This is drifting further off-topic all the time.  I hope that some
of you find it amusing.

At 1:47 AM -0800 1/18/03, Rich Morin wrote:
>At 6:52 PM -0800 1/17/03, Heather Madrone wrote:
>>I don't see any Unix daemons on my machine (running in single-user
>>mode) that aren't running as root
>
>Are you saying that this is a good thing (:-)?

Just noting the facts, sir.  I suspect that running in single-user mode
might have something to do with it.  Many Unices are much less
protective in single-user mode than they might otherwise be.
The init man page explains some of this, for the curious.

>My personal theory is that no program should run with any more power
>than it needs to do the tasks it's assigned. 

Y'know, I was arguing this when OS/2 came out back in 1986.  Lots
of people weren't willing to trade their god-given right to poke the
screen buffer to gain protection levels.

>I dunno if FreeBSD's
>root-level daemons all fit this description, however.  For instance,
>why does lpd need to run as root?

I suspect because no one has gotten around to fixing it yet.
You could try "send-pr" to report it as a bug, and maybe they'll
take care of it Real Soon Now.

>>... if you're going to play on Unix, it's always a good idea to be
>>mindful of your program's UID.  The default's often not what you
>>want, one way or the other.
>
>Quite true, but Mac OS X is being marketed as a mass-market OS, so
>it may make sense to make the defaults as safe as possible.  If a
>developer really needs her daemon to run as root (or whatever),
>make her say so explicitly.  Otherwise, we'll have a lot of things
>running as root that don't need anything like that amount of power.

These are programmers we're talking about who are writing daemons,
right?  We're not talking about computer-illiterate grandpas who use
their computers only to read email, surf the web, and watch DVDs.
And presumably these programmers are inflicting these daemons on real,
live, paying customers?  And these customers might be a wee bit perturbed
if these daemons started scribbling garbage where they have no business
sticking their snouts?

Unless you want to change the way fork works (breaking many perfectly
well-behaved applications while you're at it), then I can only think of
about a dozen options.

Create a new, safe fork that requires triplicate signed forms from some
Gods somewhere before it allows a process to be forked as root.  All
other processes either supply a destination UID or are given a new,
machine generated one.  Old programs use the old fork, and are
prodded along to Get With the New Program.  Takes about 10 years
to implement after it's introduced.

Teach programmers self-restraint (and let the market help you weed
them out).  Programmers, by our very nature, need the power to change
things on computers.  Therefore, let us use good defensive programming
practices, code reviews, peer review, and other methods to make sure
that we toe the line.

Fix Unix's antiquated protection system so that you can actually deal
with the permission issues of dozens of different high-level daemons which
are not running as root.   (Another 10 year project.)

Wait for sleeping dogs to get up and bite you before you fix them.  The
open-source world is good at this, and I don't honestly see how it can
work any differently.  When volunteers do the work, they work on what
they want to work on, and cleaning up other people's old code is no one's
favorite job.

~~~

Y'know, that big trash can on the bottom of my screen kind of scares me.
During the first day I owned my Mac, I dragged Terminal.app out on
the desktop where I could get to it more easily.  I figured it would put
an alias on the desktop, the way sensible systems do.  Then I figured
out how to drag it onto the Dock, and did that.  Then I thought, I don't
need this on the desktop anymore, so I'll just drag that copy into that
big ole trash can.

Okay, so for some reason that Terminal.app keeps right on working from
the Dock for the next few months.  Then one morning, I say to myself,
"Heather, I know you have a huge old disk here, but let's be tidy and
empty the trash.  You've been on this machine a while, and nothing's
gone missing that you later needed."  So I emptied it, and bang! there
went Terminal.app.

And I thought, "How broken is that?  These guys are worried about the
damage they can do with a root password.  How about the damage they
can do right here in the gui?"

-- 
Heather Madrone  ([EMAIL PROTECTED])  http://www.madrone.com
If we're not having fun, we're not doing it right.
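The thread above argues that a daemon should be mindful of its UID and run with no more power than it needs.  The usual way to do that on Unix without changing how fork works is for the daemon to start as root only long enough to do what requires root (bind a low port, open a log file), then drop to an unprivileged account and prove to itself that it cannot climb back.  The following is an added example written for this page, not code from the e-mail or from FreeBSD's lpd; the unprivileged uid/gid are whatever you pass on the command line (the example assumes you have created a dedicated account for the daemon), and the setgroups/setgid/setuid ordering is the part most often gotten wrong:

```c
/* Added example (not from the original e-mail): permanently drop root
 * privileges in the order that actually works, then verify the drop
 * instead of trusting it. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently switch to target_uid/target_gid.
 * Returns 0 on success, -1 on failure with errno set (EINVAL for a refused
 * request, EPERM if the identity is not what we asked for afterwards, or
 * whatever the failing libc call left behind). */
int drop_privileges(uid_t target_uid, gid_t target_gid)
{
    /* A daemon asking to "drop" to uid 0 or gid 0 is not dropping anything. */
    if (target_uid == 0 || target_gid == 0) {
        errno = EINVAL;
        return -1;
    }

    if (geteuid() == 0) {
        /* Order matters: supplementary groups and the GID must change
         * while we are still root, because once the UID is gone we no
         * longer have the privilege to change them. */
        if (setgroups(0, NULL) != 0)
            return -1;
        if (setgid(target_gid) != 0)
            return -1;
        /* Called by root, setuid() sets real, effective AND saved UID,
         * so there is no saved root UID to come back to. */
        if (setuid(target_uid) != 0)
            return -1;
    }

    /* Verify: every identity field must match the request ... */
    if (getuid() != target_uid || geteuid() != target_uid ||
        getgid() != target_gid || getegid() != target_gid) {
        errno = EPERM;
        return -1;
    }
    /* ... and the kernel must refuse an attempt to become root again.
     * If either call succeeds, the drop was not permanent: bail out. */
    if (setuid(0) != -1 || setgid(0) != -1) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    /* Usage: ./drop UID GID   (run as root to see a real drop; as an
     * ordinary user, only your own uid/gid will verify successfully). */
    if (argc != 3) {
        fprintf(stderr, "usage: %s uid gid\n", argv[0]);
        return 2;
    }
    uid_t u = (uid_t)strtoul(argv[1], NULL, 10);
    gid_t g = (gid_t)strtoul(argv[2], NULL, 10);

    if (drop_privileges(u, g) != 0) {
        fprintf(stderr, "drop_privileges: %s\n", strerror(errno));
        return 1;
    }
    printf("now running as uid %ld gid %ld; setuid(0) is refused\n",
           (long)getuid(), (long)getgid());
    return 0;
}
```

The verification step is the point of the example: a daemon that calls setuid() and moves on has only asserted that it dropped privileges, while one that checks getuid()/geteuid() and then confirms setuid(0) fails has actually proven it.  Do the drop after the root-only setup (privileged port bound, log file open, chroot done if you use one) and before touching any input from the network.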
