begin quoting Neil Schneider as of Tue, Apr 19, 2005 at 11:37:20AM -0700:
> Stewart Stremler said:
> > What, the user has thrown the machine away?
> >
> > Security is a tradeoff.
>
> And users aren't interested in security at all, because it always
> interferes with getting what they want to do. So the argument is moot.

But Tracy's arguing that they ARE interested in security.

> Give them no security and they will be happy. Their data will be
> compromised or lost, but they will be able to do anything they want.

The optimal point isn't necessarily 0 security, 1 usability. It's a tradeoff, and we might be able to get .99 usability and .5 security, if it's done right. But going for .5 security, .4 usability isn't going to make the average user happy.

> > The security that comes from a root/non-root distinction on a
> > single-user machine is arguably not worth the tradeoff. At least,
> > not at this time.
>
> From the user's point of view, no security is worth the tradeoff, so
> arguing about it is useless.

So you're in Michael's camp?

> > We should strive to be good, safe, secure, and usable, not "better
> > than them". It's a worthy goal in and of itself.
>
> I notice a trend here. You attack others' defense of not running as
> root,

No, I'm attacking the poor arguments. If I have attacked others, I apologize -- and point it out, please. Piss-poor arguments for "our" side do more harm than good. If they aren't real, solid, believable, defensible arguments, they shouldn't be proposed -- else we're going to sound as stupid as those idiots on /. who are busy writing "Oooh, he's so stupid!"

> however I've not seen you make any serious suggestions about a
> better alternative.

Better than what? I've made plenty of serious suggestions. They aren't generally implemented, but that's hardly my fault.

> You disparage se-linux, because you think it's too
> difficult to set up and use,

...for the average non-geek owner of a single-user box. SELinux is _not_ a panacea. And should we GET SELinux to the point where the average non-geek owner of a single-user machine can set up and manage it to make a secure machine, then the root/non-root distinction *again* rises up, as the root/non-root distinction is now redundant and functionally useless.

> but again, you don't propose an
> alternative. Are you just being argumentative, or do you have some
> constructive contribution to make?

Lessee... sandboxes, VMS-style filesystems, user-training, not allowing programs to check for uid 0 (probably can be done with fakeroot), per-package user accounts, and partition restrictions. I consider beating up developers who demand root access for their software as only sort-of constructive. Seems like I've provided the _most_ constructive feedback of *anyone* in this conversation.

There's a little devil's advocacy involved, yes, because too many of the arguments for root/non-root distinctions are so poor. I personally believe in the root/non-root distinction, but I want defensible arguments. I've seen ONE where the distinction made for an important difference thus far. I want more. You don't get sharp arguments by cheering. You get 'em by applying the whetstone of logic and contrariness.

> > No trojans downloaded by a user-process can run. If I compromise your
> > system, I can't drop in my own shell-cum-keylogger into $HOME and exec
> > that when you log in. I can't download my own program to your machine
> > to start consuming your CPU cycles, or to get you to be a DDOS zombie,
> > etc. -- the most I can do (maybe) is to exploit a _running_ process,
> > which is cleaned up at the next reboot.
> >
> > It apparently breaks X, however.... :(
>
> And is therefore more impractical than using se-linux.

It reflects the fact that something is broken in X. Why would anything in /home need to be executable for non-developers? If you enforce that policy with SELinux, does X still work?

-Stewart
"Linux users seem generally pretty lax about real security" Stremler
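The non-executable $HOME control Stewart describes, as an added shell audit (not code from the thread): it reads a mount table in /proc/mounts format and reports the user-writable mount points that lack noexec, or that are not separate mounts at all and so inherit the root filesystem's options. The list of audited directories and the sample mount table are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Audits a mount table for user-writable
# filesystems mounted without noexec. Input lines follow the /proc/mounts
# format: "device mountpoint fstype options dump pass".

# Directories a single-user box usually lets unprivileged users write to
# (assumption; adjust for the system being checked).
AUDIT_DIRS="/home /tmp /var/tmp /dev/shm"

# audit_mounts: read mount-table lines on stdin; print "<mountpoint> <options>"
# for each audited mount point lacking noexec, then "<dir> not-a-separate-mount"
# for each audited directory that is not its own mount (it inherits / options,
# which cannot sensibly be noexec).
audit_mounts() {
    awk -v dirs="$AUDIT_DIRS" '
        BEGIN { n = split(dirs, want, " "); for (i = 1; i <= n; i++) w[want[i]] = 1 }
        ($2 in w) {
            seen[$2] = 1
            m = split($4, opt, ",")
            ok = 0
            for (i = 1; i <= m; i++) if (opt[i] == "noexec") ok = 1
            if (!ok) print $2, $4
        }
        END {
            for (i = 1; i <= n; i++)
                if (!(want[i] in seen)) print want[i], "not-a-separate-mount"
        }'
}

# Constructed sample table: only /tmp already carries noexec, and /var/tmp
# is not a separate mount.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,relatime 0 0
/dev/sda2 /home ext3 rw,nosuid,nodev 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
proc /proc proc rw 0 0'

# audit_sample: run the audit over the constructed table (needs no root).
audit_sample() {
    printf '%s\n' "$SAMPLE_MOUNTS" | audit_mounts
}

# audit_live: run the audit over the running system's mount table.
audit_live() {
    audit_mounts < /proc/mounts
}

audit_sample
```

Note that a finding only says exec is permitted from that mount; as the thread points out, turning noexec on for $HOME may break programs (X was reported) that expect to execute files there, so test before enforcing.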
-- [email protected] http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
