Linked by Thom Holwerda on Tue 28th Feb 2012 23:11 UTC
Linus Torvalds on requiring the root password for mundane tasks. "So here's a plea: if you have anything to do with security in a distro, and think that my kids (replace 'my kids' with 'sales people on the road' if you think your main customers are businesses) need to have the root password to access some wireless network, or to be able to print out a paper, or to change the date-and-time settings, please just kill yourself now. The world will be a better place." Yes, it's harsh (deal with it, Finns don't beat around the bush), but he's completely and utterly right. While there are cases where it makes sense to disable certain settings (public terminals, for instance), it is utterly idiotic that regular home users have to type in their root password for such mundane tasks.
Linus does not understand security
by moondevil on Thu 1st Mar 2012 07:23 UTC
moondevil Member since:
2005-07-08

Linus might be a very competent person, and he has achieved things in life I can only dream of, but he just does not understand security.

The examples he refers to can all be a potential security exploit, hence the requirement to not allow the normal user account to do those tasks.

Deconstructing his examples:

Adding a printer
Might require access to another driver besides the default one. Which if not installed, will need to be installed thus opening a security exploit, depending on the source of the driver binary.


Attaching to a new wireless network
It exposes the computer to another network. Depending on the wireless security settings, another exploit vector might now be open to the world.

Changing system time
Many OS services/daemons depend on the current time and take decisions based on time. Every time you change system time, it might have unexpected consequences on system behavior.

Reply Score: 2

ndrw Member since:
2009-06-30

All these examples are legitimate user tasks on single-user desktops or shared workstations.

Guess what, the user _will_ do all of this (after jumping through several hops) because he _is_ the admin. OTOH, the user _will not_ create another low privileged account for running his browser or Skype, ideally one per identity, even though that would greatly enhance his own security and privacy.

Centrally managed time-sharing systems are a different story but (1) Linus didn't talk about them, (2) they have staff who know which distribution to choose or how to change default configuration.

Reply Parent Score: 2

Soulbender Member since:
2005-08-18

Adding a printer

There's no reason this should require me to give my password or the root password if I have already done so at least once in this session. A UAC-like popup prompt would be enough and perhaps that should only be done if a driver install is needed.


Attaching to a new wireless network

This doesn't require root privileges on any recent distro I have used so I don't know if/why OpenSUSE does. Maybe it's a Yast thing or something.
There's no real security benefit to requiring the root password for this.

Changing system time

See adding a printer.

Note that we're talking about *personal* workstations and laptops here, not corporate ones or thin clients or servers.

Edited 2012-03-01 11:25 UTC

Reply Parent Score: 4

MrWeeble Member since:
2007-04-18


Adding a printer
Might require access to another driver besides the default one. Which if not installed, will need to be installed thus opening a security exploit, depending on the source of the driver binary.

Agreed installing software should require enhanced security; but, if the user is happy using a pre-installed driver, or a generic driver, why shouldn't he?


Attaching to a new wireless network
It exposes the computer to another network. Depending on the wireless security settings, another exploit vector might now be open to the world.

I've hit this problem before, but never with plugging in a new Ethernet cable. Since functionally they both have the same potential problems (access to a new possible compromised network), why should one require root password and the other not?


Changing system time
Many OS services/daemons depend on the current time and take decisions based on time. Every time you change system time, it might have unexpected consequences on system behavior.

I believe his specific query was changing the time-zone, this would not affect any services, but is a common use case for users of laptops who travel (especially in the US where I understand there are all sorts of places where crossing a county line changes from daylight saving to mean time).

Reply Parent Score: 2

stestagg Member since:
2006-06-03

I think you're mistaking technical limitations for 'security features'. Let's look at the examples:

Adding a printer
Might require access to another driver besides the default one. Which if not installed, will need to be installed thus opening a security exploit, depending on the source of the driver binary.

-> If the driver runs in user-space, with kernel-managed access to only the specific USB port the printer is connected to, then there should be no security risk


Attaching to a new wireless network
It exposes the computer to another network. Depending on the wireless security settings, another exploit vector might now be open to the world.

-> Either make it user-land by default (in a desktop environment) OR just accept that the wireless connection isn't itself a security risk, but more a vector for attacks on existing flaws.

Changing system time
Many OS services/daemons depend on the current time and take decisions based on time. Every time you change system time, it might have unexpected consequences on system behavior.

-> Desktop users don't usually care about the system time, they care about the time that is shown to them. Let's introduce a per-user clock offset, to allow anyone to set their time to whatever they want.

The underlying OS/Crypto/Daemon systems can still use the ntp-controlled time for internal book-keeping.

Reply Parent Score: 3

moondevil Member since:
2005-07-08

What everyone is forgetting when replying is that all your suggestions kind of require special design decisions for the single user use case.

Operating systems are however generic, and must be able to cope between being used by a single user at home, in very expensive servers in the enterprise world, and any scenario in between.

Failing to do so, we end up with Microsoft's solution, which everyone loves to hate, when there are Windows flavours, each one different, depending on the user use case.

Reply Parent Score: 2