LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for June 20, 2013

Pencil, Pencil, and Pencil

Dividing the Linux desktop

LWN.net Weekly Edition for June 13, 2013

A report from pgCon 2013

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

GNU Guix launches

GNU Guix launches

Posted Nov 27, 2012 16:33 UTC (Tue) by pspinler (subscriber, #2922)
In reply to: GNU Guix launches by pboddie
Parent article: GNU Guix launches

We're also talking about two separate cases here: managing servers, and managing interactive machines (most probably desktops).

Managing servers you typically take a more conservative approach to. I'm more in the server than the desktop profession, but I can see the need to be more permissive with desktops.

With desktops I can see a use for a package manager that allows non-root installations in arbitrary paths, for instance to a network home directory that would then be available in any workstation you logged in at.

Even on (most) desktops, I can see not allowing normal office workers full root on the machines. However, there would likely need to be exceptions for certain classes of users -- basically people doing experimental stuff with their desktops. I'd perhaps setup an automated request mechanism for doling that out, so a) I'd have a record of who did it, and b) Id' have at least a chance to talk to the users and see what they're doing, and if they really actually need root, or could do with something else.

-- Pat

(Log in to post comments)

GNU Guix launches

Posted Nov 27, 2012 18:21 UTC (Tue) by dlang (✭ supporter ✭, #313) [Link]

> Even on (most) desktops, I can see not allowing normal office workers full root on the machines.

what's the practical difference on a desktop machine between giving the user of the machine root (or sudo style package manager access like Ubuntu does) and allowing them to install arbitrary packages as "non-root installations in arbitrary paths"?

It seems to me that the latter is much more complicated (where did this user install this package...)

GNU Guix launches

Posted Nov 28, 2012 1:12 UTC (Wed) by pspinler (subscriber, #2922) [Link]

what's the practical difference on a desktop machine between giving the user of the machine root (or sudo style package manager access like Ubuntu does) and allowing them to install arbitrary packages as "non-root installations in arbitrary paths"?

Lots. For instance:

  • No root means no messing about with contents of /etc, with selinux / apparmor policies, firewall, etc
  • Limiting filesystems where the packages can be installed
  • Making sure the places where it can be installed are mounted nosuid / nodev
  • Between all the above, it's notably harder to actually damage a system
  • User specific changes are isolated to a user filesystem, so the rest of the OS can be upgraded / replaced with (hopefully) minimal effect on user's customization
  • etc, etc

Anyway, point is, there's lots and lots of administrative advantages to limiting user customizations to limited areas and to stuff that requires no privs. Heck, I do this on my own workstation where I do have full privs.

-- Pat

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds