Re: Lindows.com - Friend or Foe? [LWN.net]

Re: Lindows.com - Friend or Foe?

Posted Jun 26, 2003 21:33 UTC (Thu) by Ross (guest, #4065)
Parent article: Lindows.com - Friend or Foe?

> Another important point to note is that there is nothing inherently
> wrong with LindowsOS.

I completely and utterly disagree.

> Some readers will argue that running the operating system as root by
> default is a major security risk ...

Yes, that would be my primary concern. One of the advantages and selling
points for Linux is the amount of design and care which has been put into
the security of the system. The lack of viruses and email trojans is very
attractive to companies and individuals who have been damaged by such
software in the past.

> ... but remember that the market segment the product is aimed at
> simply does not want to deal with any passwords.

That is wrong in at least two ways.

1) Windows desktops often use passwords. Most companies I know of use a
Domain structure. Home users using Windows XP deal with passwords and
I would hope their email and ISP accounts are password protected.

2) Because the distribution is aimed at inexperienced users and people
moving from Windows to Linux, proper security is more important at the
system level precisely because we can't depend on the use to make safe
choices ("hmm... it says in this message I should double click on the
icon so I don't see why I shouldn't do so").

> Yes, it would be more desirable to educate the population about the
> dangers of using the system as root.

Just don't tell the users about root. Have a daemon or well written suid
program so that the system has final say (unless the user knows about root)
about what is installed on the system. If it wants to be really paranoid,
it could require signed packages.

> In an ideal world, this would work.

It can work in the world we live in if we cared enough to do something
about it (actually if Lindows' creators cared enough).

> Unfortunately, a picture of a Debian developer joyously conversing
> about file access permissions with Aunt Tillie is an unlikely sight.

Hmm... who brought Aunt Tillie into this? Once again she is messing with
things that should be better left alone. Why does she need to recompile
her kernel? Why does she need to make /usr/bin writable to herself? She
doesn't.

> It goes without saying that LindowsOS does not prevent security
> conscious users from setting up user accounts and passwords.

Exactly the problem. As you yourself stated above, the target audience
won't know how to do this or even know that they can do this. These are
the people that should be given a safe environment by default. It should
be difficult for them to make it an unsafe environment.

Now don't get me wrong, using a different user id than root and different
than the owner of the important system files is important, but I don't
think it is the only consideration for security a system, but it is an
important one.

to post comments

Re: Lindows.com - Friend or Foe?

Posted Jul 1, 2003 13:38 UTC (Tue) by wookey (guest, #5501) [Link] (2 responses)

I'm very nervous about the root thing too. I'm actively looking for a
distro to give my mother, who's grasp of computing is 'tenuous' at best,
and Lindows sounds ideal except that I feel I can't, in good conscience,
give her a box with everything running as root.

So in fact, if there are technical intermediaries, it's not getting to
it's desired target audience due to the apparently complete disregard for
user security. There was a time when this wouldn't matter, but sadly it
is now long gone.

Re: Lindows.com - Friend or Foe?

Posted Jul 1, 2003 15:18 UTC (Tue) by ris (subscriber, #5) [Link] (1 responses)

Lindows does not force people to run as root. It encourages people to set up user names with passwords, it just doesn't insist and will allow people to bypass that part if they want to. Most novices will follow the instructions and set up user accounts. It is the people who think they are Windows power users who are most likely to skip this step and run into trouble.

I believe the first version of Lindows only ran as root, but that is not the case any more.

lindows does not force you to be root

Posted Sep 11, 2003 6:09 UTC (Thu) by gwx03 (guest, #14980) [Link]

I would like u ppl to get your facts right before commenting... lindows does allow you to add users and not run root. Though it runs root by default, now it adds the 'user manager' link onto the kde menu and also under a pop-up box which starts after it is installed, the 'advanced' button, it allows you to add users. Besides, advanced users who can use the terminal can by all means set up othe rusers and not use the root a/c.

plz get your facts right. Im no fan of lindows but i feel its a great and easy2 use OS though the ease can be irritating to me ( lindows is not the def. OS i use; i use redhat. ).... its quite insecure ... but not to the extent of windoze i guesss.

The only thing which bugs me is that lindows imposes a fee onto its open source software and contribute very less back..

the lindows software costs tens of dollars and THEN.... look at their click-n-run. four dollars a month to run a cache of software that can be available for free on the web ! (like opera, mozilla, gimp )!!!! is this some big, evil moneymaking scheme??