supposed to work in a "strict" proof of
> > > concept GUI environment with no *term available -- ie.  all you
> > > are allowed is an icon on your desktop and possibly an entry in
> > > your gnome/kde menus?
> > 
> > Root gets the "failsafe" option for X by default?  xterm is
> > mandatory in an X install, IIRC.
> 
> Please refer to what Roberto has to say about pointy-head activity in
> the enterprise.  In the enterprise world there is no guarantee that
> some dude will not decide at some point that it's in his best interest
> that *term's are the devil's work and have them auto-da-fé'd at the
> earliest opportunity.
> 
> But I was talking "proof of concept" .. in the world of the average
> to-the-gui-born user .. and thinking in terms of CD/DVD's  that you
> just pop in .. say "yes" to the eula .. click the "next" button a few
> times .. done..

Because of that crowd we have all the problems with the bot-nets.

> Not likely _that_ crowd would like the idea of starting an xterm..
> typing in a command to launch the installer .. etc.  etc.

That's why we have synaptic/kpackage/other GUI packet managers, and I'm
not speaking strictly about Debian here.

> As such I find the X gui model incomplete and although having gui
> installers assume you already have root authority prior to launching
> them may be a lesser evil than the proliferation of password-prompting
> code in the wrong places .. I'm rather convinced by Roberto's
> argumentation .. I find that it's just one more good reason why I'd
> rather stick to the non-gui interface.

Me too, but between two evils I will choose the lesser one. If we
require all GUI packet managers to be *started* by root rather than
requesting the root password (via su, gksu, ...) whenever they
*really* need root access, then all users will start to log in as
root/admin as they do on Windows. Heck, I do that on Windows as well
because I don't want to log out/log in every time I need to mess with a
prog/driver/whatever.

That's one of the things I like about Linux. It encourages good security
practices by not making it too difficult to do privileged tasks from
within a user account.

Regards,
Andrei
-- 
If you can't explain it simply, you don't understand it well enough.
(Albert Einstein)


