[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Root access removed



Chadley Wilson wrote:
On Tue, 2004-05-11 at 09:46, Chris Hewitt wrote:


With the Redhat/Fedora model the installation requires making an unprivilaged user and people tend to log in with that. For things requiring root access then yes the root password prompt comes up. Annoying maybe but at least the option is given.

In the MS model, no such unprivilaged user has to be made during installation (I've not used XP so maybe that differs?), so people tend to log in as Administrator so already have the privilages. I manually make an unprivilaged user and log in as that but when I need Administrator privilages for something I simply get a message telling me I cannot do that. I have to log out then log in again as Administrator, do what I need, then log out and log in again as my unprivilaged user. Its not just the time in doing these log out/ins, but in setting up the programs that I had and getting back to the point where I was before.

I think the Redhat/Fedora model is much more user friendly. You could suggest to your customers that they log in as root all the time. They would need to accept that making a mistake could have much more disasterous consequences, which is why non-root access is better.

As to why there should be a performance difference, I do not know.


Thanks for your input Chris,


But as for the administrative stuff I can understand the need for it to
require root access and yes the prompts are provided in linux and yes it
is good.

After much thought I think that I am able to explain my angle.
Why do things like, kppp setup, disk free, hardware browser, printer
manager, smb mounts, flash drives, digital cameras etc.. need root
access in a home environment/office enviroment.

Take shares and removable media they all require root access and
although there are work arounds, I find myself driving out to a client
only to find that he needs to open a terminal, su to root to mount a
flash drive, I check the config files and they are right, and I have
done many. He can use his stick, it works, he saw it work, I saw it
work, He unplugs it and later plugs it in again now he only has read
only access and doesn't have permissions. Get in my car drive there, I
see the flash is already mounted, and without un-mounting it I log into
a terminl as root and touch a file in the flash dir and guess what
suddenly the user has RW access again.Without unmounting? mmmm Thats
without changing anything, it seems the system wants root to first
access the drive before any other user.
O.K so now he reboots his PC and can't get it mounted at all at all
because he needs to be root to mount.

The point is: it is his memstick, it has his junk on it, he doesn't care
who root is, its not roots memstick it is his. He plugged it in as a
user not as root, but he still can't access it unless I am there to
configure everything, I tried to chown user on the flash but then he
cant access it on his other box because he is not logged in there. so it
is a real pain in the you know what.

I'm pretty sure I've not changed anything from the default here. I plug in the USB card reader and it's automatically recognized, kudzu creates an entry in /etc/fstab. I mount that entrypoint as a normal user and have full access to the files.


Or I can work in GUI mode. I can right-click on the desktop and under Disks I see an entry for "flash". If I select it it mounts the CF and shows it on the desktop. Similarly, right-click on the desktop "flash" icon and select "Unmount Volume" before removing the CF card.


One very common problem is with smb mounts for some reason when "I"
setup the access the user can mount the shares RW, he is given the
correct permissions from the serving PC and it works (RW). Until you
unmount and remount, for instance when the guy reboots his machine.
First problem starts when you unmount if anything is open, showing or
using the contents of the smb share while attempting to unmount, it
won't ever unmount the share again, even if you close all apps running,
at this point I just reboot, The same unmounting problem occurs in with
the flash.

It shouldn't unmount if anything is accessing any part of the filesystem. If it does it's very broken. If you remove the device anyway you have potentially screwed the filesystem on it - it's done for your protection so you *don't* remove the device before all writes are complete.



So to fix this guy I did a very bad :{ thing and feel bad about it to.
But I have plenty of reason for it, My petrol bill is witness to that. In the /etc/passwd file I removed the x from the 2nd column on both the
user and root. now everything works. But its not the right way to do
things.
These sort of things should work like stiffy and CD-Rom mounts. The user
logged in must be king of anything he plugs into his PC, like printers,
scanners, digital cameras, web cam, etc...
System files and and security should be for root.

Printers and scanners are controlled by system files, that's why it requires root permission to modify them.


I mean what does root care how the dude installs his printer, if he
shares the damn thing to the whole world he will soon run out of paper
and ink and soon learn his lesson.

Because printers/scanners are hardware which are the responsibility of the system administrator, not the user. The system administrator happens to be root, so root is required to manage them. The same is true in Windows, except that Windows makes the default user an administrator, with all the resulting security implications regarding viruses, trojans etc. that that entails. Then there's the problem of users with administrator rights who play with settings and bugger them up because they don't know what they are doing, end up sharing their hard disk with the world and wonder why their files keep getting deleted and/or modified.


Setting up a printer/scanner is generally a one time operation so it isn't really arduous to do it as root.

Also what do the file on a camera or memstick have to with root?

Root shouldn't be necessary.



Do you get my point? :'\

It's Windows thinking, unfortunately. Linux is a multi-user operating system which happens to run on a desktop. Windows is a single-user desktop operating system which tries to work in a multi-user environment and has lots of resulting security issues.



Note: for those following this thread, it is not a fight it is a
civilised discussion please keep it that way. ;-}


I just think that to many tools and apps require root access where the
user should have full rights.




--
Nigel Wade, System Administrator, Space Plasma Physics Group,
            University of Leicester, Leicester, LE1 7RH, UK
E-mail :    nmw ion le ac uk
Phone :     +44 (0)116 2523548, Fax : +44 (0)116 2523555



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]