Posted Nov 27, 2012 18:21 UTC (Tue) by dlang (✭ supporter ✭, #313)
In reply to: GNU Guix launches by pspinler
Parent article: GNU Guix launches
> Even on (most) desktops, I can see not allowing normal office workers full root on the machines.
what's the practical difference on a desktop machine between giving the user of the machine root (or sudo style package manager access like Ubuntu does) and allowing them to install arbitrary packages as "non-root installations in arbitrary paths"?
It seems to me that the latter is much more complicated (where did this user install this package...)
Posted Nov 28, 2012 1:12 UTC (Wed) by pspinler (subscriber, #2922)
> what's the practical difference on a desktop machine between giving the user of the machine root (or sudo style package manager access like Ubuntu does) and allowing them to install arbitrary packages as "non-root installations in arbitrary paths"?
Lots. For instance:
No root means no messing about with contents of /etc, with SELinux / AppArmor policies, firewall, etc.
Limiting filesystems where the packages can be installed
Making sure the places where it can be installed are mounted nosuid / nodev
Between all the above, it's notably harder to actually damage a system
User specific changes are isolated to a user filesystem, so the rest of the OS can be upgraded / replaced with (hopefully) minimal effect on user's customization
etc, etc
Anyway, point is, there's lots and lots of administrative advantages to limiting user customizations to limited areas and to stuff that requires no privs. Heck, I do this on my own workstation where I do have full privs.