Re: More desktop security thoughts (was Re: GNOME privilege library)

On Thu, 2005-01-13 at 20:23 +0000, Mike Hearn wrote:

> The root/user distinction is totally useless for home users, in fact it
> shouldn't even exist as there are limits to how much you can wallpaper
> over it. In home setups the users shouldn't ever be prompted for a

You don't have children, do you?  ;-)

I don't like root itself - it's way too black and white, "unprivileged"
and "all privileges."  Separating users and giving them different access
levels is a must.  Simply making it a "user can do X or can't do X"
isn't enough, either.  Even with a fast user switching system, if I had
to log into a whole different account on, say, my thirteen-year-old
sister's computer in order to make some small change that's necessary,
versus just entering an admin password, I'd be rather perturbed.

There is no ideal security.  In some places I don't want separate users,
in some places I want to have a super-user, in some places I want a
password for each distinct task, in some places I want to assign
privileges to accounts, etc.  Letting the system be set up to the actual
needs of the administrator (be that a corporate network or a tech-savvy
big brother) should always be possible.  Trying to come up with some
all-encompassing claim of "home users don't need it" or "we should only
support perfect security" just makes the system unusable to everyone
between the extremes.

> password, there shouldn't even be a login screen if there's only one user.
> Maybe there's a BIOS lock to deter physical thieves, or a hard disk
> encryption lock to deter physical+information thieves, but from GNOME's
> perspective there shouldn't be any prompting at all.
> 
> It's no accident that Windows 98 and MacOS Classic have no security. It's
> because for the market they were designed for - home users - it wasn't
> needed. Windows 98 implemented some simple user separation but it
> certainly did *not* prompt you for a password to change the date/time, or
> install new software. That's because there's no point in requiring a
> password to do it, as the user is guaranteed to know it.

Again, that was a dumb decision on the part of the Win98 designers.  We
*definitely* had a use for limited user-separation.  WinXP was a
blessing for my family, because it meant we didn't have to reinstall
a certain two computers every couple months.

> 
> MacOS X has an Administrator/User distinction because Apple realised that
> OS 9 was rubbish and they had to do something about it quickly. Writing a
> modern desktop OS from scratch is close to being economically
> impossible these days, so Apple did huge code imports from NeXT and
> FreeBSD. With these imports came the UNIX security model, which lacking
> any better ideas (and lacking time/manpower) seemed an improvement over
> nothing at all.

Er, don't take this the wrong way, but... do you have any proof on that,
or is that just speculation?

<cut out long but spot-on MAC vs DAC lecture ~_^ >