Root access removed

[Jeff Vian]

Lamar Owen wrote:

>On Tuesday 11 May 2004 09:32, Jeff Vian wrote:
>  
>
>>/etc/fstab controls the access when mounting.   Configure it there to
>>allow the user to mount/unmount and access it.
>>    
>>
>
>Ok, so I configure the memstick today, which is /dev/sda1.  I have the proper 
>options in fstab to allow the user to do that.  Now, the user plugs in a  
>camera (that is managed by usb-storage), it gets /dev/sda, and then he plugs 
>in the memstick (which gets /dev/sdb).  Now what?  Tomorrow he adds a USB 
>hard drive (already partitioned and formatted, BTW).  Now what?
>
>With KDE you can see devices and such on the desktop if you would like, but 
>the permissions have to be set up first.
>  
>
It has been discussed on this list how to ensure one device always gets 
the same assigned name when plugged into usb. That will handle the task 
of preventing other devices from stepping on the memstick (among others).
However, that does not address the need to do the same for every 
different device users use and manage it automatically for them.

>  
>
>>A little bit if time spent on education is much better in the long run
>>than just removing obstacles.  Ever hear the one about "Give a man a
>>fish and he eats for a day.  Teach a man to fish and he eats forever.")?
>> It applies to using computers as well.
>>    
>>
>
>Yeah, but sometimes when somebody asks 'What time is it?' he doesn't want to 
>know how to build a watch.  When I go into McDonald's and ask for a Big Mac I 
>don't want a lesson in butchery, USDA inspection, frying temperature, 
>condiment formulation, hydroponic growing of salad greens and vegetables, 
>proper rennet mixture for curdling, oleo versus diary mixture to meet USDA 
>standards for naming a product 'cheese' versus 'cheese food', vinegar 
>solution percentages for proper acidity to react with cucumber slices, 
>growing techniques for oriental seed spices, and appropriate yeast cultures 
>for particular strains of wheat for desired bubble sizes.  I just want to eat 
>a Big Mac.  This also applies to computers: sometimes people just want to get 
>their work done.  This is not a wrong thing to want.
>  
>
My point was to suggest that he should learn the value of security and 
not be totally  exposed by using none. Also, a little time spent on 
teaching him how/why he should not have root access as a standard 
practice will greatly simplify your later maintenance tasks.

>  
>
>>I understand your point, and as long as the user understands the risks
>>of being root user and the ease of causing severe damage to his system
>>with a simple typo when he is logged in as root, it is, after all, /his/
>>system.
>>    
>>
>
>This is again where a well-configured SELinux setup will solve many problems.  
>The hard part is getting it well-configured.  Under SELinux carried out to 
>the max there _is_ no root.  This is also a good thing.  SELinux and similar 
>technologies should be thought of as ways to improve both security of the 
>system and convenience to the user.  With proper application of this 
>technolgy much finer-grained balancing of security versus convenience may be 
>done.  But the tools to do this must be easily configured, and the defaults 
>must be very carefully chosen.
>
I agree completely, and this appears to be the direction to go if we 
want to have linux make any major inroads in the home user market.


I am waiting for the release of FC2 so I can start testing SELinux 
features in great depth.