On Wed, Jan 21, 2009 at 4:19 AM, Rahul Sundaram <sundaram@xxxxxxxxxxxxxxxxx> wrote:
> What are the specific use cases, where non technical users are being
> compelled to login as root (and other alternatives won't work)?

The chief compelling one he mentions seems to be when NFS goes down and Linux can't find the /home partition. Or, to put it bluntly, when the Linux distribution isn't smart enough to protect "non-technical users" (an admittedly subjective term) from technical problems. Which is often.

But your critique, Mr. Sundaram, doesn't seem to imply that people shouldn't login as root -- merely that you disagree with allowing them to open a root session in X. To be rhetorical, we must ask, why? After all, there's no such thing as "partial root power" -- you either have full root privileges in a terminal in a normal user X session, or full root privileges in a root X session.

Here's the why: you feel that a root X session is too insecure -- which it may indeed be. So we believe that the "ideal" method is to not allow X root logins. But keep in mind, this is not actually an ideal. It's a kludge to go around the fact that X is designed rather horribly from a security standpoint. The "user session only" method allows you to work around that.

But in the above case, user-session-X goes down. You say login at runlevel 3. But let's face it, many users comfortable with Linux still aren't at the "I roll my own shell-scripts" stage -- they still work in GUI mentalities, and odds are, even if they can roll their own shell-scripts, they won't understand how to fix administrative errors as well as if they use the actual GUI administrative tools. For most users, the GUI is critical for maintaining their system. So it is critical that the GUI be not allowed to fail.

Hence, leave the root-session-X backdoor open, (perhaps with a catch -- for example, network functionality is disabled in root-session-X -- so that the only possible errors can come from user error, rather than security vulnerabilities. how about that?) or come up with another solution. "No GUI" for the sake of safety is a no-go solution for many people.

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list