People's reaction to this is just stupid.
Posted Nov 19, 2009 12:24 UTC (Thu) by drag (subscriber, #31333)
Parent article: Fedora 12 lets unprivileged users install packages
This thing is starting to piss me off. People's kneejerk reactions are just
so hilariously misplaced, here and on Slashdot, that it's just irritating. Could
people possibly think about this for 12 whole seconds before posting?
Sure, it would be desirable to have an 'admin' password authentication
mechanism that will use a password separate from root or the user account's
password to prevent the 'dinner guests' type of problem. But that is the only
thing wrong.
And that is taken care of properly by having guest accounts. Letting random
people log into your system as you will expose you to much larger problems
than just them installing packages. Plus, people with physical access do not
need root exploits; all they need is a bootable USB drive and you're
completely fucked.
Let's see what horrific mechanisms people currently use for installing and
adding packages:
EXTREMELY INSECURE:
1. Invoking gtksu or gtksudo to run a GUI (like Synaptic) as root, but
inside a user's account
STILL INSECURE:
2. Invoking su or sudo from the command line to log into root or otherwise
having root-privileged applications running under a user's account
MUCH BETTER:
3. The user's application sends a request to a privileged system daemon to perform
the administrative action on their behalf.
BEST:
4. Require the user to hit ctrl-alt-f2 and log in as root.
Currently the way you have to do things in, say, Ubuntu (gtksudo) or Debian
(terminal -> su) is ACTUALLY WORSE from a security perspective than Fedora
12's defaults.
Why is this not a horrible idea? (you may ask)
---- Using gtksudo is about the worst thing you could possibly do. You're
handing massive amounts of control over to your user account to do a
mundane, everyday and _required_ action. Keeping your system up to date is
critical to keeping your system secure. Making it as easy and safe as
possible to do this is a huge WIN.
Ignoring the fact that typical desktop users are required to install/update
packages to keep their system secure may make it seem that this move is a
bad one, but that is not the reality of this situation.
---- Local users don't need a local root exploit, they don't need your user
password, or your user's password, or any password at all. Local users have
physical access to your machine and thus they can trivially override any
practical security mechanism you may have on your computer.
They can easily and quickly do things like boot up your system with a live
CD or USB. They can pull the cover off your PC and plug your hard drive
into a USB adapter. They can do all sorts of damage like that. Sure you can
perform many steps to increase the physical security of your
systems... but these steps are extra things that you have to do that are
not supported in any default configuration of any desktop Linux system that
has come before Fedora 12.
Anyway, if you're having guest users you should have them use guest accounts;
otherwise you have much bigger problems than them installing an http or smtp
server that they can't activate.
---- Installing and updating software is a mundane and everyday event in
the life of a typical desktop. If you're in a corporate network this is
undesirable, but if you're running a corporate network then you're a fucking
moron if you do not have the ability to set network-wide controls for your
users... which, combined with a configuration engine and/or network
directory system, is exactly what policykit is designed to give you.
This is a massive improvement over trying to establish fine-grained controls
over sudo... once you give users some ability to run code as root under
their user account, then breaking out is much easier. Using
policykit/packagekit/etc. you can configure your system to allow users to
request privileged actions, but not have access to the root account.
---- Requiring the local user password for the packagekit mechanism is pure
security theater. You've already proven who you are by being able to log in
in the first place. It may feel safer, but it's not really going to protect
you at all in any real or fundamental manner.
Having a separate 'admin' password from the user password or root password is
probably desirable in some situations.
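As an added example (not from this comment, and not a file Fedora ships), here is the kind of PolicyKit control the comment has in mind: a local-authority rule for the pklocalauthority backend of the polkit 0.9x era that Fedora 12 used, which overrides the PackageKit default so that installing a package always requires an administrator's authentication, whether or not the requesting user is sitting at the console. The action id org.freedesktop.packagekit.package.install is PackageKit's own; the file name is this example's choice, and the keys follow the pklocalauthority(8) format.

```ini
# /etc/polkit-1/localauthority/50-local.d/10-packagekit-lockdown.pkla
# Example local-authority entry (constructed for illustration). Files in
# the 50-local.d directory are the site administrator's overrides; the
# 90-mandatory.d directory has the final say if a stricter site policy
# needs to override even these.
[Require administrator authentication to install packages]
# Apply to every local user; a narrower Identity such as
# unix-group:wheel would scope the rule to one group instead.
Identity=unix-user:*
Action=org.freedesktop.packagekit.package.install
# Not logged in locally (e.g. remote or background process): deny outright.
ResultAny=no
# Local but inactive session (e.g. switched-away VT): deny.
ResultInactive=no
# Active local session: allowed only after an administrator authenticates
# for this one request (auth_admin_keep would remember it for a few minutes).
ResultActive=auth_admin
```

After dropping the file in place, `pkcheck --action-id org.freedesktop.packagekit.package.install --process $$` run from an ordinary user's shell shows whether that session is now prompted rather than silently authorized.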