[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Lock screen does not work for root in gnome



On Tue, 2004-10-19 at 02:12, Jeff Spaleta wrote:
> On Tue, 19 Oct 2004 01:44:26 +0100, Jonathan Andrews
> <jon jonshouse co uk> wrote:
> > Bite me !
> 
> Tell me where i get in line.  
> 
> > Users should have the power to choose, even if you personally think its
> > a poor choice.
> 
> Choose what? Choose to use less secure defaults? Choose to recompile
> software using less secure settings? Choose to write their own
> software?
> 
> Here let me reparse what seth said with my "by default" clause
> post-processor and see if you can stomach my version:
> 
>  Disable root graphical logins..... by default
>  Period.
>  make it so gdm or kdm or xdm just exit... by default
>  hell, you could make the xinitrc script handle it...by default:
>  if your uid is 0 then you throw up a hate-filled messaged and
> exit....by default
>  EOD.... by default
> 
> I'll grant you that there are some bizarro pieces of software out
> there, but if they require you to be logged into X as root, that
> software has to be considered at the very least buggy if not
> malicious. But I see nothing wrong with making the default settings
> for gdm revoke all root user attempts at logging in..by default. And I
> see no problem taking a more aggressive stance by hardcoding a well
> commented root login check into xinitrc that anyone who wants to break
> the no root login must find and comment out. As a local admin, you
> would still have the choice to reconfigure gdm or the xinitrc script
> to lift those defaults.
> 
> > If you have such a security fetish then go play with firewall rules in
> > the corner and leave us users to decide how to operate our machines !
> 
> No, security is a community wide problem. As we learn every day,
> insecurely admined boxes on the public internet can cause problems for
> everyone and not just the person with the hacked box who doesn't take
> the time or have the patience to do things securely. Security, sir, is
> everyone's problem. And I'd much rather see buggy graphical software
> fixed so that it doesn't require root login, than to have someone
> inexperienced(who doesn't have the skill to even reconfigure a shell
> script like xinitrc to enable root login) think that loginning into as
> root is an acceptible workaround for common problems.

I think you simply miss my point. 

Ok, so yet another Unix security person with the attitude that "mummy
knows best".  

Those who are learning will WANT to login as root to configure, its the
way they think it should work - they are going to look lost and confused
if you start shipping things with defaults that stop them. 

As for pop ups with "Don't do this, its naughty" - BAHHH !!! DONT !!! On
the one hand we have security people trying to take out things people
need, on the other we have the GUI people trying to put in more
pointless crap.

Those who want better security will configure things for it, however
some people don't want to know. 

I for example have a number of systems that use X servers to display
status information and video. At one point I thought I was going to have
to re-write the whole thing next time I upgraded because some security
minded person at Xfree decided that removing the "-ac" option from the X
server is "more secure"

Don't force users who want a media player in the living room, or just
want to have a play with linux to behave like administrators. A lot of
home users run with almost no security at all - worry about the network
cable not the physical machine......

Jon



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]