[Container-tools] Security vs. Usability: atomic commands and permissions

Josh Berkus jberkus at redhat.com
Thu Mar 3 19:53:17 UTC 2016


On 03/02/2016 05:34 PM, Josh Berkus wrote:
> On 03/02/2016 05:16 AM, Brian (bex) Exelbierd wrote:
>> On 02/27/2016 03:15 AM, Josh Berkus wrote:
>>> Folks,
>>>
>>> So I'm testing the new atomicapp tutorial documentation, and one thing
>>> I'm running across as a major usability issue for Linux desktop
>>> developers is that most of the commands require sudo, and create files
>>> which are owned and editable only by root.  Which means that I can't
>>> easily pull, fork and modify Nulecule applications for my own use in my
>>> text editor of choice (Atom, for example).
>>
>> Could we clean this up by setting files we expect to be edited to being
>> owned by the user?  I realize that creates a secondary security issue,
>> but it would ease the workflow.  We aren't talking about a production
>> situation here ...
>>
>> Ideally it would be nice to see privileges only used where they are
>> really needed.
>
> What's the advantage to having any files owned by root on the user's own
> laptop, in their dev environment?

So, here's an example where how we do this is a fail for developers.

In order to have an answers.conf file, I should do "atomicapp genanswers", 
which will create an answers.conf file from the Nulecule file.  However, 
the newly generated file is owned by "root", which means I can't use 
Atom to edit it; I have to do "sudo vi" or "sudo emacs".

This is a major usability barrier.


-- 
--
Josh Berkus
Project Atomic
Red Hat OSAS



