root in FC 10

Fred Silsbee fredsilsbee at yahoo.com
Sat Dec 6 07:45:10 UTC 2008 



--- On Sat, 12/6/08, Todd Zullinger <tmz at pobox.com> wrote:

> From: Todd Zullinger <tmz at pobox.com>
> Subject: Re: root in FC 10
> To: fedora-list at redhat.com
> Date: Saturday, December 6, 2008, 7:32 AM
> Tom Horsley wrote:
> > On Sat, 06 Dec 2008 16:10:36 +1030 Tim
> > <ignored_mailbox at yahoo.com.au> wrote:
> > 
> >> Compared to logging in graphically as root leaves
> you much more
> >> open to security flaws in the graphical systems
> doing much more
> >> than you were doing.
> > 
> > Ah yes, here it is again - GUIS are horribly flawed
> and ridden
> > through with security bugs.
> 
> The point is that you should always run with the least
> amount of
> privileges to perform a task¹.  Running a desktop session
> as the root
> user means that you are running far more code than you
> would if you
> ran as a normal user and only used root to execute the
> programs that
> need root privileges -- e.g. the system-config-* tools and
> such.
> 
> There is also effort being put into separating the GUI part
> of various
> system tools from the parts that require root privilege. 
> For example,
> this allows a normal user to run a date/time configuration
> tool and
> only uses root privilege to actually change the system
> time.
> 
> It does not mean that the GUI is entirely untrustworthy or
> unsuitable
> for use.  It just means that best practice is to run as
> little code
> with superuser privilege as is needed.
> 
> > If that is really the case, then no one should be
> logging into any
> > GUI at all for any reason since you'll be exposing
> your own data to
> > all those security kooties waiting to leap out of the
> GUIs on them.
> 
> A little hyperbole with your coffee? ;)
> 
> ¹
> http://en.wikipedia.org/wiki/Principle_of_least_privilege
> 
> -- 
> Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL:
> www.pobox.com/~tmz/pgp
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> The race for quality has no finish line- so technically,
> it's more
> like a death march. 
>     -- Demotivators (www.despair.com)
> 
> -- 
> fedora-list mailing list
> fedora-list at redhat.com
> To unsubscribe:
> https://www.redhat.com/mailman/listinfo/fedora-list
> Guidelines:
> http://fedoraproject.org/wiki/Communicate/MailingListGuidelines

You don't see it do you! What you are proposing would take a massive intricate system to protect people from themselves. SELINUX is already a super mess duplicating controls already in place and adding to the CPU burden.

Extending your logic to society, we'd need a massive intricate system to protect people from themselves. Put an automatic temperature limit on hot water to protect people from scalding. Most controls in place in society are to prevent lawsuits.

Move to NYC and do your income tax! Ends up nobody understands the calculations involved. Those who think they do even argue among themselves.

It is the underlying attitude that caused people to move here from Europe.

Arogant people trying to run the lives of others. How about a 65 mph limit on auto speeds. There are 100000 more!

More information about the fedora-list mailing list