Re: CoC policy for package contents
Simon McVittie wrote:
> On Fri, 01 Aug 2025 at 11:23:41 +0200, Wouter Verhelst wrote:
> > Parental controls don't need a separate section. They need you to not
> > give root access to the child.
>
> No amount of parental-controls integration is going to prevent someone with
> root access from bypassing it, because the whole point of root access is that
> it's total control over the system, including the ability to add and remove
> parental-controls software.
Indeed. And you need root access to be able to apt install something, so---
But there's also another reason why a control on *installing* packages
is the wrong solution:
A system may have multiple users, some under age, some not.
For example, parent and child may share the same computer. Parent
wants to use some package, but doesn't want child to use it.
What we need is a mechanism to deny a user access to a package that
*is* installed.
In fact, that mechanism already exists: file access permissions.
A simple scheme could be:
- "not for children" packages install themselves under the
/usr/notforchildren path;
- the /usr/notforchildren directory belongs to the notforchildren group;
- permissions on that directory are set to 750.
Then a user who isn't a member of the notforchildren group can't
access those packages.
Using e.g. SELinux it may be possible to set up more fine-grained
and/or customizable rules.
No need to reinvent the wheel.
Gerardo
Reply to: