So, it's not Friday yet...

On Tue, 2004-10-19 at 14:09 +0100, Jonathan Andrews wrote:
> On Tue, 2004-10-19 at 02:12, Jeff Spaleta wrote:
> > On Tue, 19 Oct 2004 01:44:26 +0100, Jonathan Andrews
> > <jon@xxxxxxxxxxxxxxx> wrote:
> > > Bite me !
> >
> > Tell me where I get in line.
> >
> > > Users should have the power to choose, even if you personally think it's
> > > a poor choice.
> >
> > Choose what? Choose to use less secure defaults? Choose to recompile
> > software using less secure settings? Choose to write their own
> > software?
> >
> > Here let me reparse what seth said with my "by default" clause
> > post-processor and see if you can stomach my version:
> >
> > Disable root graphical logins..... by default
> > Period.
> > make it so gdm or kdm or xdm just exit... by default
> > hell, you could make the xinitrc script handle it...by default:
> > if your uid is 0 then you throw up a hate-filled message and
> > exit....by default
> > EOD.... by default
> >
> > I'll grant you that there are some bizarro pieces of software out
> > there, but if they require you to be logged into X as root, that
> > software has to be considered at the very least buggy if not
> > malicious. But I see nothing wrong with making the default settings
> > for gdm revoke all root user attempts at logging in..by default. And I
> > see no problem taking a more aggressive stance by hardcoding a well
> > commented root login check into xinitrc that anyone who wants to break
> > the no root login must find and comment out. As a local admin, you
> > would still have the choice to reconfigure gdm or the xinitrc script
> > to lift those defaults.
> >
> > > If you have such a security fetish then go play with firewall rules in
> > > the corner and leave us users to decide how to operate our machines !
> >
> > No, security is a community wide problem. As we learn every day,
> > insecurely admined boxes on the public internet can cause problems for
> > everyone and not just the person with the hacked box who doesn't take
> > the time or have the patience to do things securely. Security, sir, is
> > everyone's problem. And I'd much rather see buggy graphical software
> > fixed so that it doesn't require root login, than to have someone
> > inexperienced (who doesn't have the skill to even reconfigure a shell
> > script like xinitrc to enable root login) think that logging in as
> > root is an acceptable workaround for common problems.
>
> I think you simply miss my point.
>
> Ok, so yet another Unix security person with the attitude that "mummy
> knows best".
>
> Those who are learning will WANT to login as root to configure, it's the
> way they think it should work - they are going to look lost and confused
> if you start shipping things with defaults that stop them.

I think we all agree that regarding security the human factor is the
weakest point in the equation. You need to get these points across:

- that regular updating is a good thing, to achieve that you make
  updating easy for the user (yum, up2date, apt, ...)
- that regularly working as an ordinary user instead of always as root
  is a good measure to make it harder for viruses, dialers, etc.;

> As for pop ups with "Don't do this, it's naughty" - BAHHH !!! DONT !!! On
> the one hand we have security people trying to take out things people
> need, on the other we have the GUI people trying to put in more
> pointless crap.

"Informing users about risks they're exposing themselves to is a bad
thing" -- do you really want anyone to believe that? I guess something
like:

"""
Logging in as root is not encouraged because:
- ... viruses ...
- ... dialers ...
- ... yadda yadda yadda

You can just run the configuration tools from your normal user login, or
switch temporarily to root by ... (explain su, sudo, ...)
"""

won't be taken as patronizing.

> Those who want better security will configure things for it, however
> some people don't want to know.

We basically have two choices:

- Making the system "easy" while at the same time making compromises on
  security. This is what Windows does.
- Making the system as secure as we can get it while still allowing the
  user to do the things he wants to do. That is what we try to achieve.

You really want to vote for the first option? I guess you're in the
minority then ;-).

> I for example have a number of systems that use X servers to display
> status information and video. At one point I thought I was going to have
> to re-write the whole thing next time I upgraded because some security
> minded person at Xfree decided that removing the "-ac" option from the X
> server is "more secure"

I haven't needed that option, so why should you?

> Don't force users who want a media player in the living room, or just
> want to have a play with linux to behave like administrators. A lot of
> home users run with almost no security at all - worry about the network
> cable not the physical machine......

As we're still lacking the make_this_machine_a_media_appliance-1.0-1.rpm
package, we can safely (securely? ;-) assume that the person who wants to
do that needs to fiddle a good deal anyway so editing gdm.conf or similar
files isn't too onerous IMO.

Nils
-- 
Nils Philippsen / Red Hat / nphilipp@xxxxxxxxxx
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety." -- B. Franklin, 1759
PGP fingerprint: C4A8 9474 5C4C ADE3 2B8F 656D 47D8 9B65 6951 3011
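An added example (not code from this thread, from Fedora, or from any distribution's xinitrc) of the "well commented root login check" in xinitrc that the quoted reply describes: uid 0 is refused with a message by default, and the local admin can lift that default in one obvious place instead of hunting through the script. The `ALLOW_ROOT_X_SESSION` variable and the `ROOT_X_OVERRIDE_FILE` marker path are assumptions made for this example.

```shell
#!/bin/sh
# Added example: a root-session check of the kind suggested for xinitrc
# or Xsession. It is not from the thread or from any real xinitrc.
#
# Assumed (hypothetical) admin override, not a real gdm/xinitrc feature:
#   ALLOW_ROOT_X_SESSION=1 in the environment, or the marker file named
#   by ROOT_X_OVERRIDE_FILE, allows a graphical session for uid 0.
ROOT_X_OVERRIDE_FILE="${ROOT_X_OVERRIDE_FILE:-/etc/X11/allow-root-session}"

# root_session_allowed UID  -> returns 0 (allowed) or 1 (refused).
# Any non-root uid is allowed; uid 0 only if the admin has opted in.
root_session_allowed() {
    uid="$1"
    [ "$uid" -ne 0 ] && return 0
    [ "${ALLOW_ROOT_X_SESSION:-0}" = "1" ] && return 0
    [ -f "$ROOT_X_OVERRIDE_FILE" ] && return 0
    return 1
}

# The "throw up a message" part, as plain text so it works from a console
# or wrapped in a dialog box alike.
refuse_root_session_message() {
    cat <<'EOF'
Graphical sessions as root are disabled by default.
Log in as your normal user and use su or sudo for administrative tasks.
(Local admin: set ALLOW_ROOT_X_SESSION=1 or create the override file.)
EOF
}

# What the top of xinitrc would call: returns 0 to let the session start,
# or prints the refusal and returns 1 so the script can exit.
check_root_session() {
    if root_session_allowed "$(id -u)"; then
        return 0
    fi
    refuse_root_session_message >&2
    return 1
}
```

The gdm-side counterpart of the same default is the AllowRoot setting in the [security] section of GDM 2.x's gdm.conf, which is the file the reply above suggests an appliance builder would edit anyway.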