Re: What I HATE about F11
Lennart Poettering mzerq...@0pointer.de wrote: [...] Gah. Allowing packages to pierce the firewall just makes the firewall redundant. Not entirely. I still think that the current firewall situation on Fedora is pretty much broken. It's a bit like SELinux: it's one of the first features most people disable. Strange... I've rarely had any reason to futz around with the firewall here. Neither with SELinux, at least for a long while now. Fedora is the only big distro that enables a firewall by default and thus creates a lot of trouble for many users. I think I mentioned that before, and I can only repeat it here: we should not ship a firewall enabled by default, like we currently do. If an application cannot be trusted then it should not be allowed to listen on a port by default in the first place. A firewall is an extra layer of security that simply hides the actual problem. True. But another layer of security /is/ a good idea, most of the time. -- Dr. Horst H. von Brand User #22616 counter.li.org Departamento de InformaticaFono: +56 32 2654431 Universidad Tecnica Federico Santa Maria +56 32 2654239 Casilla 110-V, Valparaiso, Chile 234 Fax: +56 32 2797513 -- fedora-devel-list mailing list fedora-devel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-devel-list
Re: What I HATE about F11
On Sun, Jun 14, 2009 at 8:08 PM, Lennart Poetteringmzerq...@0pointer.de wrote: Gah. Allowing packages to pierce the firewall just makes the firewall redundant. True A firewall is an extra layer of security that simply hides the actual problem. Um!? Layered security is a _good thing_. *All* the network daemons in Fedora today have had bugs reported. I pretty much want to have that extra layer hiding actual problems :-) cheers, m -- martin.langh...@gmail.com mar...@laptop.org -- School Server Architect - ask interesting questions - don't get distracted with shiny stuff - working code first - http://wiki.laptop.org/go/User:Martinlanghoff -- fedora-devel-list mailing list fedora-devel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-devel-list
Re: What I HATE about F11
On Thu, 18 Jun 2009, Martin Langhoff wrote: On Sun, Jun 14, 2009 at 8:08 PM, Lennart Poetteringmzerq...@0pointer.de wrote: Gah. Allowing packages to pierce the firewall just makes the firewall redundant. True A firewall is an extra layer of security that simply hides the actual problem. Um!? Layered security is a _good thing_. *All* the network daemons in Fedora today have had bugs reported. I pretty much want to have that extra layer hiding actual problems :-) agreed. The point of the firewall is that some tools are not a good idea to expose to the whole world. Waiting for every daemon to be perfect or allowing them to run exposed to find bugs by having people's systems get cracked is not good or appropriate behavior for any distro. the default firewall needs to stay, imo. Having better tools for configuring it is a good idea, but disabling it is not a solution of any kind. -sv -- fedora-devel-list mailing list fedora-devel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-devel-list
Re: What I HATE about F11
On Mon, 15 Jun 2009 18:35:00 -0300 Martín Marqués martin.marq...@gmail.com wrote: 2009/6/15 Casey Dahlin cdah...@redhat.com: Maybe we should just make the command line more friendly so users don't mind reaching for it. I vote we add clippy. You're joking, right? It's *clippy* - of course it's a joke. :-) I'm sure the appropriate people within MS would admit to all sorts of perverse indiscretions well before admitting that Clippy was their idea. A command line clippy would result in sysadmins and power users rioting in the street. I see you're trying to write a shell scri^C; rm -f /usr/bin/clippy... (A true BOFH would have it run in his least-favourite luser's .profile, set immutable and located in luser's $HOME/bin. :-P) Serious note: hotwire / hotssh may not suit the experienced - personally it's not my thing - but it would be an excellent compromise for the newer user that needs a bit of help with the CLI. Michael. -- Michael Fleming mflem...@thatfleminggent.com - (EMail/XMPP/Jabber) WWW: http://www.thatfleminggent.com Fedora / Red Hat Packages: http://www.thatfleminggent.com/rpm-packages Twitter: http://twitter.com/thatfleminggent -- fedora-devel-list mailing list fedora-devel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-devel-list
Re: What I HATE about F11
Le Lun 15 juin 2009 20:47, Casey Dahlin a écrit : On 06/14/2009 02:08 PM, Lennart Poettering wrote: Gah. Allowing packages to pierce the firewall just makes the firewall redundant. Not true. Allowing any listening program to poke a hole in the firewall would make it redundant. Packages are different. They're signed, vetted things corresponding to real functionality the user wants. The problem that does arise is: just because apache is installed doesn't mean its running. Really, init scripts should open the firewall ports they need when their service comes up (and I'll propose something for upstart 1.0 later today to make that make more sense.) Very often software makes it a pain to define the networks/interfaces to talk on (in the case of multiple Internet/Lan/VPN attachement) and right now it's safer to firewall the Internet-facing ports by default instead of hunting down all the apps that want to send there (and we grow new ones every month). Most packages listen/broadcast by default everywhere, they're *not* safe to allow poking the firewall as-is. The only system likely to work is for software to tell a trusted app I want access to X Y and only allow this app to manipulate firewall configuration after an admin vetted it (accept all, refuse all, or only part of it). And then if part of it is refused apps should reconfigure themselves to honour the admin decision. -- Nicolas Mailhot -- fedora-devel-list mailing list fedora-devel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-devel-list
Re: What I HATE about F11
Lennart Poettering wrote: On Mon, 15.06.09 12:41, Thomas Woerner (twoer...@redhat.com) wrote: So, what should happen here? Should we leave the firewall enabled in these cases* by default and require admins to open them? If so, is there any way that we can make this easier in some Packagekit-oriented manner? If not, how should we define that packages indicate that they need ports opened? Should this be handled at install time or run time? Gah. Allowing packages to pierce the firewall just makes the firewall redundant. I still think that the current firewall situation on Fedora is pretty much broken. It's a bit like SELinux: it's one of the first features most people disable. SELinux and the firewall configuration are trying to make the system secure before something happens. If your system is compromised, then it is far too late to react. If you do not care about security, then disable it and have fun with the results. You know, there is one big difference between SELinux and the default Firewall. The former doesn't inhibit the use of an application (at least if the policy is written correctly) because it whitelists every operation an application should be able to use but nothing else. OTOH the default firewall actively breaks a lot of applications we ship by default. It most of the time it even does that silently, without reporting EPERM or suchlike back to the application. Really, if SELinux is set up properly nobody should notice it. However the default firewall breaks a lot of services, and is hence very much noticeable. I wonder why other systems are getting more restrictive and secure over time and for Linux people request the opposite direction. Oh my. I wonder why other systems work by default and Fedora doesn't. Fedora is the only big distro that enables a firewall by default and thus creates a lot of trouble for many users. I think I mentioned that before, and I can only repeat it here: we should not ship a firewall enabled by default, like we currently do. If an application cannot be trusted then it should not be allowed to listen on a port by default in the first place. A firewall is an extra layer of security that simply hides the actual problem. How do you want to get to it should not be allowed to listen on a port by default? Maybe with SELinux? Yes, SELinux is fine for that. Or simply by not shipping the app at all if it's shit. According to your own statement SELinux is disabled for most users. Therefore this is not possible. An other thing: How do you limit access to a network segment with SELinux? For this you need to have a firewall. Please remember that you might not want to share your database for use in your home office intranet with the world if you are connected to a internet wifi access point while waiting for a flight. Here it should be possible to specify the type of the connection and mark the wifi connection as non trusted. Changing the configuration of the service itself might lead to a configuration chaos, because you have to be able to configure every service properly according to your black and white lists. Also do not forget to think about security holes in applications and services. They do exist. Saying that you do not need to have the system as secure as possible, because there is no risk is like ignoring reality. If you want to drop all packages, which have or had at minimum one security problem, then you will end up without any applications and packages. Lennart Thomas -- fedora-devel-list mailing list fedora-devel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-devel-list
Re: What I HATE about F11
Charles Butterfield wrote: * My supported NVIDIA card (Quadro NVS 295) Supported by what? Who said it's supported? If it's NVidia, that's irrelevant, as their driver is proprietary and NOT supported or included in Fedora. Kevin Kofler -- fedora-devel-list mailing list fedora-devel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-devel-list
Re: What I HATE about F11
On Sun, 2009-06-14 at 19:36 +0100, Matthew Garrett wrote: there is an interesting issue; if you poke a hole in your firewall for all the ports that are listening automatically. you might as well not have a firewall in the first place... Well, not exactly. For instance, making it part of package management policy means that runtime user-level compromises can't poke holes. It could be tied to packages with recognised signatures. There's various ways that it could be tied down in such a way that the firewall still provides a benefit without leaving users in the current situation of I installed nss-mdns and I still can't look up my media server. Here's another variation on the popular AdamW theme Wot Mandriva Does... Mandriva has a firewall configuration tool with a neat feature. Ports can be associated with packages (in the code, not by the user). So, oh, say, the default port most bittorrent apps use (I forget what it is, 8881 or something) is associated with all the packages in Mandriva which do bittorrent. When you run the firewall configuration tool, if any of those packages is installed, a Bittorrent checkbox shows up in the 'dead simple' interface - just check the box and Bittorrent magically works! I used this for Windows Mobile sync stuff: WM sync requires something of an assortment of ports to be open in the firewall (four of five of 'em). So I just made the firewall config tool associate that set of ports with the libsynce package; if you have libsynce installed, the firewall config tool gives you a nice little checkbox (marked 'Windows Mobile Synchronization' or something) that opens all those ports for you. It's a rather old system that looks a bit hacky from one perspective, but seems to satisfy the requests in this thread rather well: it's very easy to use but doesn't just open the firewall automatically. Well, just an observation. I can provide a link to the code if anyone cares, but if Fedora wanted to do something similar it'd probably just get re-done from scratch, as MDV's code is of course in perl... -- Adam Williamson Fedora QA Community Monkey IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org http://www.happyassassin.net -- fedora-devel-list mailing list fedora-devel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-devel-list
Re: What I HATE about F11
