On Sun, Oct 30, 2005 at 10:00:31PM +0000, Neal H. Walfield wrote:

> > Session details should be editable remotely when you authorize yourself (for
> > example with an ssh key). Because of this, su from anything except root is
> > easily implemented (because authorization is performed). But su from root
> > (without a password) is only possible if the user allowed it, and it isn't
> > if the user didn't allow it.
>
> I don't think so. Why doesn't the system administrator control the
> session manager? Why can't the system administrator decide which
> session manager to install (e.g. the one with the method which given a
> username and a particular capability returns the session capability of
> the specified user)?
Of course the administrator can choose a session manager which doesn't allow this. But if the session manager wants this kind of power, he probably doesn't want a capability system in the first place, because it limits his powers in more ways. What we have to do is convince administrators that not having this power is a good idea. That may not be an easy task. But I'd wait with it until we have a working system. :-)

What I claim is not that the administrator (the person) doesn't have this power. Of course he does, since he can install the OS (and in case of GNU, adapt it to his liking). I'm claiming that it is a good idea if the administrator will choose not to give the root user this power, and that when he chooses this, the system will be more secure.

> I'd be interested in understanding how one could build a system in
> which system administrators can't install their own session managers.
> Moreover how do users verify that the system administrator doesn't
> have this capability? (I think this is basically the secure booting
> problem.)

It's more than that, it's a social problem. It's the same problem you have when playing a network game: all players have to trust the server that it's not cheating in favor of one of the players (usually the one hosting the server). If you socially don't trust someone, then you shouldn't put any private data on his computer. No software can change that, because the owner can simply install spying software and claim to have installed a secure version.

The situation I was assuming is that the user trusts the administrator to do what he says, and that the administrator agrees that not having the power to spy on users without their consent is a good idea. Both of these assumptions may not be true in many situations. The second one is something we should change (by explaining why it is a good idea), the first one is something we have nothing to do with.
Thanks,
Bas

--
I encourage people to send encrypted e-mail (see http://www.gnupg.org).
If you have problems reading my e-mail, use a better reader.
Please send the central message of e-mails as plain text in the message body, not as HTML and definitely not as MS Word.
Please do not use the MS Word format for attachments either.
For more information, see http://129.125.47.90/e-mail.html