[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: What I HATE about F11



On Sat, 13 Jun 2009 22:19:17 -0400
"Charles Butterfield" <charles butterfield nextcentury com> wrote:

> Okay, so I mostly love Fedora.  However, here are 4 things that got by
> blood really, really boiling, so I thought I'd share my emotions.
> They are mostly policy issues, where I think you have gotten it very
> very wrong.

Well, "wrong" is a fairly subjective term, but each to their own. :-D
 
> 
> Just installed F11 64 bit, here are the things I hate about it in the
> first 30 minutes (of course there are a lot of things I like too, but
> they work, these don't). No doubt more will crop up.
> 
> *	Root gdm login - gets harder every release - SHAME ON YOU
> root nazis!

Ich bin ein secure user and you should be too. Logging in as root into
X directly (or the console for that matter) is a *bad idea*. Yes a
*BAD IDEA*

This isn't specific to Fedora or even Linux/UNIX for that matter
(Savvy Windows admins have been trying this too to no avail. They do
exist, in times past I was one..)

With the likes of sudo / ConsoleKit / console-helper et. al you should
never, ever need to run an extended session as root. Your day-to-day
work can be done perfectly well as a standard non-privileged user, the
applications that *need* root, especially in X, are hooked into
consolehelper/ConsoleKit anyway and will prompt you for the root
password in any case (when run as a regular user)

As a systems administrator I applaud this idea, as it stops people from
shooting themselves in the foot (which is more like a Howtizer, be it a
desktop or server)

As a BOFH I'd like to see it extended further, lecturing/LARTing the
user for even attempting root login on X/direct tty :-P

> *	Samba (outbound) browsing requires firewall mods

Turn off the firewall (if you're on a trusted local network) or punch
the required holes (137-139,445,kerberos) via
system-config-firewall otherwise.

The default firewall is quite strict, which given that new users are
often ignorant of UNIX security is not such a bad idea (see bullet/foot
above)

> *	Jamming SELinux enforcing mode with no query during install

I've done reinstalls and upgrades and not seen a denial AVC - I believe
if it runs during the installer it would be a permissive / targeted
mode. I did have SELinux break an upgrade but that was many releases
back, and a relabel fixed it.

> And a bug:
> 
> *	My "supported" NVIDIA card (Quadro NVS 295) is not detected -
> okay this may not be due to overt, mulish arrogance, but I did check
> the supported card list and it is really annoying.
 
While noveau is better than prior releases, it's not perfect - I have a
8800GS - noveau works but it kernel panics and glitched out on me on a
couple of occasions (suspect my system has a conflict somewhere) - 
the nvidia binary blob works, it's not my preference but got things
going. I'll give it another whirl in a future update

My card is supported too, but it doesn't mean it's perfect.

> The first 3 items are just freaking absurd and represent some sort of
> political agenda combined with astonishing arrogance.

You forgot the "IMHO". Can you outline this "political agenda" you
speak of, or are you being melodramatic?

I happen to believe the reasons are much simpler - sound technical and
*secure* usability. We're not being bastards for the sake of it.

> Is a graphical root login dangerous -- of course! So are a lot of
> things, which have obvious enable/disable controls. Was this this
> discussed in the release note? - NO. Should it be inhibited by an
> ever-increasing set of obscure work-arounds (in this case an new file
> to edit in F11)? Of course not.

Again, you forgot the "IMHO". Your case is (hopefully) a minority one -
most users won't know or care, those that do will try and find out how
to enable it if they *really* want it. Making it simple to do something
that is inherently dangerous is just bad practice and WILL bite users
on the backside.

> (Well as was pointed out to me in
> thread http://forums.fedoraforum.org/showthread.php?t=223793  this is
> discussed... but in non-highlighted text at the end of the boring last
> bullet suggesting you "save and close").
> 
> 
> And why on earth show the stupid "Windows Network" if it doesn't work
> -- just gives an obscure error message "Failed to retrieve share list
> from server". If you install the client, the reasonable man would
> open the ports, OR provide a cluefull error message.

Take up the error message with the nautilus developers - it's
technically correct (if the firewall is closed then the browse list
will not be retrievable from the DC/browse master) but not very
specific.

The firewall case is different again: The precise ports to open vary by
environment (are you on an Active Directory domain or a Samba3/NT4
style domain? The ports differ slightly between versions)

Also changing system security silently and dynamically in a package
install, without the user/admin's knowledge is a definite no-no.

> 
> SELinux - enforcing???? So all the bugs are worked out? I think not.
> 

Where did it break? The SELinux guys are usually pretty keen to see any
serious AVC / denials.

>  
> 
> Regards
> 
> -- Charlie Butterfield

Michael Fleming.

-- 
Michael Fleming <mfleming thatfleminggent com> - (EMail/XMPP/Jabber)
WWW: http://www.thatfleminggent.com
Fedora / Red Hat Packages: http://www.thatfleminggent.com/rpm-packages
Twitter: http://twitter.com/thatfleminggent 


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]