On Tue, 2009-06-16 at 16:39 -0700, Adam Williamson wrote: On Sun, 2009-06-14 at 19:36 +0100, Matthew Garrett wrote: there is an interesting issue; if you poke a hole in your firewall for all the ports that are listening automatically. you might as well not have a firewall in the first place... Well, not exactly. For instance, making it part of package management policy means that runtime user-level compromises can't poke holes. It could be tied to packages with recognised signatures. There's various ways that it could be tied down in such a way that the firewall still provides a benefit without leaving users in the current situation of I installed nss-mdns and I still can't look up my media server. Here's another variation on the popular AdamW theme Wot Mandriva Does... snippety sigh, now I actually check system-config-firewall and see that it looks like it does much the same thing. I could really do with that Google 'cancel my last email' button in Evolution :) -- Adam Williamson Fedora QA Community Monkey IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org http://www.happyassassin.net -- fedora-devel-list mailing list fedora-devel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-devel-list
Re: What I HATE about F11
On Mon, 2009-06-15 at 12:22 -0800, Jeff Spaleta wrote: On Mon, Jun 15, 2009 at 11:42 AM, Casey Dahlincdah...@redhat.com wrote: The ability for nautilus to prompt for credentials when the user tries to do something outside his permission level has been missing for far too long. Its annoying to implement, but I'll owe a beer to whoever finally does it. I just threw that out as one example of how to think like a new admin when figuring out how to perform an administrative task for the first time would end up trying to re-login as root in order to get access to gui tools to make up for a lack of familiarity with the command line. This is precisely one of the things PolicyKit solves (or will solve). The best thing about PolicyKit is that it allows apps to elevate privileges for a specific operation (or set of operations) and drop them once it no longer needs them. So, with appropriate PolicyKit goodness added, a gedit running as a normal user, editing /etc/X11/xorg.conf , when you clicked 'Save', would not say oh noes! I do not have the powah to do that! must drink more milk!, but would ask you for authentication according to the appropriately PolicyKit...policy, and if you passed the test, go ahead and save the file. Nautilus would do the same when running as a normal user if you tried to move a file that your user doesn't have the power to move. And so on. And the system administrator could disable this if she felt she didn't like it, or change the authentication details in any one of several ways...PolicyKit, in short, is really frickin' awesome, and this will become more obvious once more applications implement support for it to do things that just weren't realistically possible before. Ve haf zer technology, already. :) it's just a case of adding code to more apps to take advantage of the awesomeness of PolicyKit, and I believe this is scheduled to happen. For the record, there is exactly one legitimate use case for logging into the desktop as root that I've ever come across: using a graphical utility to manipulate your /home partition. For obvious reasons, you can't do this from a regular user session with 'su'. However, I consider this sufficiently unusual a case for go to a console, login as root, do startx to be a good enough solution. -- Adam Williamson Fedora QA Community Monkey IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org http://www.happyassassin.net -- fedora-devel-list mailing list fedora-devel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-devel-list
Re: What I HATE about F11
On Tue, 2009-06-16 at 16:17 -0800, Jeff Spaleta wrote: Its the next circle, the less frequent administrative chore tasks, that I'm not sure its well defined in terms of which applications need PolKit support added in. Maybe Nautilus is that circle, maybe its not. Maybe its not time to start work on the stuff in that circle. But I think it would be a good idea to define that next circle of functionality as the currently boundary between what you can comfortably do and not do without cmdline knowledge and to give pointers as to where the next priorities are for PolKit integration work. Enabling nautilus to operate on files not owned by yourself has certainly been one of the envisioned use cases for PolicyKit right from the start. It just hasn't been done yet. If someone wants to investigate that, nautilus-l...@gnome.org is a friendly and helpful place... Matthias -- fedora-devel-list mailing list fedora-devel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-devel-list
Re: What I HATE about F11
On 06/16/2009 07:57 PM, Adam Williamson wrote: On Mon, 2009-06-15 at 12:22 -0800, Jeff Spaleta wrote: On Mon, Jun 15, 2009 at 11:42 AM, Casey Dahlincdah...@redhat.com wrote: The ability for nautilus to prompt for credentials when the user tries to do something outside his permission level has been missing for far too long. Its annoying to implement, but I'll owe a beer to whoever finally does it. I just threw that out as one example of how to think like a new admin when figuring out how to perform an administrative task for the first time would end up trying to re-login as root in order to get access to gui tools to make up for a lack of familiarity with the command line. This is precisely one of the things PolicyKit solves (or will solve). The best thing about PolicyKit is that it allows apps to elevate privileges for a specific operation (or set of operations) and drop them once it no longer needs them. So question: my feeling is that the other part of policy kit that is important is that it puts all the access policy in one place. sudo would be in violation of this, since it has its own quite intricate file full of policy configuration. I think that an implementation of sudo should be provided that gets its configuration entirely or in part from policy kit. Right now I see this as a new program that is a drop-in sudo replacement (sudo and polkit-sudo would use the alternative system). Thoughts? I'm ready to hack it together. --CJD -- fedora-devel-list mailing list fedora-devel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-devel-list
Re: What I HATE about F11
On 15/06/09 01:24, Guido Grazioli wrote: That said, I agree the wheel group should be enabled with sudo, though I disagree that the initial install user should be automatically added to it. But then again, I hate sudo :P I do most scripting that requires root access via root logins directly with ssh and keys. i completely agree and do mostly the same; it would be a good idea (or at least, imho better than an option to add the user to wheel group) to have a generate dsa keypair and add to root authorized_keys checkbox during firstboot user creation. Then just ssh -X for your daily needed root tasks I understand ssh into another box, but this gives the impression that ssh should be used for the box your sitting in front of? Frank -- fedora-devel-list mailing list fedora-devel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-devel-list
Re: What I HATE about F11
Charles Butterfield, Sat, 13 Jun 2009 22:19:17 -0400: Okay, so I mostly love Fedora. However, here are 4 things that got by blood really, really boiling, so I thought I'd share my emotions. They are mostly policy issues, where I think you have gotten it very very wrong. DON'T FEED THE TROLL!!! /plonk -- fedora-devel-list mailing list fedora-devel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-devel-list
Re: What I HATE about F11
Lennart Poettering wrote: On Sun, 14.06.09 18:34, Matthew Garrett (m...@redhat.com) wrote: So, solving this is pretty easy, even for newbies. But I agree that the error message will not help someone without advanced knowledge. Although I think people running Samba generally will know where to look for the problem. I think this is actually a problem that needs solving. We have several network services that are either installed by default or might be expected to be part of a standard setup, but which don't work because of the default firewall rules. The Anaconda people have (sensibly, IMHO) refused to simply add further exceptions to the firewall policy. So, what should happen here? Should we leave the firewall enabled in these cases* by default and require admins to open them? If so, is there any way that we can make this easier in some Packagekit-oriented manner? If not, how should we define that packages indicate that they need ports opened? Should this be handled at install time or run time? Gah. Allowing packages to pierce the firewall just makes the firewall redundant. I still think that the current firewall situation on Fedora is pretty much broken. It's a bit like SELinux: it's one of the first features most people disable. SELinux and the firewall configuration are trying to make the system secure before something happens. If your system is compromised, then it is far too late to react. If you do not care about security, then disable it and have fun with the results. I wonder why other systems are getting more restrictive and secure over time and for Linux people request the opposite direction. Fedora is the only big distro that enables a firewall by default and thus creates a lot of trouble for many users. I think I mentioned that before, and I can only repeat it here: we should not ship a firewall enabled by default, like we currently do. If an application cannot be trusted then it should not be allowed to listen on a port by default in the first place. A firewall is an extra layer of security that simply hides the actual problem. How do you want to get to it should not be allowed to listen on a port by default? Maybe with SELinux? Please remember that there are still services like for example RPC that are using random ports which might be one of those that are open. Now, it's my impression that some people who control the packages in question and believe in all this security theater more than I do, seem to be unwilling to loosen the default firewall. So as a bit of a compromise here's what I suggest: I do not think that security is a theater. If the system you are using lacks security and someone could copy and/or remove your private or work data, then you might have big problems. Add a very simple per-interface firewall profile system to NetworkManager. Something that is easily reachable from the NM applet. Something with just two simple profiles by default: one that allows everything for use in trusted networks, and one that just allows DNS, HTTP, VPN for use in untrusted networks (i.e. airport APs). Admins could then add more profiles if they feel the need for it. And one could bind those profiles to specific networks, so that people would just have to configure them once. Of course, as mentioned, these firewall profiles need to be per-interface so that a vpn interface can be trusted, while the underlying WLAN iface doesn't have to be trusted. If there would be a mechanism to define the type of an internet connection or a network segment, then it would surely be possible to make this work even with system-config-firewall. But at the moment there is no such mechanism. Here is the latest request to add a mechanism like this: https://bugzilla.redhat.com/show_bug.cgi?id=472784 Lennart Thomas -- fedora-devel-list mailing list fedora-devel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-devel-list
Re: What I HATE about F11
Matthew Garrett wrote: On Sun, Jun 14, 2009 at 06:13:51PM +0200, Julian Aloofi wrote: So, solving this is pretty easy, even for newbies. But I agree that the error message will not help someone without advanced knowledge. Although I think people running Samba generally will know where to look for the problem. I think this is actually a problem that needs solving. We have several network services that are either installed by default or might be expected to be part of a standard setup, but which don't work because of the default firewall rules. The Anaconda people have (sensibly, IMHO) refused to simply add further exceptions to the firewall policy. So, what should happen here? Should we leave the firewall enabled in these cases* by default and require admins to open them? If so, is there any way that we can make this easier in some Packagekit-oriented manner? If not, how should we define that packages indicate that they need ports opened? Should this be handled at install time or run time? * The case that I keep hitting is mDNS resolution, which requires opening a hole in the firewall The question here is: For whom do you want to open the firewall? For your private network at home or also the wifi connection in the internet cafe? A mechanism has to be added to define the type of a network connection or a network segment. Thomas -- fedora-devel-list mailing list fedora-devel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-devel-list
