[gentoo-user] Re: xfce woes
On 02/02/2011 09:15 PM, Alan McKinnon wrote:
> Apparently, though unproven, at 00:00 on Thursday 03 February 2011, walt did opine thusly:
> > As much as I like the convenience of automounting as a luser, all of my bofh instincts cry out that lusers shouldn't be allowed to mount a filesystem! This is one of those Windows/convenience versus unix/security things, I think, but I'm just an amateur bofh. What do you professional bofhs think?
>
> Depends on what the machine is used for.
>
> For a multiuser box, you probably want user to not shutdown/reboot,

Yes, even I thought of that. As an amateur, though, I have no idea how many multi-user machines still exist.

When I was a lad, the campus computer(s) still ran batch jobs submitted on punch cards. We had to wait for hours or even the next day to discover a stupid typo.

Actually, the profs didn't use punchcards, just us peons. The profs had dumb terminals so they could log in to the central server -- and sit for as long as five minutes to discover if the server had crashed, or was just busy serving the needs of the department chairman's secretary.

Over the years, the frustrations have merely morphed, not vanished :(

> be able to mount removable media...

That was really what I was asking. I hear horror stories about employees plugging USB thumb drives into corporate workstations to steal files, or maybe infecting the whole network with malware from a lost thumb drive found at a bus stop or a car park.
Re: [gentoo-user] Re: xfce woes
Apparently, though unproven, at 00:15 on Friday 04 February 2011, walt did opine thusly:
> On 02/02/2011 09:15 PM, Alan McKinnon wrote:
> > Apparently, though unproven, at 00:00 on Thursday 03 February 2011, walt did opine thusly:
> > > As much as I like the convenience of automounting as a luser, all of my bofh instincts cry out that lusers shouldn't be allowed to mount a filesystem! This is one of those Windows/convenience versus unix/security things, I think, but I'm just an amateur bofh. What do you professional bofhs think?
> >
> > Depends on what the machine is used for.
> >
> > For a multiuser box, you probably want user to not shutdown/reboot,
>
> Yes, even I thought of that. As an amateur, though, I have no idea how many multi-user machines still exist.

I have more than 120 of them.

> When I was a lad, the campus computer(s) still ran batch jobs submitted on punch cards. We had to wait for hours or even the next day to discover a stupid typo.

Punch cards??? Piffle. We used *paper tape* :-)

> Actually, the profs didn't use punchcards, just us peons. The profs had dumb terminals so they could log in to the central server -- and sit for as long as five minutes to discover if the server had crashed, or was just busy serving the needs of the department chairman's secretary.
>
> Over the years, the frustrations have merely morphed, not vanished :(
>
> > be able to mount removable media...
>
> That was really what I was asking. I hear horror stories about employees plugging USB thumb drives into corporate workstations to steal files, or maybe infecting the whole network with malware from a lost thumb drive found at a bus stop or a car park.

Here's a funny story. It's true, and it's sad, but also macabrely funny.

A penetration testing firm that I know well was commissioned to test the external security of a certain enterprise that was obliged to comply with stiff legal requirements. This firm does our pentesting too, and they are pretty thorough. If you ask them to throw the book at something for testing, and pay them enough, they will gladly oblige, and not care too much if this embarrasses you.

Try as they might, they could not get past this enterprise's border firewalls. Nothing showed up as a weakness. They tried and tried and tried and tried

Until one day one of their bright spark techies had a brilliant idea. They hired a bunch of pretty girls wearing tight skimpy New! Improved! Check Our Promotion! outfits to stand outside the front door handing out free complimentary CDs.

Yes, you guessed it. Within the hour the perimeter firewalls had more holes than a Swiss cheese.

Somebody paid dearly for that.

--
alan dot mckinnon at gmail dot com
Re: [gentoo-user] Re: xfce woes
> Until one day one of their bright spark techies had a brilliant idea. They hired a bunch of pretty girls wearing tight skimpy New! Improved! Check Our Promotion! outfits to stand outside the front door handing out free complimentary CDs.
>
> Yes, you guessed it. Within the hour the perimeter firewalls had more holes than a Swiss cheese.
>
> Somebody paid dearly for that.

That's not new. A similar one I heard of was to leave some USB drives on the ground in the carpark... or you could use spear phishing emails.
[gentoo-user] Re: xfce woes
On 02/02/2011 11:23 AM, John wrote:
> I have recently upgraded to xfce 4.8
> All seems to be well apart from
> a) Normal Users cannot shutdown
> b) Normal Users cannot automount using xfce (can through sudo mount).

I understand very well your frustration because my gnome desktop goes through periods where those things work, and then for some time they don't work, etc, ad infinitum.

As much as I like the convenience of automounting as a luser, all of my bofh instincts cry out that lusers shouldn't even be allowed to log into my system, much less actually mount(!?!) a filesystem!

This is one of those Windows/convenience versus unix/security things, I think, but I'm just an amateur bofh. What do you professional bofhs think?
Re: [gentoo-user] Re: xfce woes
Apparently, though unproven, at 00:00 on Thursday 03 February 2011, walt did opine thusly:
> On 02/02/2011 11:23 AM, John wrote:
> > I have recently upgraded to xfce 4.8
> > All seems to be well apart from
> > a) Normal Users cannot shutdown
> > b) Normal Users cannot automount using xfce (can through sudo mount).
>
> I understand very well your frustration because my gnome desktop goes through periods where those things work, and then for some time they don't work, etc, ad infinitum.
>
> As much as I like the convenience of automounting as a luser, all of my bofh instincts cry out that lusers shouldn't even be allowed to log into my system, much less actually mount(!?!) a filesystem!
>
> This is one of those Windows/convenience versus unix/security things, I think, but I'm just an amateur bofh. What do you professional bofhs think?

Depends on what the machine is used for.

For a multiuser box, you probably want user to not shutdown/reboot, be able to mount removable media and nfs shares, not mount fixed disks.

For a terminal server serving thin clients, you likely want users to not be able to do any of that on the server.

For a single user workstation, the sole user should be able to do all of it.

Perhaps yourself and the maintainer writing the template config disagree on the basic purpose of the machine in question.

--
alan dot mckinnon at gmail dot com