Re: GNOME privilege library

[Mike Hearn <mike navi cx>]

On Thu, 2005-01-13 at 18:58 +0100, Xavier Bestel wrote:
> Le jeudi 13 janvier 2005 �7:52 +0000, Mike Hearn a �it :
> 
> > The concept of having the user enter a magic password over and over to
> > achieve basic sysadmin tasks like setting the date/time seems pretty
> > broken usability-wise to me but I have no idea how else to do it :)
> 
> sudo ou suid binaries ?

Sudo just replaces root password with your own which is better but still
not that great (after all the user already entered their password to log
in!). 

A sudo that is automatically authenticated once you log in and only
times out when the screensaver activates (or the system has been idle
for X minutes) would better serve the idea of preventing random people
walking up to the system and fiddling with it. But even that sucks
because if you're in an environment where untrusted users have physical
access to the box the best you can do is a screensaver/bios lock. Sudo
doesn't achieve much as the users personal data is still vulnerable.

suid root binaries have a few problems too eg, GTK+ refuses to run if
you've got the suid bit set. They also need to be audited for security
AND all the libraries they use do too - if there's a buffer overflow in
your time/date applet that's now a local priv escalation exploit. 

It really requires some concept of desktop profile, eg a desktop meant
for deployment to 10,000 corporate seats needs that lock down we
currently provide, but a user living at home really doesn't want it at
all.

Right now the list of things that require root is tuned for servers in
big colo providers, eg beeping the speaker on Linux needs root. It's not
tuned at all for desktop systems. That isn't something GNOME can really
influence though a lot of the people reading desktop-devel-list *can*
influence it so it's still worth discussing here I think.

So far there isn't any GNOME level concept of desktop profiling. It's
left up to the distro to deal with.

thanks -mike