Re: What I HATE about F11
On Sun, 2009-06-14 at 10:35 +0200, Martin Sourada wrote: On Sat, 2009-06-13 at 22:19 -0400, Charles Butterfield wrote: * Samba (outbound) browsing requires firewall mods I don't know how Samba works, so forgive me if I say obvious stupidity, but shouldn't *client* work even behind closed firewall (like with any other services like ssh, ftp, ...)? Isn't this a samba bug then? Samba will do a broadcast name resolution to look up the hostname of the target. This is in line with expected windows behaviour we are asked to eumulate. Unless helped otherwise (ip_conntrack_netbios_ns) it does not know that the unicast datagram in return is to be matched to the outbound broadcast. Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Red Hat Inc. signature.asc Description: This is a digitally signed message part -- fedora-devel-list mailing list fedora-devel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-devel-list
Re: What I HATE about F11
On Mon, 15.06.09 12:41, Thomas Woerner (twoer...@redhat.com) wrote: So, what should happen here? Should we leave the firewall enabled in these cases* by default and require admins to open them? If so, is there any way that we can make this easier in some Packagekit-oriented manner? If not, how should we define that packages indicate that they need ports opened? Should this be handled at install time or run time? Gah. Allowing packages to pierce the firewall just makes the firewall redundant. I still think that the current firewall situation on Fedora is pretty much broken. It's a bit like SELinux: it's one of the first features most people disable. SELinux and the firewall configuration are trying to make the system secure before something happens. If your system is compromised, then it is far too late to react. If you do not care about security, then disable it and have fun with the results. You know, there is one big difference between SELinux and the default Firewall. The former doesn't inhibit the use of an application (at least if the policy is written correctly) because it whitelists every operation an application should be able to use but nothing else. OTOH the default firewall actively breaks a lot of applications we ship by default. It most of the time it even does that silently, without reporting EPERM or suchlike back to the application. Really, if SELinux is set up properly nobody should notice it. However the default firewall breaks a lot of services, and is hence very much noticeable. I wonder why other systems are getting more restrictive and secure over time and for Linux people request the opposite direction. Oh my. I wonder why other systems work by default and Fedora doesn't. Fedora is the only big distro that enables a firewall by default and thus creates a lot of trouble for many users. I think I mentioned that before, and I can only repeat it here: we should not ship a firewall enabled by default, like we currently do. If an application cannot be trusted then it should not be allowed to listen on a port by default in the first place. A firewall is an extra layer of security that simply hides the actual problem. How do you want to get to it should not be allowed to listen on a port by default? Maybe with SELinux? Yes, SELinux is fine for that. Or simply by not shipping the app at all if it's shit. Lennart -- Lennart PoetteringRed Hat, Inc. lennart [at] poettering [dot] net http://0pointer.net/lennart/ GnuPG 0x1A015CC4 -- fedora-devel-list mailing list fedora-devel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-devel-list
Re: What I HATE about F11
Lennart Poettering (mzerq...@0pointer.de) said: It's not just that ens1371 is shown as unrealistically popular, es1371 is what either QEMU or VMWare emulates. Bill -- fedora-devel-list mailing list fedora-devel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-devel-list
Re: What I HATE about F11
Jeff Spaleta wrote: I wonder, Would there be a reliable way to separate out emulated hardware inside the smolt database reliably so we can get a better statistical survey of in-service physical hardware devices? QEMU inserts its name into the CPU string does it not? It could be sorted that way. If it's VMware or VirtualBox the only way to know would be to grab BIOS/DMI data. -- fedora-devel-list mailing list fedora-devel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-devel-list
Re: What I HATE about F11
On Sunday 14 June 2009, Richard Fearn wrote: We have the wheel group which would fit the bill. Yeah, I always uncomment the %wheel line in sudoers and then add myself to that group. Ditto. See also https://bugzilla.redhat.com/show_bug.cgi?id=462161 -- fedora-devel-list mailing list fedora-devel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-devel-list
Re: What I HATE about F11
On Sun, Jun 14, 2009 at 09:57:56PM -0500, Mike McGrath wrote: On Sun, 14 Jun 2009, Mike McGrath wrote: On Mon, 15 Jun 2009, Lennart Poettering wrote: On Mon, 15.06.09 09:15, James Morris (jmor...@namei.org) wrote: On Sun, 14 Jun 2009, Lennart Poettering wrote: much broken. It's a bit like SELinux: it's one of the first features most people disable. False. Most people leave SELinux enabled, according to the smolt stats which have been collecting since the F8 era. Are you speaking of the same smolt that lists es1371 as most popular sound card? i.e. a sound card that has been out of production since about 10 years now? Somehow I have serious doubts about the validity of the smolt data. Based on actual data research or your gut? Sidenote on this specific device, seems vmware emulates it so we should probably continue to support it :) The percentage column seems odd to me. Only 6% of users have the most popular sound device? I'm also surprised that the majority of our users that submit smolt data don't seem have any sound device at all. I always expected the server/desktop balance to be quite heavily skewed towards desktop. Dave -- fedora-devel-list mailing list fedora-devel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-devel-list
Re: What I HATE about F11
On Mon, 15 Jun 2009, Seth Vidal wrote: On Mon, 15 Jun 2009, Lennart Poettering wrote: On Mon, 15.06.09 14:47, Dave Jones (da...@redhat.com) wrote: As already mentioned, smolt never heard of HDA. Either I am blind or there is no trace at all of HDA devices in this web UI. Maybe I'm confused - hda is the driver - bu the devices are an array of ICH devices, right? I see A LOT of those in smolt. I am pretty sure HDA is the most popular sound driver these days, and smolt is just lieing about it. I'm betting it is just returning another value than what you expect. Lieing might be a strong term to use, don't you think? and one more thing http://smolts.org/reports/view_devices?device=HDAsearch=Submit+Query sure shows a lot of things. -sv -- fedora-devel-list mailing list fedora-devel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-devel-list
Re: What I HATE about F11
On 06/15/2009 03:04 PM, Robert Marcano wrote: On Mon, Jun 15, 2009 at 2:17 PM, Casey Dahlincdah...@redhat.com wrote: The problem that does arise is: just because apache is installed doesn't mean its running. Really, init scripts should open the firewall ports they need when their service comes up (and I'll propose something for upstart 1.0 later today to make that make more sense.) My use case, I run httpd on my laptop, the port is closed because I do development on it, but sometimes when I need to test from a remote machine, I just open it because I know I am on a controlled environment. I do not want the initscripts to decide when I am on a safe network I'll keep this in mind. --CJD -- fedora-devel-list mailing list fedora-devel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-devel-list
Re: What I HATE about F11
Casey Dahlin wrote: Really, init scripts should open the firewall ports they need when their service comes up (and I'll propose something for upstart 1.0 later today to make that make more sense.) How is that supposed to work when I only want to allow connections to a service on a whitelist of IP addresses? Right now I do this with static iptables rules that I have set up (which, since I am never /not/ running the daemon in question, doesn't have any drawbacks I can think of off the top of my head). -- Matthew Please do not quote my e-mail address unobfuscated in message bodies. -- End of Transmission -- fedora-devel-list mailing list fedora-devel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-devel-list
Re: What I HATE about F11
On Mon, 15 Jun 2009, Lennart Poettering wrote: On Mon, 15.06.09 14:47, Dave Jones (da...@redhat.com) wrote: Are you speaking of the same smolt that lists es1371 as most popular sound card? i.e. a sound card that has been out of production since about 10 years now? Somehow I have serious doubts about the validity of the smolt data. Based on actual data research or your gut? Sidenote on this specific device, seems vmware emulates it so we should probably continue to support it :) The percentage column seems odd to me. Only 6% of users have the most popular sound device? I'm also surprised that the majority of our users that submit smolt data don't seem have any sound device at all. I always expected the server/desktop balance to be quite heavily skewed towards desktop. As already mentioned, smolt never heard of HDA. Either I am blind or there is no trace at all of HDA devices in this web UI. I am pretty sure HDA is the most popular sound driver these days, and smolt is just lieing about it. Did you try searching for it? Smolt has a search function. -Mike -- fedora-devel-list mailing list fedora-devel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-devel-list
Re: What I HATE about F11
On 06/14/2009 09:13 PM, Simo Sorce wrote: On Sun, 2009-06-14 at 14:23 -0800, Jeff Spaleta wrote: On Sun, Jun 14, 2009 at 6:45 AM, Simo Sorcesso...@redhat.com wrote: I haven't done a graphical root login in the past 10 years probably and on multiple distribution. Graphical root login is meaningless. Let me ask you a question as an example to better define the expectation on behavior that people have on what it means to administer a computer system. Can you run the thread audience through the steps on how you personally go about changing permissions on a root owned file or directory on a Fedora install to give write access to an admin user.. using nothing but graphical tools as installed by default in the Fedora Desktop? I honestly don't know how to do it. And I wouldn't think to do it that way. I'll reach for the commandline somewhere in the process whether it be to configure sudo or just doing the chmod under su. Nautilus exposes permissions for root owned files but I don't see an obvious hook that allows me to use existing authorization infrastructure to gain access to change those permissions as an admin user under nautilus. But for someone else...someone new who didn't waste time learning how to banner attack their classmates logged into the school's Vax system via a serial connection, someone who is installing a linux system for personal use and learning how to interact with that system and is basically their own admin...,they may instinctively reach for a graphical way to do stuff like file permissions manipulations. root login may realistically be the simplest way they know to gain access to graphical tools to perform simple operations that the user desktop does not allow. Its great that sudo exists and can be configured but how do you discover that tool as a new user doing a self-administered install? Nautilus is the obvious, intuitive for file management tasks, and if the only graphical way to get to a version of nautilus that can manipulate system files is to login as root..then it sort of makes sense that inexperienced users will attempt to do that..because its the logic of behavior the that graphical tool UI suggests. If there is an expectation that users can work with the graphical tools to do simple administrative tasks, I'm not sure enough thought has been put into how to self-consistently expose that functionality. You certainly have a point here Jeff. Simo. The ability for nautilus to prompt for credentials when the user tries to do something outside his permission level has been missing for far too long. Its annoying to implement, but I'll owe a beer to whoever finally does it. --CJD -- fedora-devel-list mailing list fedora-devel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-devel-list
