Root access removed

Nigel Wade nmw at ion.le.ac.uk
Tue May 11 11:58:28 UTC 2004 

Chadley Wilson wrote:
> On Tue, 2004-05-11 at 09:46, Chris Hewitt wrote:
> 
> 
>>With the Redhat/Fedora model the installation requires making an 
>>unprivilaged user and people tend to log in with that. For things 
>>requiring root access then yes the root password prompt comes up. 
>>Annoying maybe but at least the option is given.
>>
>>In the MS model, no such unprivilaged user has to be made during 
>>installation (I've not used XP so maybe that differs?), so people tend 
>>to log in as Administrator so already have the privilages. I manually 
>>make an unprivilaged user and log in as that but when I need 
>>Administrator privilages for something I simply get a message telling me 
>>I cannot do that. I have to log out then log in again as Administrator, 
>>do what I need, then log out and log in again as my unprivilaged user. 
>>Its not just the time in doing these log out/ins, but in setting up the 
>>programs that I had and getting back to the point where I was before.
>>
>>I think the Redhat/Fedora model is much more user friendly. You could 
>>suggest to your customers that they log in as root all the time. They 
>>would need to accept that making a mistake could have much more 
>>disasterous consequences, which is why non-root access is better.
>>
>>As to why there should be a performance difference, I do not know.
>>
> 
> Thanks for your input Chris,
> 
> But as for the administrative stuff I can understand the need for it to
> require root access and yes the prompts are provided in linux and yes it
> is good.
> 
> After much thought I think that I am able to explain my angle.
> Why do things like, kppp setup, disk free, hardware browser, printer
> manager, smb mounts, flash drives, digital cameras etc.. need root
> access in a home environment/office enviroment.
> 
> Take shares and removable media they all require root access and
> although there are work arounds, I find myself driving out to a client
> only to find that he needs to open a terminal, su to root to mount a
> flash drive, I check the config files and they are right, and I have
> done many. He can use his stick, it works, he saw it work, I saw it
> work, He unplugs it and later plugs it in again now he only has read
> only access and doesn't have permissions. Get in my car drive there, I
> see the flash is already mounted, and without un-mounting it I log into
> a terminl as root and touch a file in the flash dir and guess what
> suddenly the user has RW access again.Without unmounting? mmmm Thats
> without changing anything, it seems the system wants root to first
> access the drive before any other user.
> O.K so now he reboots his PC and can't get it mounted at all at all
> because he needs to be root to mount.
> 
> The point is: it is his memstick, it has his junk on it, he doesn't care
> who root is, its not roots memstick it is his. He plugged it in as a
> user not as root, but he still can't access it unless I am there to
> configure everything, I tried to chown user on the flash but then he
> cant access it on his other box because he is not logged in there. so it
> is a real pain in the you know what.
>  

I'm pretty sure I've not changed anything from the default here. I plug in 
the USB card reader and it's automatically recognized, kudzu creates an 
entry in /etc/fstab. I mount that entrypoint as a normal user and have full 
access to the files.

Or I can work in GUI mode. I can right-click on the desktop and under Disks 
I see an entry for "flash". If I select it it mounts the CF and shows it on 
the desktop. Similarly, right-click on the desktop "flash" icon and select 
"Unmount Volume" before removing the CF card.


> One very common problem is with smb mounts for some reason when "I"
> setup the access the user can mount the shares RW, he is given the
> correct permissions from the serving PC and it works (RW). Until you
> unmount and remount, for instance when the guy reboots his machine.
> First problem starts when you unmount if anything is open, showing or
> using the contents of the smb share while attempting to unmount, it
> won't ever unmount the share again, even if you close all apps running,
> at this point I just reboot, The same unmounting problem occurs in with
> the flash. 

It shouldn't unmount if anything is accessing any part of the filesystem. If 
it does it's very broken. If you remove the device anyway you have 
potentially screwed the filesystem on it - it's done for your protection so 
you *don't* remove the device before all writes are complete.

> 
> So to fix this guy I did a very bad :{ thing and feel bad about it to.
> But I have plenty of reason for it, My petrol bill is witness to that. 
> In the /etc/passwd file I removed the x from the 2nd column on both the
> user and root. now everything works. But its not the right way to do
> things.
> These sort of things should work like stiffy and CD-Rom mounts. The user
> logged in must be king of anything he plugs into his PC, like printers,
> scanners, digital cameras, web cam, etc...
> System files and and security should be for root. 

Printers and scanners are controlled by system files, that's why it requires 
root permission to modify them.

> I mean what does root care how the dude installs his printer, if he
> shares the damn thing to the whole world he will soon run out of paper
> and ink and soon learn his lesson. 

Because printers/scanners are hardware which are the responsibility of the 
system administrator, not the user. The system administrator happens to be 
root, so root is required to manage them. The same is true in Windows, 
except that Windows makes the default user an administrator, with all the 
resulting security implications regarding viruses, trojans etc. that that 
entails. Then there's the problem of users with administrator rights who 
play with settings and bugger them up because they don't know what they are 
doing, end up sharing their hard disk with the world and wonder why their 
files keep getting deleted and/or modified.

Setting up a printer/scanner is generally a one time operation so it isn't 
really arduous to do it as root.

> Also what do the file on a camera or memstick have to with root?

Root shouldn't be necessary.

> 
> Do you get my point? :'\

It's Windows thinking, unfortunately. Linux is a multi-user operating system 
which happens to run on a desktop. Windows is a single-user desktop 
operating system which tries to work in a multi-user environment and has 
lots of resulting security issues.

> 
> Note: for those following this thread, it is not a fight it is a
> civilised discussion please keep it that way. ;-}
>  
> 
> I just think that to many tools and apps require root access where the
> user should have full rights.
> 
> 


-- 
Nigel Wade, System Administrator, Space Plasma Physics Group,
             University of Leicester, Leicester, LE1 7RH, UK
E-mail :    nmw at ion.le.ac.uk
Phone :     +44 (0)116 2523548, Fax : +44 (0)116 2523555

More information about the fedora-list mailing list