On Thursday 21 April 2005 12:36 am, Tracy R Reed wrote: > What flaw? He said there was no problem with running as root. Not that > there was a bug somewhere in design or implementation. And before anyone > implies that I am saying Linux is perfect it clearly isn't. But we > haven't been talking about a flaw here, just whether it is safer to run > as root or a normal user. You think if we somehow did make some change > that made it safer to run as a normal uid and not root he would change > linspire? Doubtful.
I think we need to take a different perspective. I think Robertson is trying to make Linux as usable from a WalMart Shopper persective as Windows 98. You want to do something, so you do it, and it "works." That's apparently all people want, and it's an admirable goal. We've already had lengthy discussions about "security at the perimeter" vs. "security in depth", but let me try to add some more pennies to the pile already here. As someone who just wants to get shit done, I want the computer and the software on it to stay out of my way and just let me work. As someone who values good computing and network behavior, and responsible network presence, the idea that there would be no safeguards to prevent me from accidentally letting some malicious software take hold and use my computer for Evil(tm) scares the bejeezus out of me. Robertson, I think, is aiming squarely at the "we just want to get shit done" group of people who buy computers, and counting squarely on the fact that "Linux is secure." This, I think, allows him to ignore the fact that no system is truely secure, and therefor believe that running as root has no security implications. Nevermind that most of the examples he gave (changing my desktop background) or even ones I can think of (plugging in a camera) require root access, especially as of FC1, where it all Just Worked, and the only times I needed to type in the root password[1] were when I was reconfiguring something like the network settings or installing some new system software (or running up2date). By and large, with a frighteningly default Fedora Core install, I can get most of my "work" and general computer usage done without having to bother at all with passwords or root permissions on my desktop. Honestly, I'm beginning to think that Robertson's claim that it's simpler to operate as root than a "normal" user is more of a red herring because he doesn't want to (a) rethink how to ask for admin access from the user (see [1]) and (b) simply might not care. Really, he doesn't even want to _have_ to bother with asking the end user for admin access to do adminny things, so that there's one less support call to take. And now I think I'm thought out about Robertson's failures, and Linux's security problems. :) Gregory [1] I really like Mac OS X's way of doing things better. You're automatically added to /etc/sudoers if you're an "admin" account, and anything that requires "root" permissions simply asks you for _your_ password instead of the _root_ password. This lets you (a) only have to remember a single password (yours), and (b) not worry about root being an accessible account, because there's no password set for it, which means you can't log in as root. -- Gregory K. Ruiz-Ade <[EMAIL PROTECTED]> OpenPGP Key ID: EAF4844B keyserver: pgpkeys.mit.edu
pgpKjDjj0m2cO.pgp
Description: PGP signature
-- [email protected] http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