Re: What I HATE about F11
Matthew Woehlke wrote: Configuration is fine, just as long as there /is/ configuration and not running a service always exposes it to the world with no way to prevent that. (Prevention by editing init-scripts doesn't count ;-).) That's terrible. Unfortunately, I noticed after hitting 'send' :-(. I meant (adding quotes, to properly group ideas): Configuration is fine, just as long as there /is/ configuration and not running a service always exposes it to the world with no way to prevent that. -- Matthew Please do not quote my e-mail address unobfuscated in message bodies. -- End of Transmission -- fedora-devel-list mailing list fedora-devel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-devel-list
Re: What I HATE about F11
On Mon, Jun 15, 2009 at 11:42 AM, Casey Dahlincdah...@redhat.com wrote: The ability for nautilus to prompt for credentials when the user tries to do something outside his permission level has been missing for far too long. Its annoying to implement, but I'll owe a beer to whoever finally does it. I just threw that out as one example of how to think like a new admin when figuring out how to perform an administrative task for the first time would end up trying to re-login as root in order to get access to gui tools to make up for a lack of familiarity with the command line. I'm sure there are other easy to reach for examples to illustrate the point. We've got a set of task specific GUI tools that make use of the authorizations framework that helps a lot when normal usage patterns requires a user to act as an admin( without really having to realize it). But I'm not sure we've collectively got our heads around the use case the defines the collective needs of the novice administrator and sets a boundary beyond which command line familiarity is expected. .File permissions may or not be one of those things we expect to fall into that novice boundary. It's difficult for me to even make a suggestion as to where the boundary is, I reach for the commandline a lot more often than I strictly need to with the current set of UI tools available. -jef -- fedora-devel-list mailing list fedora-devel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-devel-list
Re: What I HATE about F11
On 06/15/2009 04:22 PM, Jeff Spaleta wrote: On Mon, Jun 15, 2009 at 11:42 AM, Casey Dahlincdah...@redhat.com wrote: The ability for nautilus to prompt for credentials when the user tries to do something outside his permission level has been missing for far too long. Its annoying to implement, but I'll owe a beer to whoever finally does it. I just threw that out as one example of how to think like a new admin when figuring out how to perform an administrative task for the first time would end up trying to re-login as root in order to get access to gui tools to make up for a lack of familiarity with the command line. I'm sure there are other easy to reach for examples to illustrate the point. We've got a set of task specific GUI tools that make use of the authorizations framework that helps a lot when normal usage patterns requires a user to act as an admin( without really having to realize it). But I'm not sure we've collectively got our heads around the use case the defines the collective needs of the novice administrator and sets a boundary beyond which command line familiarity is expected. .File permissions may or not be one of those things we expect to fall into that novice boundary. It's difficult for me to even make a suggestion as to where the boundary is, I reach for the commandline a lot more often than I strictly need to with the current set of UI tools available. -jef Maybe we should just make the command line more friendly so users don't mind reaching for it. I vote we add clippy. --CJD -- fedora-devel-list mailing list fedora-devel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-devel-list
Re: What I HATE about F11
On Mon, Jun 15, 2009 at 2:34 AM, Lennart Poetteringmzerq...@0pointer.de wrote: On Sun, 14.06.09 16:11, Jeff Spaleta (jspal...@gmail.com) wrote: On Sun, Jun 14, 2009 at 3:36 PM, Lennart Poetteringmzerq...@0pointer.de wrote: Are you speaking of the same smolt that lists es1371 as most popular sound card? i.e. a sound card that has been out of production since about 10 years now? Somehow I have serious doubts about the validity of the smolt data. You might have found a bug in the tallying there in how cards are self-identifying product strings. ci devices identify them via numeric ids only, the strings come from the hwdata databases. You'll notice the same exact entry is listed twice in the Audio device table. Are cards using the ENS1371 driver misreporting their vendor/card version info? There are only 5 listings in the table for the ENS1371 driver. There are dozens listed for the Intel ICH driver. I bet if you totalled up counts by driver, things would look more sensible to you with intel being a reasonably large percentage of the drivers in use. It's not just that ens1371 is shown as unrealistically popular, it's also that it doesn't know a single HDA device. I mean, seriously... what will smolt claim next? that santa claus exists? It is the card which qemu/kvm emulates .. that is the source of this data (not real hw installations) -- fedora-devel-list mailing list fedora-devel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-devel-list
Re: What I HATE about F11
On Mon, Jun 15, 2009 at 10:33 PM, Casey Dahlincdah...@redhat.com wrote: Maybe we should just make the command line more friendly so users don't mind reaching for it. I vote we add clippy. yum install hotwire ;) -- fedora-devel-list mailing list fedora-devel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-devel-list
Re: What I HATE about F11
On Mon, Jun 15, 2009 at 12:33 PM, Casey Dahlincdah...@redhat.com wrote: Maybe we should just make the command line more friendly so users don't mind reaching for it. I vote we add clippy. I'm not saying that necessarily needs to be friendlier to use but it may need to be more discoverable as to when it is expected to be used. What I am saying is, there maybe a gap in the reality and assumed expectation on where and when self-installing novice administrators should be diving into the commandline. Nothing in how our default live CD based install experience is put together points to the commandline as a tool for doing infrequent oddball tasks not explicitly covered in by the task specific gui tools in the system menu. Is the expectation that configuring sudo for their user or the wheel group is a best practice for these sort of infrequent tasks? Do we have system interactions designed in such a way that encourages commandline usage best practices? Lacking any system interaction that points to running tasks in a terminal under sudo, trying to login to gdm as root to gain enough privileges to do file re-permissioning or editting system wide config files seems like an obvious thing novice admins would try doing and be frustrated by when that didn't work. -jef -- fedora-devel-list mailing list fedora-devel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-devel-list
Re: What I HATE about F11
On Sat, 13 Jun 2009 22:19:17 -0400 Charles Butterfield charles.butterfi...@nextcentury.com wrote: Okay, so I mostly love Fedora. However, here are 4 things that got by blood really, really boiling, so I thought I'd share my emotions. They are mostly policy issues, where I think you have gotten it very very wrong. Well, wrong is a fairly subjective term, but each to their own. :-D Just installed F11 64 bit, here are the things I hate about it in the first 30 minutes (of course there are a lot of things I like too, but they work, these don't). No doubt more will crop up. * Root gdm login - gets harder every release - SHAME ON YOU root nazis! Ich bin ein secure user and you should be too. Logging in as root into X directly (or the console for that matter) is a *bad idea*. Yes a *BAD IDEA* This isn't specific to Fedora or even Linux/UNIX for that matter (Savvy Windows admins have been trying this too to no avail. They do exist, in times past I was one..) With the likes of sudo / ConsoleKit / console-helper et. al you should never, ever need to run an extended session as root. Your day-to-day work can be done perfectly well as a standard non-privileged user, the applications that *need* root, especially in X, are hooked into consolehelper/ConsoleKit anyway and will prompt you for the root password in any case (when run as a regular user) As a systems administrator I applaud this idea, as it stops people from shooting themselves in the foot (which is more like a Howtizer, be it a desktop or server) As a BOFH I'd like to see it extended further, lecturing/LARTing the user for even attempting root login on X/direct tty :-P * Samba (outbound) browsing requires firewall mods Turn off the firewall (if you're on a trusted local network) or punch the required holes (137-139,445,kerberos) via system-config-firewall otherwise. The default firewall is quite strict, which given that new users are often ignorant of UNIX security is not such a bad idea (see bullet/foot above) * Jamming SELinux enforcing mode with no query during install I've done reinstalls and upgrades and not seen a denial AVC - I believe if it runs during the installer it would be a permissive / targeted mode. I did have SELinux break an upgrade but that was many releases back, and a relabel fixed it. And a bug: * My supported NVIDIA card (Quadro NVS 295) is not detected - okay this may not be due to overt, mulish arrogance, but I did check the supported card list and it is really annoying. While noveau is better than prior releases, it's not perfect - I have a 8800GS - noveau works but it kernel panics and glitched out on me on a couple of occasions (suspect my system has a conflict somewhere) - the nvidia binary blob works, it's not my preference but got things going. I'll give it another whirl in a future update My card is supported too, but it doesn't mean it's perfect. The first 3 items are just freaking absurd and represent some sort of political agenda combined with astonishing arrogance. You forgot the IMHO. Can you outline this political agenda you speak of, or are you being melodramatic? I happen to believe the reasons are much simpler - sound technical and *secure* usability. We're not being bastards for the sake of it. Is a graphical root login dangerous -- of course! So are a lot of things, which have obvious enable/disable controls. Was this this discussed in the release note? - NO. Should it be inhibited by an ever-increasing set of obscure work-arounds (in this case an new file to edit in F11)? Of course not. Again, you forgot the IMHO. Your case is (hopefully) a minority one - most users won't know or care, those that do will try and find out how to enable it if they *really* want it. Making it simple to do something that is inherently dangerous is just bad practice and WILL bite users on the backside. (Well as was pointed out to me in thread http://forums.fedoraforum.org/showthread.php?t=223793 this is discussed... but in non-highlighted text at the end of the boring last bullet suggesting you save and close). And why on earth show the stupid Windows Network if it doesn't work -- just gives an obscure error message Failed to retrieve share list from server. If you install the client, the reasonable man would open the ports, OR provide a cluefull error message. Take up the error message with the nautilus developers - it's technically correct (if the firewall is closed then the browse list will not be retrievable from the DC/browse master) but not very specific. The firewall case is different again: The precise ports to open vary by environment (are you on an Active Directory domain or a Samba3/NT4 style domain? The ports differ slightly between versions) Also changing system security silently and dynamically in a package install, without the user/admin's knowledge is a definite no-no. SELinux - enforcing So all the bugs are worked out? I think
Re: What I HATE about F11
