pablolie;495882 Wrote: 
> My understanding is that indeed you should never, ever do anything as
> root. There are several system folders that are and should be locked for
> any user other than root on the system, for good reasons.

Oversimplistic view.  I have a dozen web/mail/svn/firewalls and such
and am routinely root.  It is difficult to change configurations when
you're not root.  (And, again, these are servers: X as root is bad.. an
xterm as root is not.  They don't even have X installed on them.)

gksudo, sudo, su, whatever.. they all make you root.

> 
> And no human user should be root. Ever. I have not advocated anywhere
> messing around with root, quite the contrary, the fact that in the end
> we are forced to dabble around with gksudo nautilus (or as yours may go)
> shows that there is something broken with the way it is implemented
> anyhow, because you force users into a basic violation of your sacred
> security policy to get a plain vanilla system going.
> 

I would agree that the pretty UI that Ubuntu insists on giving you is
broken: it should be possible to mount an external drive as part of the
boot process.  For some things, you may just have to break down and do
it by hand, though.  I don't use ntfs, so no interest in figuring out how
to make it behave correctly with permissions, which is your problem.

> 
> What I stated was something different: let us say user (or let us say
> "account") "pablo" is the main admin with the most privileges on a
> machine (mind you, he'd still never get access to root according to
> Ubuntu policies, in theory, but of course we know that is only a gksudo
> command away). The account maps to a user ID which belongs to a group. If
> user/account pablo installs SBS, the account/group's privileges should
> be propagated to the installed software automatically. It does not make
> sense to do it any other way. If my account can access a USB drive, the
> software I install should be able to access that drive too. Anything
> else is utterly unintuitive.
> 

And I disagree: SBS has its own user id so that YOU can tell it what
files it may access.

> 
> There is a big difference with configuration of settings (which
> naturally the user must do) and access to system resources. When a user
> installs a software package, the software package should have access to
> the resources the user has naturally access to. There is no added
> security in that. It's just inconvenient and utterly user unfriendly.
> 

So when I, as 'bem', install apache, apache should have access to all my
files?   I think not.

> 
> I do not believe that. The security policy is concerned with protecting
> root directories, for very good reason. A user installed USB drive is
> not a protected resource. If and when a root directory exists on the USB
> drive, then by all means that can (and is) protected. But anything I as
> a user mount to my /home/media...whatever, it should be there for every
> application I have the right to start. Anything else is confusing and
> simply not an intuitive security policy. 
> 

Then you have a beef with Ubuntu which is setting that permission.

> 
> The whole idea of Linux security is to protect root resources from
> malicious (or unintentional) attack. That principle is not violated by
> propagating user access rights to resources to software those users
> install, since in Ubuntu they are not root in any normal operation (it
> seems you run your system differently, and more power to you, mind you).

Wrong: it also involves protecting users from accessing other users'
files except when desired and keeping processes contained so that they
do not easily violate rules and leak information from one user to
another or to the network.

Not every desktop machine has a single login.

I have machines with -thousands- of logins, and making sure that
'jsmith' does not read the email of 'jdoe' is crucial.  Ensuring they do
not read or write each others web pages is critical.

In a 'desktop' configuration, perhaps it is "okay" to do what you wish,
but that, again, is a matter for Ubuntu.

SBS does -NOT- mount your drive, it does NOT enforce permissions on
your drive: the kernel does, and it does so with the guidance that
Ubuntu has when seeing new removable media.


-- 
snarlydwarf
------------------------------------------------------------------------
snarlydwarf's Profile: http://forums.slimdevices.com/member.php?userid=1179
View this thread: http://forums.slimdevices.com/showthread.php?t=71700

_______________________________________________
unix mailing list
unix@lists.slimdevices.com
http://lists.slimdevices.com/mailman/listinfo/unix
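
The point made in the reply above (a service running under its own user id only reaches what the owner/group/other bits on every path component allow) can be modelled as follows. This is an added example, not part of the original post and not SBS or Ubuntu code; all uids, gids, modes and paths are constructed, and the model is the classic mode-bit check only (no ACLs, no filesystem-specific mount options).

```python
from dataclasses import dataclass

R, X = 4, 1  # permission bits: read, search/execute

@dataclass(frozen=True)
class Proc:
    uid: int
    gids: frozenset

@dataclass(frozen=True)
class Node:
    uid: int
    gid: int
    mode: int

def allowed(p, n, want):
    """Exactly one class applies: owner, else group, else other (no fall-through)."""
    if p.uid == 0:
        return True  # simplification: root bypasses the mode bits
    if p.uid == n.uid:
        bits = n.mode >> 6
    elif n.gid in p.gids:
        bits = n.mode >> 3
    else:
        bits = n.mode
    return (bits & 7 & want) == want

def can_read(p, tree, path):
    """Reading a file needs search (x) on every parent directory, then r on the file."""
    parts = path.strip("/").split("/")
    dirs = ["/" + "/".join(parts[:i]) for i in range(1, len(parts))]
    return all(allowed(p, tree[d], X) for d in dirs) and allowed(p, tree[path], R)

# Constructed sample data: desktop user, service account, and two mail users.
PABLO = Proc(1000, frozenset({1000}))
SBS = Proc(120, frozenset({120}))                 # service uid, no extra groups
SBS_IN_GROUP = Proc(120, frozenset({120, 2000}))  # after joining hypothetical gid 2000
JSMITH = Proc(1001, frozenset({1001}))
TREE = {
    "/media": Node(0, 0, 0o755),
    "/media/pablo": Node(1000, 1000, 0o700),      # per-user mount point
    "/media/pablo/usb": Node(1000, 1000, 0o700),
    "/media/pablo/usb/a.flac": Node(1000, 1000, 0o700),
    "/media/music": Node(1000, 2000, 0o750),      # same data mounted with a shared gid
    "/media/music/a.flac": Node(1000, 2000, 0o640),
    "/var": Node(0, 0, 0o755),
    "/var/mail": Node(0, 8, 0o775),
    "/var/mail/jdoe": Node(1002, 8, 0o600),
}
```

The service account is refused at the first directory it cannot search, so opening up the file alone changes nothing; granting access through a dedicated group keeps the rest of the user's files closed to it.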
