Firstly, sorry for the blank reply. Accidentally double clicked and "send" is in the same spot. :P
On Sat, Jun 14, 2008 at 4:25 AM, arne anka <[EMAIL PROTECTED]> wrote:
> only opkg is run, not everything possible.
> logging in as root opens a world of ways to harm your data, either by
> accident or deliberately.
> exploiting suid requires a bug in the program suid'd.

I understand how and why permission separations exist. :) What I'm saying is that if we sit back and evaluate how this device is going to be used in the vast majority of cases, you'll realize that unlike a desktop or server system, the data that a non-root user can delete is as bad, or perhaps even WORSE than destroying the system integrity itself. I'm not saying "we should abandon security" as a concern. But realistically speaking, a mobile device DOES have different concerns than a desktop or a server. Focusing on "system internals" on Openmoko while ignoring the fact that remote users can destroy vital, NON root, important data is just busy work.

>> User "John" running sudo rm -rf /* is better than root running "rm -rf
>> /*" because...?
>
> see above.
> you can configure which commands/programs may be run with sudo.

I understand this. Take a step back for a second and really evaluate the device's marketed purpose though. The point of sudo and the like is to ensure that a non-root user can't hose the system, right? A non-root user might need to be able to install a printer, so you can give that user access to CUPS commands. In the traditional UNIX file system, having /usr destroyed is a significantly bigger issue than having /tmp destroyed in most cases. In a network environment, you defend the "important" stuff dearly, and accept a certain level of risk with every little blurb you give to a non-root user. In the mobile world, there is NOTHING more important than the user's data. Nothing. And in the mobile world, you can implement root privilege separations till the cows come home, but it doesn't eliminate the fact that the most vulnerable part of the system is still being put at risk.

Please understand I'm not saying "Ignore security", I'm a big fan of security. :) I'm simply trying to look at this in a way that's suited to the use cases rather than "tradition".

>> If you want security, unprivileged users must NOT
>> EVER be able to run privileged commands.
>
> see above.

Perhaps I needed to make this distinction. When I said "a user" in this case, I don't mean "a line in /etc/passwd" but a flesh and blood person. You running sudo some-command is "a user running a privileged command". Sudo is a way to allow users to have SOME of the powers of root, while limiting them from using others. If UNIX user john has sudo permissions to remove packages, and that UNIX account is compromised, it is AS bad as if root itself had a shell on the box - the intruder on the system can hose it.

> i am not sure i understand you correctly, but for me it sounds like you
> saying user/group separation is meaningful for servers only (and only
> because physical access can be prevented), for end user computers, laptops
> specifically, it is a waste.
> if so, you are pretty much alone with this understanding.

I'm not saying that at all. I'm quite happy that I can log in as "kevin" and not "root" on my desktop system. I AM saying, however, that on a mobile device the value of each chunk of the filesystem is different than on a desktop workstation, a laptop and CERTAINLY a server. And taking into account traditional things because they're traditional isn't always the most suited solution to the environment.

>
> what bothers me: as far as i understand the vast majority of applications
> is ported from existing linux distributions or just recompiled -- so, why
> would one disable the user/group principle the apps obey on their native
> platform?

Because the system they obey is designed for an environment where protection of the system is more important than protection of non-root data.

> ubuntu for one works rather well with that wheel/sudo way and even on
> non-ubuntu systems users are able "to run a lot of root applications such
> as rdate, power off, opkg, etc." w/o being root all the time.

If you check the Ubuntu mailing lists back to the days of Warty you'll see that there were people objecting to the use of sudo for the same reason that people are calling for a root/user split. Allowing a compromised non-root user to have access to system internals was heresy! Objectively speaking, no system on a public network is "secure" - security is simply the amount of risk you're willing to take for the sake of access. Ubuntu chose to open up the sudo risk (and as I said, even though it's "common", it's a procedure that still sparks controversy) because, in the end, it was deemed that that amount of risk had acceptable gains. The reason that those gains were acceptable on a desktop and not a server is the same argument I'm making here - the use case puts user data (which is still at risk when controlled by a non-root user account) closer to "the most important thing".

>
> _______________________________________________
> Openmoko community mailing list
> [email protected]
> http://lists.openmoko.org/mailman/listinfo/community
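As an added example (not code from this thread or from the Openmoko project), a small POSIX shell audit that flags sudoers rules which are root-equivalent in the sense argued above: ALL, a shell, or the package manager, since a rule that hands out opkg lets the account change the system image just as root would. The sample sudoers lines and the list of root-equivalent commands are constructed assumptions, and Cmnd_Alias expansion is not resolved.

```shell
#!/bin/sh
# Added example, not from the thread: flag sudoers rules that are effectively "root".
# Assumptions: plain "user host=(runas) [TAG:] cmd, cmd" lines (Cmnd_Alias expansion
# is not resolved) and a constructed list of root-equivalent commands. A package
# manager such as opkg installs packages whose maintainer scripts run as root, so a
# rule that grants it is as good as ALL, which is the point made in the message above.
ROOT_EQUIV='^(ALL|opkg|apt-get|dpkg|sh|bash|su)$'

# audit_sudoers FILE: print "user<TAB>command<TAB>rule" for each root-equivalent rule;
# exit 0 if any were found, 1 if the file only grants narrow commands.
audit_sudoers() {
    awk -v pat="$ROOT_EQUIV" '
        /^[ \t]*#/ { next }                             # comments (and #include lines)
        /^[ \t]*$/ { next }                             # blank lines
        /^[ \t]*(Defaults|[A-Za-z]+_Alias)/ { next }    # settings and alias definitions
        {
            user = $1
            spec = $0; sub(/^[^=]*=/, "", spec)         # keep the part after "host="
            sub(/^[ \t]*\([^)]*\)/, "", spec)           # drop "(runas)"
            gsub(/(NOPASSWD|PASSWD|NOEXEC|SETENV):/, "", spec)  # drop tags
            n = split(spec, cmds, ",")
            for (i = 1; i <= n; i++) {
                c = cmds[i]
                gsub(/^[ \t]+|[ \t]+$/, "", c)          # trim whitespace
                sub(/ .*/, "", c)                       # strip arguments
                base = c; sub(/.*\//, "", base)         # basename of the command
                if (base ~ pat) { print user "\t" base "\t" $0; found++ }
            }
        }
        END { exit found ? 0 : 1 }' "$1"
}

# Constructed sample sudoers (not a real Openmoko file): a wide-open rule, a
# "restricted" rule that still hands out the package manager, and a narrow rule.
SAMPLE_SUDOERS=$(mktemp)
cat >"$SAMPLE_SUDOERS" <<'EOF'
# /etc/sudoers (constructed sample)
Defaults env_reset
kevin ALL=(ALL) NOPASSWD: ALL
john  ALL=(root) /usr/bin/opkg, /usr/bin/rdate, /sbin/poweroff
guest ALL=(root) /sbin/poweroff
EOF

audit_sudoers "$SAMPLE_SUDOERS"   # flags kevin (ALL) and john (opkg), not guest
```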