On Sat, 2009-06-13 at 22:19 -0400, Charles Butterfield wrote: snip * Root gdm login - gets harder every release - SHAME ON YOU root nazis! You can always init 3, login as root and startx if you *really need* graphical root login (or use su in gnome-terminal or whatever gui terminal is your favourite). I think that disabling root login in gdm is fairly good security measure for noobs coming windows while experienced administrators still know what to do if they need it. But I've never really needed gui root login for the 4 past years I've been using Fedora linux. * Samba (outbound) browsing requires firewall mods I don't know how Samba works, so forgive me if I say obvious stupidity, but shouldn't *client* work even behind closed firewall (like with any other services like ssh, ftp, ...)? Isn't this a samba bug then? * Jamming SELinux enforcing mode with no query during install Well, what works for me does not tell anything in general, but for the first time, I've been using SELinux enforcing mode since installing Fedora 11 Alpha. It does not get into my way. And a bug: * My supported NVIDIA card (Quadro NVS 295) is not detected - okay this may not be due to overt, mulish arrogance, but I did check the supported card list and it is really annoying. I don't know how to read this. Your X does not start? Or does it start with weird resolution? What are the results of the card not being detected? Which drivers does not work (nouveau, nv, proprietary one)? Have you filled a bug? Martin signature.asc Description: This is a digitally signed message part -- fedora-devel-list mailing list fedora-devel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-devel-list
Re: What I HATE about F11
Hi, To be honest, I like the Ubuntu way of adding a sudoers entry for the first user that gets created. Then suggest it as a feature for F12 That is actually a very good idea. Ubuntu has an admin group, and users in that group can use sudo due to this line in sudoers: %admin ALL=(ALL) ALL I might suggest this as a feature unless anyone else wants to (or thinks I shouldn't) ? Rich -- fedora-devel-list mailing list fedora-devel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-devel-list
Re: What I HATE about F11
Ubuntu has an admin group, and users in that group can use sudo due to this line in sudoers: %admin ALL=(ALL) ALL I might suggest this as a feature unless anyone else wants to (or thinks I shouldn't) ? # grep -n wheel /etc/sudoers 81:## Allows people in group wheel to run all commands 82:# %wheel ALL=(ALL) ALL 85:# %wheel ALL=(ALL) NOPASSWD: ALL All you have to do is uncomment one line ;) -- Mathieu Bridon (bochecha) -- fedora-devel-list mailing list fedora-devel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-devel-list
Re: What I HATE about F11
# grep -n wheel /etc/sudoers 81:## Allows people in group wheel to run all commands 82:# %wheel ALL=(ALL) ALL 85:# %wheel ALL=(ALL) NOPASSWD: ALL All you have to do is uncomment one line ;) That's exactly what I do, followed by: $ usermod -a -G wheel rich But wouldn't it be nice if this line was uncommented by default, and firstboot added the first user to this group automatically? Rich -- fedora-devel-list mailing list fedora-devel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-devel-list
Re: What I HATE about F11
On Sun, 2009-06-14 at 10:35 +0200, Martin Sourada wrote: On Sat, 2009-06-13 at 22:19 -0400, Charles Butterfield wrote: snip * Root gdm login - gets harder every release - SHAME ON YOU root nazis! You can always init 3, login as root and startx if you *really need* graphical root login (or use su in gnome-terminal or whatever gui terminal is your favourite). I think that disabling root login in gdm is fairly good security measure for noobs coming windows while experienced administrators still know what to do if they need it. But I've never really needed gui root login for the 4 past years I've been using Fedora linux. I haven't done a graphical root login in the past 10 years probably and on multiple distribution. Graphical root login is meaningless. * Samba (outbound) browsing requires firewall mods I don't know how Samba works, so forgive me if I say obvious stupidity, but shouldn't *client* work even behind closed firewall (like with any other services like ssh, ftp, ...)? Isn't this a samba bug then? Samba as a client needs to listen for Netbios packets replies (UDP) to do browsing, so since F-10 (yes this is not something new in F-11) the firewall has strict rules and there is a samba client specific rule. * Jamming SELinux enforcing mode with no query during install Well, what works for me does not tell anything in general, but for the first time, I've been using SELinux enforcing mode since installing Fedora 11 Alpha. It does not get into my way. I've been developing even on F-11 pres and on F-10 with SELinux enforcing. I had a relabeling problem only after the upgrade process done during beta (where you don't expect everything to work fine anyway). No real problem whatsoever for regular usage. Simo. -- Simo Sorce * Red Hat, Inc * New York -- fedora-devel-list mailing list fedora-devel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-devel-list
Re: What I HATE about F11
On Jun 14, 2009, at 5:31, Richard Fearn richardfe...@gmail.com wrote: Hi, To be honest, I like the Ubuntu way of adding a sudoers entry for the first user that gets created. Then suggest it as a feature for F12 That is actually a very good idea. Ubuntu has an admin group, and users in that group can use sudo due to this line in sudoers: %admin ALL=(ALL) ALL I might suggest this as a feature unless anyone else wants to (or thinks I We have the wheel group which would fit the bill. -- Jes -- fedora-devel-list mailing list fedora-devel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-devel-list
Re: What I HATE about F11
On Sun, Jun 14, 2009 at 17:45:43 +1000, Michael Fleming mflem...@thatfleminggent.com wrote: I've done reinstalls and upgrades and not seen a denial AVC - I believe if it runs during the installer it would be a permissive / targeted mode. I did have SELinux break an upgrade but that was many releases back, and a relabel fixed it. There is a bit of confusion here. It doesn't make sense to alternate permissive and targeted. SELinux can be disabled, running in permissive mode or enforcing mode. Fedora has 3 differently policies provided for you to use, mimimum, targeted and mls. The old strict policy has been merged into targeted. -- fedora-devel-list mailing list fedora-devel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-devel-list
Re: What I HATE about F11
We have the wheel group which would fit the bill. Yeah, I always uncomment the %wheel line in sudoers and then add myself to that group. Hmmm, having looked at the Features guidelines I'm not sure if this warrants a feature page or not. It would only involve a change to the default sudoers file, and a change to firstboot to add the first user to the wheel group. Can someone from FESCo help out here? Should I make a feature page for this or not? Thanks, Rich -- fedora-devel-list mailing list fedora-devel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-devel-list
Re: What I HATE about F11
On 14/06/09 16:07, Orcan Ogetbil wrote: snip However I agree with you that samba is always a pain to setup on new systems. I do not hate it, but I wish this had been made easier. Logging into X as root? I can't comment on this as I didn't ever feel the need to do that. I didn't know it was prevented by a Nazi force. They probably have a very good reason. Peace, Orcan Why not install ebox-platform. Frank -- fedora-devel-list mailing list fedora-devel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-devel-list
Re: What I HATE about F11
The way it is done right now, you have a system that might give too few permissions to some users. If that causes a problem, you'll notice it, and you can correct it in a very simple way (uncomment one line and add a user to a group). However, if we change the default, you have a system that may be giving too much permissions to some users depending on your taste. And the worse part is that you (as an admin) might not even know it ! I think uncommenting the line by default would be OK as on the two F11 systems I have the only user in the wheel group is root. I had to manually add myself to wheel to get extra permissions. If you install the system, you know the root password, so you can use su to get a root prompt anyway. So I suppose it comes down to whether we should be adding users to the wheel group by default. I guess it could be a checkbox in firstboot... Allow this user to perform administrative tasks or something. Then administrators could choose whether or not to add the user to wheel. IMHO, stricter by default in such a case is better. It's easier to add permissions, open holes when you need them, rather than having to chase some opened-by-default holes you don't even know about. I agree, but if this were an option in firstboot I think it would be obvious. Rich -- fedora-devel-list mailing list fedora-devel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-devel-list
Re: What I HATE about F11
On Sun, 2009-06-14 at 15:59 +0100, Richard Fearn wrote: We have the wheel group which would fit the bill. Yeah, I always uncomment the %wheel line in sudoers and then add myself to that group. Hmmm, having looked at the Features guidelines I'm not sure if this warrants a feature page or not. It would only involve a change to the default sudoers file, and a change to firstboot to add the first user to the wheel group. Can someone from FESCo help out here? Should I make a feature page for this or not? Thanks, Rich You're going to be touching multiple packages, asking people to write code for you, and needing to change documentation and user expectations. I would warrant that this very much is a feature. -- Jesse Keating Fedora -- Freedom² is a feature! identi.ca: http://identi.ca/jkeating signature.asc Description: This is a digitally signed message part -- fedora-devel-list mailing list fedora-devel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-devel-list
Re: What I HATE about F11
On Sun, Jun 14, 2009 at 05:10:14PM +0200, Mathieu Bridon (bochecha) wrote: However, if we change the default, you have a system that may be giving too much permissions to some users depending on your taste. And the worse part is that you (as an admin) might not even know it ! The semantics of the wheel group are pretty well defined. -- Matthew Garrett | mj...@srcf.ucam.org -- fedora-devel-list mailing list fedora-devel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-devel-list
Re: What I HATE about F11
Am Sonntag, den 14.06.2009, 17:10 +0200 schrieb Mathieu Bridon The way it is done right now, you have a system that might give too few permissions to some users. If that causes a problem, you'll notice it, and you can correct it in a very simple way (uncomment one line and add a user to a group). However, if we change the default, you have a system that may be giving too much permissions to some users depending on your taste. And the worse part is that you (as an admin) might not even know it ! IMHO, stricter by default in such a case is better. It's easier to add permissions, open holes when you need them, rather than having to chase some opened-by-default holes you don't even know about. Full ACK. Stricter by default is definitely better, changing on little line is not too hard. Charles Butterfield wrote: Samba (outbound) browsing requires firewall mods So, solving this is pretty easy, even for newbies. But I agree that the error message will not help someone without advanced knowledge. Although I think people running Samba generally will know where to look for the problem. signature.asc Description: Dies ist ein digital signierter Nachrichtenteil -- fedora-devel-list mailing list fedora-devel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-devel-list
Re: What I HATE about F11
The way it is done right now, you have a system that might give too few permissions to some users. If that causes a problem, you'll notice it, and you can correct it in a very simple way (uncomment one line and add a user to a group). However, if we change the default, you have a system that may be giving too much permissions to some users depending on your taste. And the worse part is that you (as an admin) might not even know it ! Bikeshed! Must be some weird stuff smoking admin who simply adds someone to the wheel group not knowing what that group was for! The purpose of the wheel group has always been to be used for more privileged users. http://en.wikipedia.org/wiki/Wheel_%28Unix_term%29 http://catb.org/~esr/jargon/html/W/wheel.html Did I say the contrary ? I don't think so, but being a non-native english speaker, I might have said something I didn't want to :) I didn't say the wheel group was a nonsense or a problem. I was responding to Richard who wanted the line to be uncommented (harmless per se) AND the first user to be added to the wheel group by default. Having the admin's user in the wheel group to be able to use sudo for administrative tasks is a great idea. I just don't think it should be added by default, without an explicit consent of the admin. For example, a « add to the wheel group » checkbox in system-config-users and firstboot could be great. Not sure it would be a good idea to have it checked and hidden by default. Regards, -- Mathieu Bridon (bochecha) -- fedora-devel-list mailing list fedora-devel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-devel-list
