Re: More desktop security thoughts (was Re: GNOME privilege library)



On Thu, 2005-01-13 at 21:34 +0000, Mike Hearn wrote:
> On Thu, 13 Jan 2005 16:13:52 -0500, Sean Middleditch wrote:
> >> The root/user distinction is totally useless for home users, in fact it
> >> shouldn't even exist as there are limits to how much you can wallpaper
> >> over it. In home setups the users shouldn't ever be prompted for a
> > 
> > You don't have children, do you?  ;-)
> 
> Hmm, people seem to be interpreting that sentence as "multiple users are
> bad" or "separating users is bad". That's not what I said.

I was interpreting it as "having privileged/unprivileged users" is
bad.  ;-)

>  
> 
> I said that a user vs root distinction is bad, that means you can still
> give users separate desktops and preferences (even installed software),
> and have those desktops and preferences protected by a password if you so
> wish.

It's not just protecting users from each other.  It's protecting users
from themselves.  There are, quite frankly, people who just don't learn.

> 
> > I don't like root itself - it's way too black and white, "unprivileged"
> > and "all privileges."  Separating users and giving them different access
> > levels is a must.  Simply making it a "user can do X or can't do X"
> > isn't enough, either.  Even with a fast user switching system, if I had
> > to log into a whole different account on, say, my thirteen-year-old
> > sister's computer in order to make some small change that's necessary,
> > versus just entering an admin password, I'd be rather perturbed.
> 
> The point is in a family/home environment you wouldn't *need* to switch
> accounts or enter passwords. Your little sister would be able to make the
> change from her own account.

No, she very specifically would not.  That's the whole point.

> 
> Now if you think your little sister cannot be trusted with that level of
> access then this is a different issue - if she's just inexperienced
> we need a better desktop, if she's deliberately malicious maybe my
> original idea (which is overly simple I admit) needs adjusting so by
> default users are trusted then you can mark particular accounts as running
> in restricted mode or whatever. That's not user vs root though. That's
> lots of users all with the equivalent of root access, except one or two
> that are limited in arbitrary ways. 

Right, to an extent.  I still wouldn't want them to have the equivalent
of root access.  I don't run as root on my Linux boxes even though I
fully have that option.  Even an experienced user can make a mistake,
and putting barriers between the user and destructive capabilities is
useful.

That barrier doesn't *have* to be a password box.  gnomesu or whatever
could very well just pop up a "This action could be destructive blah
blah.  [Cancel] [Eat My Baby]" dialog and run the target app as root
based on that.

There's nothing about Linux or the UNIX architecture that stops that.
It's as simple as a small change to gnomesu or consolehelper or
whatever.

The existence of user accounts is an implementation detail.  A useful
one.  You can easily slap a Win98-like user interaction model on a Linux
box.

> 
> > There is no ideal security.  In some places I don't want separate users,
> > in some places I want to have a super-user, in some places I want a
> > password for each distinct task, in some places I want to assign
> > privileges to accounts, etc.  Letting the system be setup to the actual
> > needs of the administrator (be that a corporate network or a tech-savvy
> > big brother) should always be possible.  Trying to come up with some
> > all-encompassing claim of "home users don't need it" or "we should only
> > support perfect security" just makes the system unusable to everyone
> > between the extremes.
> 
> Ah well now you're saying that every computer should have an
> administrator. That's fine for homes with geeks in. For single user

Every computer *does* have an administrator.  Some just have far more
talented admins than others.  That's where defaults come in.  Defaults
should handle the case where the administrator is very very unskilled;
say, my grandmother.  If the system design assumes there is no
administrator, however, then when someone who *is* skilled comes in,
they find the system hamstrung.

Linux can have "easy for unskilled home user" defaults while still
retaining its full access control (or better access control through MAC
and so on) for users that wish to utilize it.

I don't really think there's such a fundamental problem as (I'm
interpreting) you are making it out to be.  It's more just defaults and
a few UI bits here and there.

(Also note that the library/API I proposed would let you swap around
security models without modifying or recompiling any apps, which might
make it a lot easier to experiment with and test different models, or
let you select an appropriate one for the user at install time, etc.)
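The swappable-policy library sketched in the last paragraph, as an added example that is not part of the original thread, of GNOME, or of gnomesu/consolehelper: an application asks to perform a named action, and a policy table installed on the machine decides whether that means "just do it", "show the destructive-action dialog", "ask for an administrator password", or "refuse". Swapping the table (here, constructed "home" and "corporate" sets) changes the security model without touching application code. All action names, group names, users and the two policy tables are made-up illustrations, and the dialog and password prompts are injected callbacks so the code runs offline.

```python
"""
Added example, not code from the original thread or from any GNOME library.
Models a privilege library where applications request an *action* and an
installed *policy set* decides how it is authorized. Names are constructed.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, Set


class Decision(Enum):
    ALLOW = "allow"            # run it, no interaction at all
    CONFIRM = "confirm"        # the "[Cancel] [Eat My Baby]" dialog, no password
    AUTH_ADMIN = "auth_admin"  # require an administrator password
    DENY = "deny"              # refuse outright


# Ordering used when a user matches several group rules: most restrictive wins.
RESTRICTIVENESS = {Decision.ALLOW: 0, Decision.CONFIRM: 1,
                   Decision.AUTH_ADMIN: 2, Decision.DENY: 3}


@dataclass
class User:
    name: str
    groups: Set[str] = field(default_factory=set)


@dataclass
class Policy:
    """Per-action rule: a decision for each named group, plus a default."""
    by_group: Dict[str, Decision]
    default: Decision


# Constructed policy set for an unskilled home administrator: ordinary accounts
# get a confirmation dialog, only disk formatting needs a password, and accounts
# marked "restricted" (the thirteen-year-old sister) are refused.
HOME_DEFAULTS = {
    "system.set-clock":        Policy({"restricted": Decision.DENY}, Decision.CONFIRM),
    "system.install-package":  Policy({"restricted": Decision.DENY}, Decision.CONFIRM),
    "system.format-disk":      Policy({"restricted": Decision.DENY}, Decision.AUTH_ADMIN),
}

# Constructed policy set for a corporate network: default-deny, admins vary per action.
CORPORATE = {
    "system.set-clock":        Policy({"admin": Decision.ALLOW}, Decision.AUTH_ADMIN),
    "system.install-package":  Policy({"admin": Decision.CONFIRM,
                                       "contractor": Decision.DENY}, Decision.DENY),
    "system.format-disk":      Policy({"admin": Decision.AUTH_ADMIN}, Decision.DENY),
}


def decide(policy_set: Dict[str, Policy], action: str, user: User) -> Decision:
    """Look up how ACTION must be authorized for USER under POLICY_SET.

    Unknown actions fail closed. If the user is in several groups that have
    rules, the most restrictive rule applies; otherwise the action's default.
    """
    policy = policy_set.get(action)
    if policy is None:
        return Decision.DENY
    matches = [d for group, d in policy.by_group.items() if group in user.groups]
    if not matches:
        return policy.default
    return max(matches, key=RESTRICTIVENESS.__getitem__)


def authorize(policy_set: Dict[str, Policy], action: str, user: User,
              confirm: Callable[[str], bool],
              admin_password_ok: Callable[[], bool]) -> bool:
    """Return True if the privileged helper should run ACTION for USER.

    The UI bits (dialog, password prompt) are callbacks, so the same decision
    logic serves a GNOME dialog, a text prompt, or a test harness.
    """
    decision = decide(policy_set, action, user)
    if decision is Decision.ALLOW:
        return True
    if decision is Decision.DENY:
        return False
    if decision is Decision.CONFIRM:
        return confirm(action)
    return admin_password_ok()


if __name__ == "__main__":
    grandma = User("grandma", {"users"})
    sister = User("sister", {"restricted"})
    for who in (grandma, sister):
        for action in HOME_DEFAULTS:
            print(f"home: {who.name:8} {action:24} -> {decide(HOME_DEFAULTS, action, who).value}")
```

The application code only ever calls `authorize(...)` with an action name; whether that turns into a bare confirmation, a password box or a refusal is entirely the installed table's business, which is the point being made about defaults versus architecture. The "most restrictive rule wins" and "unknown action is denied" choices are the fail-closed behaviour a real helper should have; an `allow` default for an action would be a deliberate opt-in, not the absence of a rule.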
