Re: More desktop security thoughts (was Re: GNOME privilege library)
On Thu, 13 Jan 2005 16:13:52 -0500, Sean Middleditch wrote:
>> The root/user distinction is totally useless for home users, in fact it
>> shouldn't even exist as there are limits to how much you can wallpaper
>> over it. In home setups the users shouldn't ever be prompted for a
> 
> You don't have children, do you?  ;-)

Hmm, people seem to be interpreting that sentence as "multiple users are
bad" or "separating users is bad". That's not what I said. 

I said that a user vs root distinction is bad, that means you can still
give users separate desktops and preferences (even installed software),
and have those desktops and preferences protected by a password if you so
wish.

But it's also worth making sure that this system is easy to work around
for the cases where you want to share stuff. Windows and Mac hack around
this with fast user switching and globally shared drop-box areas. I'm not
sure that's a great UI but I guess it's serviceable.

> I don't like root itself - it's way too black and white, "unprivileged"
> and "all privileges."  Separating users and giving them different access
> levels is a must.  Simply making it a "user can do X or can't do X"
> isn't enough, either.  Even with a fast user switching system, if I had
> to log into a whole different account on, say, my thirteen-year-old
> sister's computer in order to make some small change that's necessary,
> versus just entering an admin password, I'd be rather perturbed.

The point is in a family/home environment you wouldn't *need* to switch
accounts or enter passwords. Your little sister would be able to make the
change from her own account.

Now if you think your little sister cannot be trusted with that level of
access then this is a different issue. If she's just inexperienced,
we need a better desktop; if she's deliberately malicious, maybe my
original idea (which is overly simple, I admit) needs adjusting so that by
default users are trusted, and then you can mark particular accounts as
running in restricted mode or whatever. That's not user vs root though.
That's lots of users all with the equivalent of root access, except one or
two that are limited in arbitrary ways.

> There is no ideal security.  In some places I don't want separate users,
> in some places I want to have a super-user, in some places I want a
> password for each distinct task, in some places I want to assign
> privileges to accounts, etc.  Letting the system be setup to the actual
> needs of the administrator (be that a corporate network or a tech-savvy
> big brother) should always be possible.  Trying to come up with some
> all-encompassing claim of "home users don't need it" or "we should only
> support perfect security" just makes the system unusable to everyone
> between the extremes.

Ah well now you're saying that every computer should have an
administrator. That's fine for homes with geeks in. For single user
machines or homes without any geeks at all in, that's the wrong approach
to take: if I had a pound for every time Windows XP Help has told hapless
users to "Refer to your system administrator" then I'd be a rich man :)

>> It's no accident that Windows 98 and MacOS Classic have no security. It's
>> because for the market they were designed for - home users - it wasn't
>> needed. Windows 98 implemented some simple user separation but it
>> certainly did *not* prompt you for a password to change the date/time, or
>> install new software. That's because there's no point in requiring a
>> password to do it, as the user is guaranteed to know it.
> 
> Again, that was a dumb decision on the part of the Win98 designers.  We
> *definitely* had a use for limited user-separation.  WinXP was a
> blessing for my family, because it meant we didn't have to reinstall
> certain two computers every couple months.

Windows 98 *did* have limited user separation. You could create multiple
accounts, it had a login screen etc. What it didn't have was industrial
strength multi-user security: the multi-user support was a convenience for
those who wanted to separate out their setups not a replacement for a
managed network.

I'm saying that sort of security setup was ideal for the common use case
of a single user/family setup.

>> MacOS X has an Administrator/User distinction because Apple realised
>> that OS 9 was rubbish and they had to do something about it quickly.
>> Writing a modern desktop OS from scratch is close to being economically
>> impossible these days, so Apple did huge code imports from NeXT and
>> FreeBSD. With these imports came the UNIX security model, which lacking
>> any better ideas (and lacking time/manpower) seemed an improvement over
>> nothing at all.
> 
> Er, don't take this the wrong way, but... do you have any proof on that,
> or is that just speculation?

OK, it's just speculation. I know (well, am 99% certain, as much as you can
trust stuff you read on the web) that there are things in MacOS X that
were known to be poorly designed or defective (like the Mach-O ABI) but
weren't replaced with something better because they had limited manpower.

If you were designing MacOS X, what would you have done? Windows does root
vs user, Linux does root vs user, you have a huge FreeBSD userland you
just imported ... it's the natural direction to go in, right? :)

thanks -mike