Re: What I HATE about F11
On Sun, Jun 14, 2009 at 6:13 PM, Julian Aloofijulian.fedorali...@googlemail.com wrote: Am Sonntag, den 14.06.2009, 17:10 +0200 schrieb Mathieu Bridon Samba (outbound) browsing requires firewall mods So, solving this is pretty easy, even for newbies. But I agree that the error message will not help someone without advanced knowledge. Although I think people running Samba generally will know where to look for the problem. I doubt that -- fedora-devel-list mailing list fedora-devel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-devel-list
Re: What I HATE about F11
Charles Butterfield wrote: ... Does it help if more people (dis)agree? I will add my voice. - I like a root login option, especially when first setting up the system, as it is helpful to do things as root. I consciously choose to use root and realize that I MYSELF could be exposing MY OWN computer to risks. I ALWAYS uncomment %wheel in sudoers and add myself to the wheel group, but just to get to do this is sometimes difficult, as it gets constantly more awkward to even have the privileges to edit sudoers (fortunately, fedora is one of the more permissive distros with regard to editing sudoers). It is ESSENTIAL that a user be able to modify system settings on his OWN computer, if he chooses to do so. I fully support your outrage. Luckily, as a kde user, kdm has not been hit my the root nazi bug, so I am not hugely affected. - Since about fedora 10, selinux is working so well that I no longer need to disable it at all, which I used to have to do. I am able to do everything I need to do without problems and I appreciate the extra security it might provide to my system, and hence, to my data and online experience. It is easy to disable, too, simply by editing grub's kernel boot line or using the gui interface. I cannot support your rage, as it IS working well and is so easily disabled. -- fedora-devel-list mailing list fedora-devel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-devel-list
Re: What I HATE about F11
On Sun, 14 Jun 2009, Lennart Poettering wrote: The way it is done right now, you have a system that might give too few permissions to some users. If that causes a problem, you'll notice it, and you can correct it in a very simple way (uncomment one line and add a user to a group). However, if we change the default, you have a system that may be giving too much permissions to some users depending on your taste. And the worse part is that you (as an admin) might not even know it ! Bikeshed! No. the bikeshed is about not agreeing on details and not starting work on the item. That's not the case here. Here the argument is that it *needs* to work. That said, I agree the wheel group should be enabled with sudo, though I disagree that the initial install user should be automatically added to it. But then again, I hate sudo :P I do most scripting that requires root access via root logins directly with ssh and keys. Paul -- fedora-devel-list mailing list fedora-devel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-devel-list
Re: What I HATE about F11
On Sun, 2009-06-14 at 10:52 -0700, Arjan van de Ven wrote: On Sun, 14 Jun 2009 18:34:52 +0100 I think this is actually a problem that needs solving. We have several network services that are either installed by default or might be expected to be part of a standard setup, but which don't work because of the default firewall rules. The Anaconda people have (sensibly, IMHO) refused to simply add further exceptions to the firewall policy. there is an interesting issue; if you poke a hole in your firewall for all the ports that are listening automatically. you might as well not have a firewall in the first place... This is a chicken-and-egg problem. FWIW, I'd want my created normal user to be added to wheel automatically, and the useless firewall removed from the default desktop install. -- fedora-devel-list mailing list fedora-devel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-devel-list
Re: What I HATE about F11
On Sun, 14 Jun 2009 15:59:58 +0100 Richard Fearn richardfe...@gmail.com wrote: We have the wheel group which would fit the bill. Yeah, I always uncomment the %wheel line in sudoers and then add myself to that group. Hmmm, having looked at the Features guidelines I'm not sure if this warrants a feature page or not. It would only involve a change to the default sudoers file, and a change to firstboot to add the first user to the wheel group. Can someone from FESCo help out here? Should I make a feature page for this or not? https://fedoraproject.org/wiki/Features/Policy/Definitions I think this would fall under several of the tests for it being a feature. Note however, making a feature page does not mean that this magically gets done. It would be up your YOU (or whoever else helps you) to get the work done, coordinate with package maintainers who are affected, etc. Basically a feature page says I am going to work on getting this done, not this would be nice, someone should do it. That said, if you are willing to work on it, great. :) Thanks, Rich kevin signature.asc Description: PGP signature -- fedora-devel-list mailing list fedora-devel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-devel-list
Re: What I HATE about F11
On Sun, Jun 14, 2009 at 1:05 PM, Paul Woutersp...@xelerance.com wrote: That said, I agree the wheel group should be enabled with sudo, though I disagree that the initial install user should be automatically added to it. Should sudo be treated in this case any differently than su? I think wheel should be either enabled by default in both or in neither. I'm happy with the status quo, in both cases the admin is required to remove one comment from the appropriate configuration file to enable it. I am strongly against the first user automatically being in the wheel group but if it were a checkbox that seems ok. Actually, I am strongly against the way Fedora forces the creation of the first user without allowing the admin to set the uid/gid of the user. That is a different annoying issue. John -- fedora-devel-list mailing list fedora-devel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-devel-list
Re: What I HATE about F11
On Sun, Jun 14, 2009 at 20:08:31 +0200, Lennart Poettering mzerq...@0pointer.de wrote: enabled by default, like we currently do. If an application cannot be trusted then it should not be allowed to listen on a port by default in the first place. A firewall is an extra layer of security that simply hides the actual problem. The point of the firewall is to block connections to services that are only supposed to be connected from trusted locations. This may be things you are testing, don't intend to be running, don't bind to 127.0.0.1 instead of 0.0.0.0, even though they are intended to be accessed from the local machine, or services that you only want to accept connections from a white list of IP addresses. -- fedora-devel-list mailing list fedora-devel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-devel-list
Re: What I HATE about F11
On Sun, Jun 14, 2009 at 10:45:09AM -0400, Simo Sorce wrote: * Samba (outbound) browsing requires firewall mods I don't know how Samba works, so forgive me if I say obvious stupidity, but shouldn't *client* work even behind closed firewall (like with any other services like ssh, ftp, ...)? Isn't this a samba bug then? Samba as a client needs to listen for Netbios packets replies (UDP) to do browsing, so since F-10 (yes this is not something new in F-11) the firewall has strict rules and there is a samba client specific rule. ...which is broken in that it is too permissive, and in that it isn't enabled by default. We need to fix it so it only uses the conntrack module but doesn't open inbound ports, and also enable it in the default install. https://bugzilla.redhat.com/show_bug.cgi?id=469884 -- fedora-devel-list mailing list fedora-devel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-devel-list
Re: What I HATE about F11
On 6/13/2009 10:19 PM, Charles Butterfield wrote: Okay, so I mostly love Fedora. However, here are 4 things that got by blood really, really boiling, so I thought I’d share my emotions. They are mostly policy issues, where I think you have gotten it very very wrong. Just installed F11 64 bit, here are the things I hate about it in the first 30 minutes (of course there are a lot of things I like too, but they work, these don't). No doubt more will crop up. * Root gdm login - gets harder every release - SHAME ON YOU root nazis! * Samba (outbound) browsing requires firewall mods * Jamming SELinux enforcing mode with no query during install And a bug: * My supported NVIDIA card (Quadro NVS 295) is not detected - okay this may not be due to overt, mulish arrogance, but I did check the supported card list and it is really annoying. The first 3 items are just freaking absurd and represent some sort of political agenda combined with astonishing arrogance. Is a graphical root login dangerous -- of course! So are a lot of things, which have obvious enable/disable controls. Was this this discussed in the release note? - NO. Should it be inhibited by an ever-increasing set of obscure work-arounds (in this case an new file to edit in F11)? Of course not. (Well as was pointed out to me in thread http://forums.fedoraforum.org/showthread.php?t=223793 this is discussed... but in non-highlighted text at the end of the boring last bullet suggesting you “save and close”). And why on earth show the stupid Windows Network if it doesn't work -- just gives an obscure error message Failed to retrieve share list from server. If you install the client, the reasonable man would open the ports, OR provide a cluefull error message. SELinux - enforcing So all the bugs are worked out? I think not. Regards -- Charlie Butterfield P.S. Here is a bit more context: Bob -- Thanks for the tip, I did NOT realize the developers didn't scan the forums. I have been using Fedora since FC2 (I think), and overall think its great, esp as a bleeding edge incubator for RHEL/CentOS. BUT there are some annoying trends occurring that finally pushed me over rant/no-rant threshold. Dan -- I like all manner of stuff, but what caused me to just wipe my CentOS 5.3 root partition and replace it with F11 was a desire to get the relatively new GNOME gvfs stuff -- so I can manipulate remote windows shares with any tool, not just GnomeVFS aware tools. On a higher level I am amazed and impressed by the creative outpouring from the various Open Source communities, although it is also a stark reminder of the fact that programmers hate, hate, hate documentation :-) This is an interesting debate that you all are having here. But has anyone, other than me that is, noticed the complete absence to the OP, Mr. Charlie Butterfield, after his original rants? Or would this be trolling? ;-) BTW. Great job on Fedora 11. -- David -- fedora-devel-list mailing list fedora-devel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-devel-list
Re: What I HATE about F11
