Root access removed
Lamar Owen
lowen at pari.edu
Tue May 11 15:54:37 UTC 2004
On Tuesday 11 May 2004 09:32, Jeff Vian wrote:
> /etc/fstab controls the access when mounting. Configure it there to
> allow the user to mount/unmount and access it.
Ok, so I configure the memstick today, which is /dev/sda1. I have the proper
options in fstab to allow the user to do that. Now, the user plugs in a
camera (that is managed by usb-storage), it gets /dev/sda, and then he plugs
in the memstick (which gets /dev/sdb). Now what? Tomorrow he adds a USB
hard drive (already partitioned and formatted, BTW). Now what?
With KDE you can see devices and such on the desktop if you would like, but
the permissions have to be set up first.
> A little bit of time spent on education is much better in the long run
> than just removing obstacles. Ever hear the one about "Give a man a
> fish and he eats for a day. Teach a man to fish and he eats forever."?
> It applies to using computers as well.
Yeah, but sometimes when somebody asks 'What time is it?' he doesn't want to
know how to build a watch. When I go into McDonald's and ask for a Big Mac I
don't want a lesson in butchery, USDA inspection, frying temperature,
condiment formulation, hydroponic growing of salad greens and vegetables,
proper rennet mixture for curdling, oleo versus dairy mixture to meet USDA
standards for naming a product 'cheese' versus 'cheese food', vinegar
solution percentages for proper acidity to react with cucumber slices,
growing techniques for oriental seed spices, and appropriate yeast cultures
for particular strains of wheat for desired bubble sizes. I just want to eat
a Big Mac. This also applies to computers: sometimes people just want to get
their work done. This is not a wrong thing to want.
> I understand your point, and as long as the user understands the risks
> of being root user and the ease of causing severe damage to his system
> with a simple typo when he is logged in as root, it is, after all, /his/
> system.
This is again where a well-configured SELinux setup will solve many problems.
The hard part is getting it well-configured. Under SELinux carried out to
the max there _is_ no root. This is also a good thing. SELinux and similar
technologies should be thought of as ways to improve both security of the
system and convenience to the user. With proper application of this
technology much finer-grained balancing of security versus convenience may be
done. But the tools to do this must be easily configured, and the defaults
must be very carefully chosen.
--
Lamar Owen
Director of Information Technology
Pisgah Astronomical Research Institute
1 PARI Drive
Rosman, NC 28772
(828)862-5554
www.pari.edu