If I were to make a desktop friendly to me, I would provide a
system service/library/daemon/whatever, where every application
installed on the system could register (during installation) a set of
commands to be executed later with root privileges, and later ask for
execution of those commands, assuming that the service will take care
of communicating with the user and authorizing such a request.
So during application installation I could do an audit if I wanted.

This way every application designed for that framework could be programmed
in a standard way, and I would have to authenticate once in a while (like sudo
does), having control over what is executed with root privileges.

This gives freedom to everybody: the developer to design the set of privileged
commands/application flow/etc., the admin/user to audit/use it.

Now, every application may solve this in its own different way.

Systemd, in contrast, gives a fixed set of commands and forces all to use it.

--
regards
piotr

On Thu, 30 Jul 2015 01:30:36 +0200, Laurent Bercot <ska-de...@skarnet.org> wrote:

On 29/07/2015 19:44, Jaromil wrote:
IMHO the bigger barrier to this is not having
a string parsing code (or basic grammar)
that is security oriented, I mean hardened
to run as root and handle corner cases

  The tool I linked does no parsing at all. The user gives the end
of the command line she wants to run, but the start of the command
line is fixed at daemon start time. One daemon per start of
command line; you can have hundreds of those if needed, because
each instance uses very little memory (max 2 pages of private dirty
stack, no heap).


most code out there has too many features
and is too ambitious to fulfill such a simple task

  I have a lot of tools that fulfill simple tasks, specifically made
to address these kinds of problems. When you're done with your
priorities - releasing Devuan 1.0 -, let's talk.


I think I speak for most people here when I say we dislike
the quantity of undocumented daemons running
on gnu/Linux desktop nowadays and
I hope we can trim that down with Devuan

  The real sticking point in what you just wrote is "undocumented".
  I think most people wouldn't mind a pandemonium on their machine IF
they knew exactly what daemon is doing what, how many resources a
daemon consumes, and how to disable the ones they don't need.



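The two designs discussed in this thread (commands registered at install time for later privileged execution, and a command line whose start is fixed while the requester supplies only the end) can be sketched together. This is an added example, not code from any poster or from the tool Laurent linked; `CommandRegistry`, `net-status` and the `authorized` flag are hypothetical, and the "privileged" program is a constructed stand-in that only reports its argv.

```python
import json
import subprocess
import sys

# Constructed stand-in for a privileged program: a child that reports its argv.
REPORT_ARGV = [sys.executable, "-c",
               "import json, sys; print(json.dumps(sys.argv[1:]))"]

class CommandRegistry:
    """Hypothetical service: fixed command prefixes registered at install time."""

    def __init__(self):
        self._prefixes = {}

    def register(self, name, prefix):
        # Install-time step; the stored prefix is what an admin would audit.
        if name in self._prefixes:
            raise ValueError(f"{name!r} is already registered")
        self._prefixes[name] = tuple(prefix)

    def audit(self):
        # Everything that can ever run with privileges, by registered name.
        return dict(self._prefixes)

    def run(self, name, tail, authorized):
        # 'authorized' stands in for the user confirmation step (assumption).
        if not authorized:
            raise PermissionError("request was not authorized")
        if name not in self._prefixes:
            raise KeyError(f"{name!r} was never registered")
        if not all(isinstance(a, str) and "\0" not in a for a in tail):
            raise ValueError("tail must be strings without NUL bytes")
        # The tail is appended as separate argv entries: no shell, no splitting.
        argv = list(self._prefixes[name]) + list(tail)
        done = subprocess.run(argv, check=True, capture_output=True, text=True)
        return json.loads(done.stdout)

def demo():
    reg = CommandRegistry()
    reg.register("net-status", REPORT_ARGV + ["--mode=status"])
    # Shell metacharacters in the tail arrive as literal argument text.
    return reg.run("net-status", ["eth0; echo injected", "$(id)"], authorized=True)

if __name__ == "__main__":
    print(demo())
```

The registered program still interprets the tail as its own arguments, so a prefix meant for real use would need to be chosen with that program's option handling in mind.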