2009/6/14 Richard Fearn richardfe...@gmail.com: # grep -n wheel /etc/sudoers 81:## Allows people in group wheel to run all commands 82:# %wheel ALL=(ALL) ALL 85:# %wheel ALL=(ALL) NOPASSWD: ALL All you have to do is uncomment one line ;) That's exactly what I do, followed by: $ usermod -a -G wheel rich But wouldn't it be nice if this line was uncommented by default, and firstboot added the first user to this group automatically? It might be nice, but unless we document that feature heavily and declare that 'first' user to be administrator with big warnings all over the place, some noob will still do something stupid. I don't mean stupid like 'i'm a noob and i don't know what i'm doing', but stupid like 'i didn't know firefox had a security vulnerability that used a hole in sudo to run stuff as root, because i was using some silly extension'. We would have to set up a user account that is a non root user with extra priveleges and constant warnings to the user that i really wonder what the advantage is to it. The best argument against all this nonsense is like this. User space programs are complex and there are many of them. Unless you have audited each bit that is going to be run as a privileged user, you should avoid runnning it as some privileged user. When you log in to a graphical desktop environment with lots of userspace programs, they should all be running on the least amount of privileges necessary and furthermore confined with SELinux where possible. Seriously, who wants to audit the entire GNOME or KDE codebase? There should never be a user that has more privileges and also running in a graphical environment. Ever. The only interesting debate i've heard is over two security models i'll call 'su' and 'sudo', for their recognized behavior. 'su' requires the root password, and 'sudo' requires your own password. Let me argue for one more model called 'sird'. 'sird' asks for a per user 'root' password. Each user has two passwords, one is an everyday password and one is for actions that require root access. Currently Fedora uses a mix of 'sudo' and 'su', and is inconsistent. Ubuntu relies only on 'sudo' for the most part, except for certain weird programs they haven't set up to do so, and then the experince is inconsistent. The security issue here though is how do we securely give 'sudo' and 'sird' like rights to users without violating the rule i stated above? With Fedora we require that you use the root password the first time. This way the user has to intelligently maintain that the specified account should be given more privileges. It's then on the user's head to violate the rule above. Ubuntu just gives sudo to the first user created, and since i haven't touched the brown since the beginning of 2007, i have no clue how much they alert the user to the possible security risks. If i can put my own 2 cents in what needs to be done here: Currently we implement this barrier to entry via the command line. Perhaps if we could leverage PolicyKit better so we can have an icon or control tool for the person who installs Fedora on the machine to use the root password to grant rights to other users. Then the administrator, aka the person responsible for instalation, could decide whether to use su, sudo, or sird style access. If you're wondering what 'sird' is, it's just an arbitrary name that sounds like third, because there would be a 'third' password. (Root = 1, User = 2, Sird = 3) -Yaakov -- fedora-devel-list mailing list fedora-devel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-devel-list
Re: What I HATE about F11
Le dimanche 14 juin 2009 à 20:08 +0200, Lennart Poettering a écrit : I still think that the current firewall situation on Fedora is pretty much broken. It's a bit like SELinux: it's one of the first features most people disable. For the people I know disabling the firewall is very low under disabling SELinux and (ahem) PulseAudio. At that point iptables is fairly solid and well understood and documented. -- Nicolas Mailhot signature.asc Description: Ceci est une partie de message numériquement signée -- fedora-devel-list mailing list fedora-devel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-devel-list
Re: What I HATE about F11
Michael Fleming mflem...@thatfleminggent.com writes: With the likes of sudo / ConsoleKit / console-helper et. al you should never, ever need to run an extended session as root. Your day-to-day work can be done perfectly well as a standard non-privileged user, the applications that *need* root, especially in X, are hooked into consolehelper/ConsoleKit anyway and will prompt you for the root password in any case (when run as a regular user) That doesn't mean it's more secure that directly logging as root using e.g. ssh, tty or xterm. I won't argue about X desktop. A non-privileged account ceases to be non-privileged when you use it to become root. It may save you from incidental rm -rf /, but it creates a false feeling that the non-privileged account doesn't need the same level of protection as the root account needs. From a security standpoint, it's thus usually less secure that using root directly. Obviously one shouldn't use root account for non-admin tasks, sure. But it has nothing to do with security. If one has to perform many root tasks, there is nothing wrong in doing it in an extended root session. Having to type root password many times may only create an additional opportunity for a compromise. As a systems administrator I applaud this idea, as it stops people from shooting themselves in the foot That may be true. The same can probably be said about alias rm='rm -i' and so on. This is not security, however. -- Krzysztof Halasa -- fedora-devel-list mailing list fedora-devel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-devel-list
Re: What I HATE about F11
inode0 ino...@gmail.com writes: Actually, I am strongly against the way Fedora forces the creation of the first user without allowing the admin to set the uid/gid of the user. That is a different annoying issue. Hmm... Does it? I installed F11 (i386, with netinstall) recently and it didn't create normal accounts (nor asked). -- Krzysztof Halasa -- fedora-devel-list mailing list fedora-devel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-devel-list
Re: What I HATE about F11
I didn't say the wheel group was a nonsense or a problem. I was responding to Richard who wanted the line to be uncommented (harmless per se) AND the first user to be added to the wheel group by default. I've since changed my mind :-) For example, a « add to the wheel group » checkbox in system-config-users and firstboot could be great. That's a good idea. Not sure it would be a good idea to have it checked and hidden by default. Agreed. Rich -- fedora-devel-list mailing list fedora-devel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-devel-list
Re: What I HATE about F11
On Sun, Jun 14, 2009 at 05:45:43PM +1000, Michael Fleming wrote: Ich bin ein secure user and you should be too. Logging in as root into X directly (or the console for that matter) is a *bad idea*. Erm, logging as root on the console is a bad idea? _You've_ obviously not got any machines running NIS or NFS-mounted /home :-) Rich. -- Richard Jones, Emerging Technologies, Red Hat http://et.redhat.com/~rjones virt-top is 'top' for virtual machines. Tiny program with many powerful monitoring features, net stats, disk stats, logging, etc. http://et.redhat.com/~rjones/virt-top -- fedora-devel-list mailing list fedora-devel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-devel-list
Re: What I HATE about F11
Who says the first created user is root-equivalent? It wouldn't be root-equivalent. You have to explicitly use sudo, and enter your password when you do use it. It's not the same as a root prompt. In any case, I like Mathieu Bridon's idea of having a firstboot option. Rich -- fedora-devel-list mailing list fedora-devel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-devel-list
Re: What I HATE about F11
Dnia 2009-06-14, o godz. 22:12:47 Krzysztof Halasa k...@pm.waw.pl napisał(a): a false feeling that the non-privileged account doesn't need the same level of protection as the root account needs. The feeling isn't false - overtaking a root-run program is potentially more harmful to the system, other users and everyone in sight (root can harm the network, for example). Hence the root account does need more protection. I think you wanted to refer to false sense of safety that someone could derive from running unprivileged. This is a danger much less than giving any OS to any normal (non-technical) user. You need to educate users about all the risks that are left and NOT give them deadly weapons which they don't know how to use and presume they'll going to be scared of them for the rest of their lives (they're not). Lam signature.asc Description: PGP signature -- fedora-devel-list mailing list fedora-devel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-devel-list
Re: What I HATE about F11
Richard Fearn richardfe...@gmail.com writes: Who says the first created user is root-equivalent? It wouldn't be root-equivalent. You have to explicitly use sudo, and enter your password when you do use it. It's not the same as a root prompt. It is from a security person POV. If an attacker compromises your non-root account, and if you use sudo or whatever to switch to root then root as compromised as well, password or no password. You have to use a secure terminal and a secure path to the root session to be really secure. -- Krzysztof Halasa -- fedora-devel-list mailing list fedora-devel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-devel-list
Re: What I HATE about F11
On Sun, Jun 14, 2009 at 6:45 AM, Simo Sorcesso...@redhat.com wrote: I haven't done a graphical root login in the past 10 years probably and on multiple distribution. Graphical root login is meaningless. Let me ask you a question as an example to better define the expectation on behavior that people have on what it means to administer a computer system. Can you run the thread audience through the steps on how you personally go about changing permissions on a root owned file or directory on a Fedora install to give write access to an admin user.. using nothing but graphical tools as installed by default in the Fedora Desktop? I honestly don't know how to do it. And I wouldn't think to do it that way. I'll reach for the commandline somewhere in the process whether it be to configure sudo or just doing the chmod under su. Nautilus exposes permissions for root owned files but I don't see an obvious hook that allows me to use existing authorization infrastructure to gain access to change those permissions as an admin user under nautilus. But for someone else...someone new who didn't waste time learning how to banner attack their classmates logged into the school's Vax system via a serial connection, someone who is installing a linux system for personal use and learning how to interact with that system and is basically their own admin...,they may instinctively reach for a graphical way to do stuff like file permissions manipulations. root login may realistically be the simplest way they know to gain access to graphical tools to perform simple operations that the user desktop does not allow. Its great that sudo exists and can be configured but how do you discover that tool as a new user doing a self-administered install? Nautilus is the obvious, intuitive for file management tasks, and if the only graphical way to get to a version of nautilus that can manipulate system files is to login as root..then it sort of makes sense that inexperienced users will attempt to do that..because its the logic of behavior the that graphical tool UI suggests. If there is an expectation that users can work with the graphical tools to do simple administrative tasks, I'm not sure enough thought has been put into how to self-consistently expose that functionality. -jef . -- fedora-devel-list mailing list fedora-devel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-devel-list
Re: What I HATE about F11
On Sun, 14 Jun 2009, Lennart Poettering wrote: much broken. It's a bit like SELinux: it's one of the first features most people disable. False. Most people leave SELinux enabled, according to the smolt stats which have been collecting since the F8 era. Fedora is the only big distro that enables a firewall by default and thus creates a lot of trouble for many users. I think I mentioned that before, and I can only repeat it here: we should not ship a firewall enabled by default, like we currently do. If an application cannot be trusted then it should not be allowed to listen on a port by default in the first place. A firewall is an extra layer of security that simply hides the actual problem. The problem is that you never really know how trustworthy an application is. All software has bugs, and some of those will be exploitable. A significant purpose of firewalling and tighter security policy (e.g. SELinux MAC) is to help reduce the impact of bugs (and misconfiguration) when they occur. - James -- James Morris jmor...@namei.org -- fedora-devel-list mailing list fedora-devel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-devel-list
Re: What I HATE about F11
