Root access removed

Lamar Owen lowen at pari.edu
Tue May 11 15:54:37 UTC 2004


On Tuesday 11 May 2004 09:32, Jeff Vian wrote:
> /etc/fstab controls the access when mounting.   Configure it there to
> allow the user to mount/unmount and access it.

Ok, so I configure the memstick today, which is /dev/sda1.  I have the proper 
options in fstab to allow the user to do that.  Now, the user plugs in a  
camera (that is managed by usb-storage), it gets /dev/sda, and then he plugs 
in the memstick (which gets /dev/sdb).  Now what?  Tomorrow he adds a USB 
hard drive (already partitioned and formatted, BTW).  Now what?

With KDE you can see devices and such on the desktop if you would like, but 
the permissions have to be set up first.

> A little bit if time spent on education is much better in the long run
> than just removing obstacles.  Ever hear the one about "Give a man a
> fish and he eats for a day.  Teach a man to fish and he eats forever.")?
>  It applies to using computers as well.

Yeah, but sometimes when somebody asks 'What time is it?' he doesn't want to 
know how to build a watch.  When I go into McDonald's and ask for a Big Mac I 
don't want a lesson in butchery, USDA inspection, frying temperature, 
condiment formulation, hydroponic growing of salad greens and vegetables, 
proper rennet mixture for curdling, oleo versus diary mixture to meet USDA 
standards for naming a product 'cheese' versus 'cheese food', vinegar 
solution percentages for proper acidity to react with cucumber slices, 
growing techniques for oriental seed spices, and appropriate yeast cultures 
for particular strains of wheat for desired bubble sizes.  I just want to eat 
a Big Mac.  This also applies to computers: sometimes people just want to get 
their work done.  This is not a wrong thing to want.

> I understand your point, and as long as the user understands the risks
> of being root user and the ease of causing severe damage to his system
> with a simple typo when he is logged in as root, it is, after all, /his/
> system.

This is again where a well-configured SELinux setup will solve many problems.  
The hard part is getting it well-configured.  Under SELinux carried out to 
the max there _is_ no root.  This is also a good thing.  SELinux and similar 
technologies should be thought of as ways to improve both security of the 
system and convenience to the user.  With proper application of this 
technolgy much finer-grained balancing of security versus convenience may be 
done.  But the tools to do this must be easily configured, and the defaults 
must be very carefully chosen.
-- 
Lamar Owen
Director of Information Technology
Pisgah Astronomical Research Institute
1 PARI Drive
Rosman, NC  28772
(828)862-5554
www.pari.edu





More information about the users mailing list