Lock screen does not work for root in gnome

Sean Middleditch elanthis at awesomeplay.com
Tue Oct 19 14:32:51 UTC 2004


On Tue, 2004-10-19 at 15:10 +0100, Jonathan Andrews wrote:
> On Tue, 2004-10-19 at 14:50, Nils Philippsen wrote:

snip... (try cutting down the mails here people)

> > We basically have two choices:
> > 
> > - Making the system "easy" while at the same time making compromises on
> > security. This is what Windows does.
> > - Making the system as secure as we can get it while still allowing the
> > user to do the things he wants to do. That is what we try to achieve.
> > 
> > You really want to vote for the first option? I guess you're in the
> > minority then ;-)
> 
> It's not a question of easy! It's a question of arrogance .... your
> argument is that because you know it's a bad idea people should not be
> able to do it. Ok - I could live with a warning .... even better if it
> only happens the first time root logs in, but disabling root logins in X
> is only going to cause problems, unless you can get every other distro
> to follow suit .....

If you are experienced enough to have a reason to run anything as root,
you are experienced enough to click the checkbox in the GDM
configuration to turn root logins back on.

Many other home-user oriented distros disable root logins, or even get
rid of the entire account at all.

> > As we're still lacking the make_this_machine_a_media_appliance-1.0-1.rpm
> > package, we can safely (securely? ;-) assume that the person who wants
> > to do that needs to fiddle a good deal anyway so editing gdm.conf or
> > similar files isn't too onerous IMO.
> 
> I see situations like this.
> 
> novice user 1 - "how do I configure N",
> novice user 2 - "log in as root and run this GUI tool"
> novice user 1 - "It won't let me"
> novice user 2 - "My machine does?"
> etc etc etc etc

So the problem is you have two novices, neither of whom knows what the
hell they're doing, running into problems caused by differences by using
two completely different operating systems?  (I don't care if they have
the same kernel or glibc or anything, those are teensy minor bits of
what makes an OS.)

Nothing stops the users from running GUI tools as root.  The
configuration tools in Fedora will *still* run as root.  They'll still
pop up and ask for a password.  (Either the root password, or the user's
password using the SELinux roles mechanism or sudo.)

If a user needs to run a tool as root, they can log in as their user and
use su or sudo.  Simple.  It can even be a graphical tool.  It Just
Works(tm).  Not to mention it's a hell of a lot more convenient than
logging in as a whole different user at the login screen again.

> 
> Makes me wonder what userbase Fedora is aimed at? Should home users be
> using Debian - if so who is Fedora for?

*snort*  Debian.  For home users.  Riiiight.  ;-)

> 
> I suppose you want to pop-up a window in xine now saying "Playing this
> video while logged in as root is a security risk" 

YES!  These are apps that often use Windows DLLs and/or very complex
codec libraries that have had zero code review or testing.  It is
absolutely moronic to be running random movies you get as fricken' root.
There's *no* reason at all that xine can't play the same videos as a
normal user.

If your PVR is configured to run things as root, you misconfigured your
box.  It is flat out stupid and it's perfectly good that the OS tries to
stop you.  Then maybe you'll go online, look for help, and find the
documentation telling you how to configure the box intelligently.

> 
> Jon
> 
> 
> 
-- 
Sean Middleditch <elanthis at awesomeplay.com>
AwesomePlay Productions, Inc.



