Stewart Stremler said:
> begin quoting Neil Schneider as of Tue, Apr 19, 2005 at 11:37:20AM
> -0700:
>> Stewart Stremler said:
>> > What, the user has thrown the machine away?
>> >
>> > Security is a tradeoff.
>>
>> And users aren't interested in security at all, because it always
>> interferes with getting what they want to do. So the argument is
>> moot.
>
> But Tracy's arguing that they ARE interested in security.
I think he's arguing that security is a "Good Thing (tm)".
>> Give them no security and they will be happy. Their data will be
>> compromised or lost, but they will be able to do anything they want.
>
> The optimal point isn't necessarily 0 security, 1 usability. It's a
> tradeoff, and we might be able to get .99 usability and .5 security,
> if it's done right. But going for .5 security, .4 usability isn't
> going to make the average user happy.
>
>> > The security that comes from a root/non-root distinction on a
>> > single-user machine is arguably not worth the tradeoff. At least,
>> > not at this time.
>>
>> From the user's point of view, no security is worth the tradeoff, so
>> arguing about it is useless.
>
> So you're in Michael's camp?
I'm not in any camp that Michael's in. I personally think he's the
equivalent of a used-car salesman; in other words, he's a slimeball.
However, users don't care a thing about security, until it
compromises their data. They prefer closing the barn door after the
horses are all gone. Michael's cavalier attitude only enforces this.
No need to worry about security now, I'll wait until I lose all my
data, then blame someone else. Michael said it was fine to run as
root, so it's his fault!
>> > We should strive to be good, safe, secure, and usable, not "better
>> > than them". It's a worthy goal in and of itself.
>>
>> I notice a trend here. You attack others' defense of not running as
>> root,
>
> No, I'm attacking the poor arguments. If I have attacked others, I
> apologize -- and point it out, please.
>
> Piss-poor arguments for "our" side do more harm than good. If they
> aren't real, solid, believable, defensible arguments, they shouldn't
> be proposed -- else we're going to sound as stupid as those idiots on
> /. who are busy writing "Oooh, he's so stupid!"
>
>> however I've not seen you make any serious suggestions about a
>> better alternative.
>
> Better than what?
Better than not running as root. Run your system as root, use gaim or
IRC or any similar program, let's see how long before your system and
your data are both compromised. Most IRC networks will probably kick
you off. But some script kitty on AIM will own you before long. If
Michael came to a KPLUG meeting, hooked his computer to the network,
and ran as root, my guess is that his system would be owned before his
two hour presentation was up. It would serve him right, if someone in
the group simply removed all his files and crashed the system. It
nearly happened to the Corel rep in a similar situation.
> I've made plenty of serious suggestions. They aren't generally
> implemented, but that's hardly my fault.
>
>> You disparage se-linux, because you think it's too
>> difficult to set up and use,
>
> ...for the average non-geek owner of a single-user box.
>
> SELinux is _not_ a panacea.
There are no panaceas except in some people's minds. Saying something
is not one, is not an argument. Running as root is less safe than
running as a user. Saying there is no difference is irresponsible, at
best.
> And should we GET SELinux to the point where the average non-geek
> owner of a single-user machine can set up and manage it to make a
> secure machine, then the root/non-root distinction *again* rises up,
> as the root/non-root distinction is now redundant and functionally
> useless.
As has been reported, it already works that way on FC3, except for
special roles for root. But then that mostly covers services, and your
presumption is that this machine doesn't do services. Does
Lindows/Linspire do services?
>> but again, you don't propose an
>> alternative. Are you just being argumentative, or do you have some
>> constructive contribution to make?
>
> Lessee... sandboxes, VMS-style filesystems, user-training, not allowing
> programs to check for uid 0 (probably can be done with fakeroot), per
> package user accounts, and partition restrictions. I consider the
> beating up developers who demand root access for their software as only
> sort-of constructive.
Michael is doing user training. He's training users to ignore best
practices and run as root. You seem to think that's ok. VMS
filesystems are not Linux; have you worked on porting them over, or
are you just a cheerleader on the sidelines? Per package user accounts
for servers are pretty standard on most Linux systems these days, I
believe. If you're running as root, why do you care about developers
demanding root access? You already accommodated them.
> Seems like I've provided the _most_ constructive feedback of *anyone*
> in this conversation.
>
> There's a little devil's advocacy involved, yes, because too many of
> the arguments for root/non-root distinctions are so poor. I personally
> believe in the root/non-root distinction, but I want defensible
> arguments.
So what are your defensible arguments?
> I've seen ONE where the distinction made for an important difference
> thus far. I want more.
So provide some.
> You don't get sharp arguments by cheering. You get 'em by applying
> the whetstone of logic and contrariness.
Sometimes it's just annoying.
>> > No trojans downloaded by a user-process can run. If I compromise your
>> > system, I can't drop in my own shell-cum-keylogger into $HOME and exec
>> > that when you log in. I can't download my own program to your machine
>> > to start consuming your CPU cycles, or to get you to be a DDOS zombie,
>> > etc. -- the most I can do (maybe) is to exploit a _running_ process,
>> > which is cleaned up at the next reboot.
>> >
>> > It apparently breaks X, however.... :(
>>
>> And is therefore more impractical than using se-linux.
>
> It reflects the fact that something is broken in X.
Does it? Or does it reflect that your assumptions are wrong?
> Why would anything in /home need to be executable for non-developers?
>
> If you enforce that policy with SELinux, does X still work?
You can't have it both ways. You want packages to install in your home
directory, so you don't have to be root to install them, but you want
to mount /home noexec. They are mutually exclusive, are they not?
--
Neil Schneider pacneil_at_linuxgeek_dot_net
http://www.paccomp.com
Key fingerprint = 67F0 E493 FCC0 0A8C 769B 8209 32D7 1DB1 8460 C47D
Sometimes I wonder whether the world is being run by smart people who
are putting us on, or by imbeciles who really mean it - Mark Twain
--
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
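The noexec question at the end of the message (whether /home is mounted noexec, and what that means for software installed there) can be checked mechanically. The following POSIX sh script is an added example, not code from anyone in this thread: it parses a table in /proc/mounts format, finds the longest mount point that is a prefix of a given path, and reports whether that mount carries the noexec option. The mount table it reads is a constructed sample embedded in the script; on a live system you would pass /proc/mounts instead. The function names (find_mount, mount_opts, has_noexec, report) and the sample device names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the thread: report whether the filesystem that
# holds a given path is mounted with the noexec option, by parsing a table in
# /proc/mounts format (device mountpoint fstype options dump pass).
# The table below is a constructed sample; on a live system pass /proc/mounts.

# Longest mount point in table $2 that is a prefix of path $1 ("/" by default).
find_mount() {
    path=$1; table=$2; best=/
    while read -r dev mnt fstype opts dump pass; do
        case "$path" in
            "$mnt"|"$mnt"/*)
                if [ "${#mnt}" -gt "${#best}" ]; then best=$mnt; fi ;;
        esac
    done < "$table"
    printf '%s\n' "$best"
}

# Mount options of mount point $1 from table $2; fails if it is not listed.
mount_opts() {
    want=$1; table=$2
    while read -r dev mnt fstype opts dump pass; do
        if [ "$mnt" = "$want" ]; then printf '%s\n' "$opts"; return 0; fi
    done < "$table"
    return 1
}

# Exit 0 if the mount holding path $1 carries noexec, 1 otherwise.
# Options are matched as whole comma-separated words so "noexec" cannot be
# confused with a longer option that merely contains it.
has_noexec() {
    mnt=$(find_mount "$1" "$2")
    opts=$(mount_opts "$mnt" "$2") || return 1
    case ",$opts," in
        *,noexec,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Human-readable report for one path.
report() {
    if has_noexec "$1" "$2"; then
        printf '%s: noexec (direct execution of files here is refused)\n' "$1"
    else
        printf '%s: exec allowed\n' "$1"
    fi
}

# Constructed sample mount table: /home and /tmp are noexec, the rest are not.
SAMPLE_MOUNTS=$(mktemp)
trap 'rm -f "$SAMPLE_MOUNTS"' EXIT
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/sda1 / ext3 rw,relatime 0 0
/dev/sda2 /home ext3 rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda3 /usr/local ext3 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
EOF

# /homework is deliberately included: it shares a prefix with /home but is
# not under that mount, so it must resolve to "/".
for p in /home/neil/bin/tool /homework/notes /usr/local/bin/tool /tmp/x; do
    report "$p" "$SAMPLE_MOUNTS"
done
```

Two points the output makes concrete. First, the prefix match has to be on whole path components, which is why /homework/notes resolves to the root filesystem rather than to /home. Second, noexec only refuses execve of files on that mount; it does not stop an interpreter that is already running from reading a script stored there, so it is a partial control, and it is exactly the control that conflicts with installing packages under $HOME, as the message says.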