Originally: Re: Fedora usability : a new project? (Rick Stuart)
From: Rahul sundaram@redhat.com
Rick Stuart wrote:
I welcome this idea! I have asked many folks about what they like and dislike about Linux and I only get prejudiced statements. If you sit someone (a familiar and comfortable user of Windows) in front of your pride and joy 64-bit Fedora Core 5 install and invite them to try it out, they will fail to see any value. If you help them find their way to stuff, they will certainly hit a brick wall that you have to fix by opening a terminal window, and then it's all over.
Here are a couple of suggestions:
Provide an option to configure users with sufficient privileges so that they can enter their OWN password for administrative access instead of ROOT's. (/usr/bin/system-config-* linked to "consolehelper") For a good model, check out UBUNTU... sorry about your toes. Something like /etc/consolehelpers a-la /etc/sudoers.
That isn't really a good model.
https://www.redhat.com/archives/fedora-extras-list/2006-July/msg00814.htm
From: David Nielsen david@lovesunix.net
PolicyKit should provide this functionality the right way. I don't know if we have an ETA on this being useful but I would rather wait for a proper fix than use privilege escalation that can introduce problems like horrid security. Having to audit half a million lines of GTK+ code because it now runs as root and any slight bug could take down the system is my very definition of not funny.
PolicyKit looks interesting based on the discussions Rahul included. Correct me if I got it wrong, but would PolicyKit allow an administrator to set people up so they can do certain things as administrators (like mounting a disk)? It looked like the user gets no challenge for authorization if they are set up to be able to do that. I actually think that is a problem. I think that when someone is executing with root privileges, they should be aware of it and consider whether they meant to do that. That is why I suggested a [SUDO]consolehelper. I am assuming that Rahul was referring to that as being a bad model. I agree that giving everyone this ability like UBUNTU does it is a problem. However, I do not agree that setting policies for a user and not reminding him/her what their action implies is any better.
In our corporate Windows world, we can set domain policies and local policies that give people more administrative rights. We then invest much more support time trying to unravel what they accidentally did because they had elevated privileges and got no warnings when they mis-stepped. Our Linux desktops have very few such problems even though we have a fairly large number of "sudoers" who can do root level tasks, but have to do so intentionally. These sudoers don't need or want the root password, but they can do their jobs without problems as long as they know the CLI commands to do it. We have started reducing Windows users default admin rights and force them to intentionally (and temporarily) elevate themselves to do admin tasks. The biggest problem is the fact that they have to log out and in to get the elevated rights on Windows.
Note also that Microsoft has started popping up a lot more warnings asking people if they REALLY want to install the Trojan binary. People hate it, but what can you do?
I realize this may fit better in a security discussion, but I consider it a basic usability issue so I am throwing it out here.
Thanks,
Rick
Hi
PolicyKit looks interesting based on the discussions Rahul included. Correct me if I got it wrong, but would PolicyKit allow an administrator to set people up so they can do certain things as administrators (like mounting a disk)? It looked like the user gets no challenge for authorization if they are set up to be able to do that. I actually think that is a problem. I think that when someone is executing with root privileges, they should be aware of it and consider whether they meant to do that. That is why I suggested a [SUDO]consolehelper. I am assuming that Rahul was referring to that as being a bad model. I agree that giving everyone this ability like UBUNTU does it is a problem. However, I do not agree that setting policies for a user and not reminding him/her what their action implies is any better.
Administrator can set policies for users to limit or allow tasks such as mounting a disk. Administrator can set local policies to be as restrictive or as lenient as they want.
Rahul
On Thu, 2006-08-10 at 13:41 -0500, Rick Stuart wrote:
Bringing davidz into the discussion if he hasn't been tracking fedora-desktop-list at all...
David, look below :)
Dan
Fedora-desktop-list mailing list Fedora-desktop-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-desktop-list
On Thu, 2006-08-10 at 16:48 -0400, Dan Williams wrote:
PolicyKit looks interesting based on the discussions Rahul included. Correct me if I got it wrong, but would PolicyKit allow an administrator to set people up so they can do certain things as administrators (like mounting a disk)?
Yes.
It looked like the user gets no challenge for authorization if they are set up to be able to do that. I actually think that is a problem. I think that when someone is executing with root privileges, they should be aware of it and consider whether they meant to do that.
First off, "executing with root privileges" may be the answer today, but it's not really what we want a desktop app to do. We want an app to be able to do very specific and confined tasks such as "mount a removable disk", "format a fixed disk", "configure a modem", "set the timezone", "upgrade OS with trusted packages", "install new trusted package", "install new untrusted package", whatever.
If we can engineer our applications such that it's this fine grained, the chances of them doing bad things when compromised are slimmer than if they run with root privileges.
So, the whole idea of PolicyKit is to split privileged apps into two parts - the UI shell (that runs unprivileged) and a privileged part that allows the unprivileged bit to call very specific methods if the caller has the right ''PolicyKit privilege''.
If the caller hasn't got the required privilege (for, say, changing the timezone), he may be able to prompt for it and this requires authentication, either as the super user or as the regular user.
That is why I suggested a [SUDO]consolehelper. I am assuming that Rahul was referring to that as being a bad model. I agree that giving everyone this ability like UBUNTU does it is a problem. However, I do not agree that setting policies for a user and not reminding him/her what their action implies is any better.
I will state that consolehelper, and for that matter the scheme Ubuntu and the rest of the distros are using, is just badly broken since it makes an X11 application run as root. Yet, we still see new crap being added to the distro that does this. Hopefully (I'm an optimist by nature) that will change when we add PolicyKit to Fedora early in the FC7 timeframe (I think it's already in SUSE btw), but I'm not holding my breath so to speak - there's a lot of work left...
Also, see this presentation
http://people.freedesktop.org/~david/talks/system-integration-and-gnome-guad...
for the bigger picture. See
http://webcvs.freedesktop.org/hal/PolicyKit/doc/spec/polkit-spec.html?revisi... http://webcvs.freedesktop.org/hal/PolicyKit/doc/spec/polkit-arch.png?revisio...
for more details on PolicyKit.
David
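The point Rick and Rahul go back and forth on (does the user get challenged, or not?) is a per-action policy decision in PolicyKit's model, not a property of the user. The following action definition is an added illustration, not code from this thread or from the 2006 PolicyKit release David describes; it uses the action-file format of the later, rewritten polkit (the `.policy` files installed under /usr/share/polkit-1/actions/), and the vendor name and action ids are constructed for the example. It shows one privileged operation that always prompts for administrator authentication and one that a user at the active local console gets without a prompt, which is exactly the distinction David makes between "may be able to prompt for it" and simply holding the privilege.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
 "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<policyconfig>
  <!-- Constructed vendor and action ids; not from any real package. -->
  <vendor>Example Desktop</vendor>

  <!-- Changing the timezone: every caller is challenged and must authenticate
       as an administrator. The "_keep" suffix caches a successful
       authentication briefly, so a series of related changes prompts once. -->
  <action id="org.example.settings.set-timezone">
    <description>Set the system time zone</description>
    <message>Authentication is required to change the system time zone</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>

  <!-- Mounting a removable disk: a user in the active local session gets the
       privilege with no prompt ("yes"); remote or inactive sessions are
       refused outright. This is the "no challenge" case Rick objects to, and
       it is chosen per action by the administrator, not granted globally. -->
  <action id="org.example.storage.mount-removable">
    <description>Mount a removable disk</description>
    <message>Authentication is required to mount a removable disk</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
</policyconfig>
```

The unprivileged UI shell never gains root here: it asks the privileged service for one narrow method, the service asks polkit whether this caller may perform that action id, and polkit answers yes, no, or "authenticate first" according to the defaults above (which a site can tighten in /etc/polkit-1/rules.d/). A practitioner can inspect the effective defaults for an installed action with `pkaction --verbose --action-id org.example.settings.set-timezone`; switching `allow_active` from `yes` to `auth_self_keep` is how an administrator restores the "remind the user what they are doing" behaviour Rick asks for without handing anyone the root password.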