On Mon, 15.06.09 09:15, James Morris (jmor...@namei.org) wrote: On Sun, 14 Jun 2009, Lennart Poettering wrote: much broken. It's a bit like SELinux: it's one of the first features most people disable. False. Most people leave SELinux enabled, according to the smolt stats which have been collecting since the F8 era. Are you speaking of the same smolt that lists es1371 as most popular sound card? i.e. a sound card that has been out of production since about 10 years now? Somehow I have serious doubts about the validity of the smolt data. Also, isn't the smolt data generated as part of the installation process, i.e. at a time where people haven't yet had the time to disable SELinux? Anyway, please don't think I was anti-SELinux, I am not. Just wanted to state what I observed. Lennart -- Lennart PoetteringRed Hat, Inc. lennart [at] poettering [dot] net http://0pointer.net/lennart/ GnuPG 0x1A015CC4 -- fedora-devel-list mailing list fedora-devel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-devel-list
Re: What I HATE about F11
On Mon, 15 Jun 2009, Lennart Poettering wrote: Are you speaking of the same smolt that lists es1371 as most popular sound card? i.e. a sound card that has been out of production since about 10 years now? Somehow I have serious doubts about the validity of the smolt data. I've previously asked for specific sql queries to be run on the data (e.g. correlated with specific Fedora versions) and it seems the data for SELinux at least is reasonably accurate. The actual figure shown on the site is likely to be much lower than the real number of SELinux enabled systems, as it aggregates data from systems where no SELinux stats were being collected, and now from distros with no real SELinux support. Also, isn't the smolt data generated as part of the installation process, i.e. at a time where people haven't yet had the time to disable SELinux? Yes, that's a consideration -- those systems report back each month, so when there's a new release, the figures spike, and then drop off over time. They're still showing a signifcant majority of people leaving SELinux enabled. There's also the question of whether people who are not saying 'yes' to smolt reporting are likely to enable or disable SELinux. It could go either way. Anyway, please don't think I was anti-SELinux, I am not. Just wanted to state what I observed. Keep in mind that what you observe as a highly technical distro developer may be radically different to what happens elsewhere. - James -- James Morris jmor...@namei.org -- fedora-devel-list mailing list fedora-devel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-devel-list
Re: What I HATE about F11
On Sun, Jun 14, 2009 at 3:36 PM, Lennart Poetteringmzerq...@0pointer.de wrote: Are you speaking of the same smolt that lists es1371 as most popular sound card? i.e. a sound card that has been out of production since about 10 years now? Somehow I have serious doubts about the validity of the smolt data. You might have found a bug in the tallying there in how cards are self-identifying product strings. You'll notice the same exact entry is listed twice in the Audio device table. Are cards using the ENS1371 driver misreporting their vendor/card version info? There are only 5 listings in the table for the ENS1371 driver. There are dozens listed for the Intel ICH driver. I bet if you totalled up counts by driver, things would look more sensible to you with intel being a reasonably large percentage of the drivers in use. Also, isn't the smolt data generated as part of the installation process, i.e. at a time where people haven't yet had the time to disable SELinux? smolt updates the info associated with a UUID via its service and cronjob configuration on a roughly monthly basis, unless someone disables the smolt service. -jef -- fedora-devel-list mailing list fedora-devel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-devel-list
Re: What I HATE about F11
That said, I agree the wheel group should be enabled with sudo, though I disagree that the initial install user should be automatically added to it. But then again, I hate sudo :P I do most scripting that requires root access via root logins directly with ssh and keys. i completely agree and do mostly the same; it would be a good idea (or at least, imho better than an option to add the user to wheel group) to have a generate dsa keypair and add to root authorized_keys checkbox during firstboot user creation. Then just ssh -X for your daily needed root tasks guido -- Guido Grazioli guido.grazi...@gmail.com Via Parri 11 48011 - Alfonsine (RA) Mobile: +39 347 1017202 (10-18) Key FP = 7040 F398 0DED A737 7337 DAE1 12DC A698 5E81 2278 Linked in: http://www.linkedin.com/in/guidograzioli -- fedora-devel-list mailing list fedora-devel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-devel-list
Re: What I HATE about F11
On Sun, 14.06.09 16:11, Jeff Spaleta (jspal...@gmail.com) wrote: On Sun, Jun 14, 2009 at 3:36 PM, Lennart Poetteringmzerq...@0pointer.de wrote: Are you speaking of the same smolt that lists es1371 as most popular sound card? i.e. a sound card that has been out of production since about 10 years now? Somehow I have serious doubts about the validity of the smolt data. You might have found a bug in the tallying there in how cards are self-identifying product strings. ci devices identify them via numeric ids only, the strings come from the hwdata databases. You'll notice the same exact entry is listed twice in the Audio device table. Are cards using the ENS1371 driver misreporting their vendor/card version info? There are only 5 listings in the table for the ENS1371 driver. There are dozens listed for the Intel ICH driver. I bet if you totalled up counts by driver, things would look more sensible to you with intel being a reasonably large percentage of the drivers in use. It's not just that ens1371 is shown as unrealistically popular, it's also that it doesn't know a single HDA device. I mean, seriously... what will smolt claim next? that santa claus exists? To me it appears that the data shown on this smolt web thingy originates from /dev/random. Unrelated to this, it's fun to see what happens when one accesses http://smolt.fedoraproject.org/static/stats or a similar URL... ;-) Lennart -- Lennart PoetteringRed Hat, Inc. lennart [at] poettering [dot] net http://0pointer.net/lennart/ GnuPG 0x1A015CC4 -- fedora-devel-list mailing list fedora-devel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-devel-list
Re: What I HATE about F11
On Sun, 2009-06-14 at 15:11 -0400, Chuck Anderson wrote: On Sun, Jun 14, 2009 at 10:45:09AM -0400, Simo Sorce wrote: * Samba (outbound) browsing requires firewall mods I don't know how Samba works, so forgive me if I say obvious stupidity, but shouldn't *client* work even behind closed firewall (like with any other services like ssh, ftp, ...)? Isn't this a samba bug then? Samba as a client needs to listen for Netbios packets replies (UDP) to do browsing, so since F-10 (yes this is not something new in F-11) the firewall has strict rules and there is a samba client specific rule. ...which is broken in that it is too permissive, and in that it isn't enabled by default. We need to fix it so it only uses the conntrack module but doesn't open inbound ports, and also enable it in the default install. Conntrack is useless you need to listen to unsolicited traffic. Also some old MS Oss always reply to port 137 even if the client source port is higher, conntrack would fail here too. https://bugzilla.redhat.com/show_bug.cgi?id=469884 If it were for me I'd close this as NOTABUG/INVALID/WONTFIX. Simo. -- Simo Sorce * Red Hat, Inc * New York -- fedora-devel-list mailing list fedora-devel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-devel-list
Re: What I HATE about F11
On Sun, 2009-06-14 at 14:23 -0800, Jeff Spaleta wrote: On Sun, Jun 14, 2009 at 6:45 AM, Simo Sorcesso...@redhat.com wrote: I haven't done a graphical root login in the past 10 years probably and on multiple distribution. Graphical root login is meaningless. Let me ask you a question as an example to better define the expectation on behavior that people have on what it means to administer a computer system. Can you run the thread audience through the steps on how you personally go about changing permissions on a root owned file or directory on a Fedora install to give write access to an admin user.. using nothing but graphical tools as installed by default in the Fedora Desktop? I honestly don't know how to do it. And I wouldn't think to do it that way. I'll reach for the commandline somewhere in the process whether it be to configure sudo or just doing the chmod under su. Nautilus exposes permissions for root owned files but I don't see an obvious hook that allows me to use existing authorization infrastructure to gain access to change those permissions as an admin user under nautilus. But for someone else...someone new who didn't waste time learning how to banner attack their classmates logged into the school's Vax system via a serial connection, someone who is installing a linux system for personal use and learning how to interact with that system and is basically their own admin...,they may instinctively reach for a graphical way to do stuff like file permissions manipulations. root login may realistically be the simplest way they know to gain access to graphical tools to perform simple operations that the user desktop does not allow. Its great that sudo exists and can be configured but how do you discover that tool as a new user doing a self-administered install? Nautilus is the obvious, intuitive for file management tasks, and if the only graphical way to get to a version of nautilus that can manipulate system files is to login as root..then it sort of makes sense that inexperienced users will attempt to do that..because its the logic of behavior the that graphical tool UI suggests. If there is an expectation that users can work with the graphical tools to do simple administrative tasks, I'm not sure enough thought has been put into how to self-consistently expose that functionality. You certainly have a point here Jeff. Simo. -- Simo Sorce * Red Hat, Inc * New York -- fedora-devel-list mailing list fedora-devel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-devel-list
Re: What I HATE about F11
On Mon, 15 Jun 2009, Lennart Poettering wrote: On Mon, 15.06.09 09:15, James Morris (jmor...@namei.org) wrote: On Sun, 14 Jun 2009, Lennart Poettering wrote: much broken. It's a bit like SELinux: it's one of the first features most people disable. False. Most people leave SELinux enabled, according to the smolt stats which have been collecting since the F8 era. Are you speaking of the same smolt that lists es1371 as most popular sound card? i.e. a sound card that has been out of production since about 10 years now? Somehow I have serious doubts about the validity of the smolt data. Based on actual data research or your gut? Also, isn't the smolt data generated as part of the installation process, i.e. at a time where people haven't yet had the time to disable SELinux? It updates monthly if you chose to send it in at install time. -Mike -- fedora-devel-list mailing list fedora-devel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-devel-list
Re: What I HATE about F11
On Sun, 14 Jun 2009, Mike McGrath wrote: On Mon, 15 Jun 2009, Lennart Poettering wrote: On Mon, 15.06.09 09:15, James Morris (jmor...@namei.org) wrote: On Sun, 14 Jun 2009, Lennart Poettering wrote: much broken. It's a bit like SELinux: it's one of the first features most people disable. False. Most people leave SELinux enabled, according to the smolt stats which have been collecting since the F8 era. Are you speaking of the same smolt that lists es1371 as most popular sound card? i.e. a sound card that has been out of production since about 10 years now? Somehow I have serious doubts about the validity of the smolt data. Based on actual data research or your gut? Sidenote on this specific device, seems vmware emulates it so we should probably continue to support it :) -Mike -- fedora-devel-list mailing list fedora-devel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-devel-list
Re: What I HATE about F11
On 6/14/09, Charles Butterfield charles.butterfi...@nextcentury.com wrote: [...] Root gdm login - gets harder every release - SHAME ON YOU root nazis! Interesting. Godwin's law right from the start of a thread? I must buy a lottery ticket today. http://en.wikipedia.org/wiki/Godwin%27s_law Christian -- fedora-devel-list mailing list fedora-devel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-devel-list