Linked by Thom Holwerda on Tue 28th Feb 2012 23:11 UTC
Linux Linus Torvalds on requiring the root password for mundane tasks. "So here's a plea: if you have anything to do with security in a distro, and think that my kids (replace 'my kids' with 'sales people on the road' if you think your main customers are businesses) need to have the root password to access some wireless network, or to be able to print out a paper, or to change the date-and-time settings, please just kill yourself now. The world will be a better place." Yes, it's harsh (deal with it, Finns don't beat around the bush), but he's completely and utterly right. While there's cases where it makes sense to disable certain settings (public terminals, for instance), it is utterly idiotic that regular home users have to type in their root password for such mundane tasks.
Thread beginning with comment 509144
To view parent comment, click here.
To read all comments associated with this story, please click here.
stestagg
Member since:
2006-06-03

I think you're mistaking technical limitations for 'security features'. Let's look at the examples:

Adding a printer
Might require access to another driver besides the default one. Which if not installed, will need to be installed thus opening a security exploit, depending on the source of the driver binary.

-> If the driver runs in user-space, with kernel-managed access to only the specific USB port the printer is connected to, then there should be no security risk


Attaching to a new wireless network
It exposes the computer to a another network. Depending on the wireless security settings, another exploit vector might now be open to the world.

-> Either make it user-land by default (in a desktop environemt) OR just accept that the wireless connection isn't itself a security risk, but more a vector for attacks on existing flaws,

Changing system time
Many OS services/daemons depend on the current time and take decisions based on time. Every time you change system time, it might have unexpected consequences on system behavior. [/q]


-> Desktop users don't usually care about the system time, they care about the time that is shown to them. Let's introduce a per-user clock offset, to allow anyone to set their time to whatever they want.

The underlying OS/Crypto/Daemon systems can still use the ntp-controlled time for internal book-keeping.

Reply Parent Score: 3

moondevil Member since:
2005-07-08

What everyone is forgeting when replying is that all your suggestions kind of require special design decisions for the single user use case.

Operating systems are however generic, and must be able to cope between being used by a single user at home, in very expensive servers in the enterprise world, and any scenario in between.

Failing to do so, we end up with Microsoft's solution, which everyone loves to hate, when there are Windows flavours, each one different, depending on the user use case.

Reply Parent Score: 2