Re: More desktop security thoughts (was Re: GNOME privilege library)



On Thu, 13 Jan 2005 19:53:52 +0000, Alan Cox wrote:
> I think the administrative restrictions actually serve several purposes
> 
> 1. They stop the user making large mistakes. That doesn't need a
> password so much as a big red "are you an idiot today" button

The best way to prevent a user making mistakes (apart from better UI
design to make understanding easier) is not to add a "DO NOT PUSH THIS
BUTTON" button to the desktop but to give intelligent warnings like "If
you do this, programs which don't expect the clock to go backwards may
misbehave, are you sure you want to continue?". Asking for a password
doesn't help the user at all.
 
> 2. Make it harder for viruses/trojans

How does DAC help this? If it's principle of least privilege, that's
why I suggest MAC like SELinux for home users.

Like I said, most viruses and trojans do stuff that doesn't need root
anyway.

> 3. Protect users from each other.

OK this is what Miguel raised too, let's discuss this some more.

> Many home systems are in the curious state where nobody cares if you
> reconfigure networking, change ISP, add a new printer and so on (all the
> things that get corporate IS upset). They do care if you delete other
> users files or access them. 

Right. Even the most perfectly balanced families want to restrict some
things, that was the little brother/big sister example.

I'm going to stick my neck out and say in *most* cases, in a family/shared
computer setup a user distinction is useful (I never argued
against multiple users, even Windows 98 had that) but that user security
isn't. 

If I download a really cool video to my desktop and later on want to show
my brother, but he's logged in as himself then I want to be able to access
my stuff easily. Likewise, if I want to pass data between users I don't
want the security system to get in my way.

So I think user security should be optionally enabled on a per-file basis.
That way if I have a secret diary or whatever I can stop others accessing
it, but by default I share everything.

I'm trying to think of a situation where you have a shared computer where
users are trusted not to sabotage it, but where you don't want to share
data by default. I think this is a rare situation.

Still it would not be hard to support "non-shared user data by default"
mode. Then you would have to enter a password to browse another user's
desktop.

> It's not something the unix "root" world
> really reflects either. It's a co-operative environment not unlike the
> kinds of setup hackers used to run (ITS etc) rather than a control
> environment. It still needs protection to assure users about privacy and
> to ensure that even if the display size is wrong and the keyboard beeps
> this week the user data is ok.

Heh, I'm half glad and half sorry I missed those days ....
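Added example, not part of the original thread and not code from any GNOME component: the "share everything by default, opt in to privacy per file" model proposed above, expressed with nothing more than ordinary Unix DAC mode bits. The layout (a Desktop video, a Private directory holding a diary) is constructed for the demo, and the home directory is assumed to be 0755, i.e. traversable by other users as on most desktop distributions. The check deliberately walks the directory chain rather than only the file's own bits, because a 0644 file inside a 0700 directory is just as unreachable to a sibling user as a 0600 file, a detail that is easy to miss when reasoning about per-file sharing.

```python
import os
import stat
import tempfile
from pathlib import Path

# Constructed layout standing in for one user's home on a shared family PC.
SHARED_FILE = "Desktop/cool_video.mp4"   # shared by default
PRIVATE_DIR = "Private"                   # opt-in private area (0700)
PRIVATE_FILE = "Private/diary.txt"        # 0644 file, but inside a 0700 dir


def make_home(root: str) -> dict:
    """Create the sample home under root with share-by-default permissions.

    Everything is created under umask 022 (group and others may read),
    except the Private directory, which is explicitly 0700 so that nothing
    beneath it is reachable by another user regardless of the file modes.
    """
    old_umask = os.umask(0o022)          # umask is process-global; restore it below
    try:
        home = Path(root)
        (home / "Desktop").mkdir()
        (home / SHARED_FILE).write_text("constructed video bytes\n")
        private = home / PRIVATE_DIR
        private.mkdir()
        private.chmod(0o700)
        (home / PRIVATE_FILE).write_text("constructed secret diary\n")
    finally:
        os.umask(old_umask)
    return {"shared": str(home / SHARED_FILE), "private": str(home / PRIVATE_FILE)}


def set_private(path: str) -> None:
    """Opt a single file out of sharing (the 'secret diary' case)."""
    os.chmod(path, 0o600)


def set_shared(path: str) -> None:
    """Return a file to the share-by-default mode."""
    os.chmod(path, 0o644)


def others_can_read(path: str, home: str) -> bool:
    """Would a different, unprivileged user be able to read this file?

    Two conditions must both hold: every directory between home and the file
    must carry the 'other' search bit (x), and the file itself must carry the
    'other' read bit (r). home itself is assumed to be 0755 and is not checked.
    Root bypasses DAC entirely, so this models ordinary sibling users only.
    """
    target = Path(path).resolve()
    top = Path(home).resolve()
    if top not in target.parents:
        raise ValueError(f"{path} is not inside {home}")
    for directory in target.parents:
        if directory == top:
            break
        if not (os.stat(directory).st_mode & stat.S_IXOTH):
            return False                  # a closed directory hides everything below it
    return bool(os.stat(target).st_mode & stat.S_IROTH)


def demo() -> dict:
    """Build the sample home in a temp dir and report what a sibling user could read."""
    with tempfile.TemporaryDirectory() as root:
        paths = make_home(root)
        result = {
            "video_shared": others_can_read(paths["shared"], root),     # True
            "diary_private": others_can_read(paths["private"], root),   # False: parent is 0700
        }
        set_private(paths["shared"])
        result["video_after_opt_in"] = others_can_read(paths["shared"], root)   # False
        set_shared(paths["shared"])
        result["video_after_reshare"] = others_can_read(paths["shared"], root)  # True
        return result


if __name__ == "__main__":
    for name, readable in demo().items():
        print(f"{name}: {'readable by others' if readable else 'private'}")
```

Running it shows the two levers the message is talking about: the default umask decides what a freshly saved file looks like to the rest of the family, and a single chmod on a file or on an enclosing directory is the per-file opt-out. The "non-shared by default" mode mentioned later in the message is simply the same script with umask 077, which is why it would not be hard to offer both.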
