Re: [sabayon] hello



Neat.

Thanks for the response thus far guys.

Alexander, thank you for some of the points below, I have not considered
a lot of the ideas you brought up.

Indeed, I think I now am starting to understand where the complexity is.

Allow me to comment on only one point, that being the "anal desktop".  In
my humble opinion, there is no such thing as a 'restricted desktop',
there are only custom designed desktop environments designed for certain
workflows and the administrator's understanding/misunderstanding of the
users' needs.  Kiosks for example require different workflows and
security needs from programmer desktops.  In our own pilot testing,
CHOICE turns out to actually be a bad thing for our users, they say they
want choice but it turns out what they really want is for all things to
always be in the same place and work the same regardless of who the last
employee using it was (even without logging out).

My enthusiasm for lock down features does not revolve around disabling
the user experience but around engineering workflows for different users
and their needs. I have always thought of computers as 'interfaces to
the mind' and thus thinking about engineering this interface to the mind
on a needs basis is quite exciting, at least to me.

I will take due note of some of your points and start testing them
further, but in light of some of the things brought up, I would say
Sabayon is essentially useless at this point.  If a user can bring in
their own .gnome dir and run it, then effectively there is really no
point to this whole project.  I don't know why this didn't occur to me
before :)

This brings up an additional point, why would anyone even bother to
write such a tool that stores "lockdown" information in such a way that
the user can change it if they know how?  Why bother even trying to lock
anything down at all?

I am going to have to consider overall security and workflow/lockdown
issues further, perhaps Red Hat is right about Linux not being ready for
the desktop after all.

- Robert



On Fri, 2006-17-03 at 10:22 +0100, Alexander Larsson wrote: 
> On Thu, 2006-03-16 at 13:44 -0800, Robert Taylor wrote:
> 
> > 3.  I noticed some funkiness in the general approach to the Sabayon
> > concept.  I grok the coolness of using xnest to visually drag and drop
> > changes.  Unless I am missing something here, the downside is that once
> > you remove for example alacarte or remove access to gconf via the 2 or 3
> > ways you can get to it, that you effectively 'paint yourself into a
> > corner' where you can't go back and make changes that require those
> > tools for access (usually toward the end of the process where you go
> > 'I'm done' then go 'oh shit I forgot something').  Does anyone else find
> > this as well or am I missing something obvious?
> 
> I'm not sure exactly what you mean, but have you seen the menu item
> "Edit->Enforce Mandatory" in the profile editor? If you disable that
> then you will be able to change mandatory settings in the editor, which
> is useful in some cases.
> 
> > 4.  One "quirk" that i found was that one can disable access to gconf by
> > removing the icon menu, but that really isn't actually disabling access.
> > You are just removing the convenience and can still use nautilus to
> > traverse the file system and start up gconf if you need to.  That brings
> > up the question in regards to what exactly are user profiles really
> > configuring, the desktop environment features or locking down the system
> > security?  I am just wondering if there is a general philosophical
> > approach to this, are we simply using sabayon to customize the user
> > experience and should use other tools (well normal unix techniques for
> > managing security) or is the project aiming at something more?  I'm just
> > curious about people's opinions on this.
> 
> Lockdown is a complicated concept. If you take things to the extreme,
> all you need is a way to copy files to your homedir and launch them and
> the user can do anything. I mean, he could easily build a full copy of a
> not-locked-down gnome, copy it into his homedirectory and start it. So,
> if you choose to lock down just a single setting that is not really 100%
> impossible to change. However, in practice it is to most users. 
> 
> The various lockdown options available could, in combination with unix
> security and a lot of work make it possible to create a fully locked
> down system, since there are lockdown options like "don't allow command
> lines" etc in various gnome apps. Of course, this will result in an
> extremely anal desktop where you can do almost nothing (and it's easy to
> forget some attack vector when setting it up, so it might not actually
> be 100% secure).
> 
> One detail in how sabayon works is that the "mandatory" gconf settings
> are actually stored in the users homedir, so you could with a bit of
> work possibly change those (although they would be re-written on the
> next login). If the mandatory config was stored somewhere else, not
> writable to the user then this attack vector would be removed. However
> that is a lot more complex to handle (i.e. you would need some setuid
> thing during login), and doesn't remove all attack vectors anyway.
> Non-gconf "mandatory" settings are similarly vulnerable. They are only
> copied over on each login. 
> 
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>  Alexander Larsson                                            Red Hat, Inc 
>                    alexl redhat com    alla lysator liu se 
> He's a gun-slinging arachnophobic shaman who knows the secret of the alien 
> invasion. She's a mentally unstable French-Canadian research scientist with 
> the soul of a mighty warrior. They fight crime! 
> 
> 
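
The point raised in the quoted reply, that a "mandatory" settings file only binds the user if neither the file nor any directory above it is under that user's control, can be checked mechanically. The following is an added example, not code from this thread or from Sabayon; the function names are hypothetical, and it assumes plain Unix mode bits (no ACLs) with the path and uid supplied by the administrator.

```python
import os
import stat
import sys

def _has(st, uid, gids, bits):
    """Mode-bit check only (ACLs, capabilities and root are not modelled)."""
    if st.st_uid == uid:
        shift = 6
    elif st.st_gid in gids:
        shift = 3
    else:
        shift = 0
    return ((st.st_mode >> shift) & bits) == bits

def tamper_paths(target, uid, gids=frozenset(), stop="/"):
    """Return (path, reason) pairs showing how `uid` could alter `target`.

    Checks the file itself, then every ancestor directory up to `stop`:
    write+search permission on a directory lets a user replace the entry
    beneath it even when the file itself is read-only.
    """
    target, stop = os.path.realpath(target), os.path.realpath(stop)
    findings = []
    st = os.stat(target)
    if st.st_uid == uid:
        findings.append((target, "owned by user, who can chmod and rewrite it"))
    elif _has(st, uid, gids, 0o2):
        findings.append((target, "writable by user"))
    child = target
    while child != stop:
        parent = os.path.dirname(child)
        if parent == child:  # filesystem root reached
            break
        pst = os.stat(parent)
        if pst.st_uid == uid:
            findings.append((parent, "directory owned by user"))
        elif _has(pst, uid, gids, 0o3):
            # Sticky bit: only the entry's owner (or the directory's) may replace it.
            sticky = pst.st_mode & stat.S_ISVTX
            if not sticky or os.stat(child).st_uid == uid:
                findings.append((parent, "user can replace " + os.path.basename(child)))
        child = parent
    return findings

if __name__ == "__main__":
    # Usage: script.py <settings-file> <uid>; both supplied by the administrator.
    for path, reason in tamper_paths(sys.argv[1], int(sys.argv[2])):
        print(path + ": " + reason)
```

An empty result means the mode bits give that user no way to change the file; any settings file kept under the user's own home directory will always produce at least one finding.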



