Andrew McNabb wrote:
> Since 71.3% of all statistics are made up on the spot, I'm not sure I
> trust your 99% number. Here are a few things that you might not have
> considered in your estimate:
>
> 1) Any desktop or laptop I set up is a multi-user system, with accounts
> for various family members and friends (do you really want it to be
> brain-dead easy for your kids to install the "p0rn-comfort" package?).

I highly doubt the p0rn-comfort package is in the standard Fedora repos anyway, though there is a questionable cpu monitor in the Ubuntu standard repos. Furthermore, if you're going to the work of setting up a family computer with separate accounts (you are only one of maybe 3 people I know that does this), you'd go to the work of making sure the PolicyKit settings are set right for your kids' accounts. In a way this is no different than Mac's parental controls. For most users, though, the defaults are sane.

> 2) Does your 99% number take into account computer labs? For example,
> there are some 100 Fedora machines in the CS department open labs; for
> 99% to be home users, there would have to be 9,900 single-user installs to
> offset these 100 machines. To offset the 30 machines in our single
> research lab, there would have to be 2,970 single-user machines out
> there.

No it does not. The CS dept (any uni lab) is a special case. For academic use as you say. In the CS dept's case, Fedora has to be configured and hardened anyway. PolicyKit just makes it easier to harden. Write a policy and push it out. Disable removable executable bits? check. Disable setuid on removable devices? check. Disable any kind of privilege elevation? check. Or in some cases, remove removable device support entirely from the desktop experience.

> 3) If I install a machine for a computer-illiterate family member or
> friend, they consider me the admin. In most cases, I've made sure that
> they have the root password, but this isn't always desirable.

Though you may think of adminning as normal for Linux, in my most users out there don't set up machines this way and don't think of such a person as an "admin" since they don't know what an admin is. To them I'm just the guy that fixes things for them. Most families don't have admins other than some nephew that comes over to clean viruses once in a while.

While you and I may have our families all networked with VPNs and do remote sysadminning, we are not normal. PolicyKit makes it easier to do the adminning though. Most of my family want to be able to install software. So the default works. In some cases they might want more or less control. I can do that with F12.

> I say this frequently, but it isn't always true. For example, the CS
> department has lab monitors, BIOS/GRUB passwords, and cameras for the
> express purpose of giving people console access without letting them
> have unlimited control.

My hypothetical neighbor trying out Fedora certainly is not in a situation like this. It's his computer; the idea of having to log in as a completely different user (root) is a very strange idea to him. And except for certain amounts of malware protection, this is merely an obstacle thrust in his way that serves no purpose.

> Anyway, I think the fundamental issue going on here is that Linux has
> recently been including new systems like udev, dbus, PolicyKit,
> NetworkManager, etc.
> <snip>

Note that before PolicyKit and friends, a lot of things were hacks, plain and simple. Like access to removable devices. I remember playing all kinds of automounter games when I was a CS admin to allow students to use their zip drives, etc. I even remember the bad old days when you had to use a setuid program called mtools to access floppies! All because mounting took root privileges. It's better now (and more secure).

> Administratability, if that's a word, has definitely declined over the
> last five years. I think it's more growing pains than a permanent loss,
> but there is definitely a ton of work to be done. In my opinion, the
> PolicyKit debate isn't just about the mildly insecure defaults; it's also
> about how administrators feel like they don't even know what's on their
> systems anymore.

I dunno about that.
With PolicyKit hitting RHEL6, I should be able to set up and control the desktop experiences of my users much more easily than I do now, which is basically an all-or-nothing approach. There's root and then there's everyone else. For faculty members this is really problematic. I want to be able to keep their machines running well, but the lack of fine-grained admin controls is a real hurdle. If they need to install instrument software I have to grant them sudo access, which means they can really screw things up if they try. I'd rather give them the ability to do some things, but not other things (like screw up network settings).

--------------------
BYU Unix Users Group
http://uug.byu.edu/

The opinions expressed in this message are the responsibility of their author.
They are not endorsed by BYU, the BYU CS Department or BYU-UUG.
___________________________________________________________________
List Info (unsubscribe here): http://uug.byu.edu/mailman/listinfo/uug-list
