"others may have real-world business related concerns for heightened security on their laptops"
So while you are logged in and want to add a printer the need for root will increase security?
Linux creator Linus Torvalds has issued a rare public spanking for openSUSE after falling foul of its security procedures. Torvalds has posted a rant on Google+ about his experience installing openSUSE on a MacBook Air. The installation requires the root password for many functions and he went to the Bugzilla thread to argue …
I would have thought that you could grant or deny add printer as a right to the user in much the same way that you can on Windows or MacOS (AFAIK). I can certainly see how adding an unauthorised printer to print off a confidential document could be seen as a security breach.
Certainly every corporate environment I've worked in has only allowed specifically approved printers to be added.
"I can certainly see how adding an unauthorised printer to print off a confidential document could be seen as a security breach."
If we're talking about SELinux, then sure I'll buy that. Might as well require root for a thumb drive too then.
...but we're not talking about SELinux are we?
The cure for this would be.....
During the install process the installer will be pressed for an install choice.
HOME SCHOOL OR BUSINESS.
HOME users can install most device drivers with almost no supervisor needed.
SCHOOL will most likely need an admin nearby.
BUSINESS will need 100% admin support all the time for any install.
@Lars - "So while you are logged in and want to add a printer the need for root will increase security?"
Clearly, neither you nor Linus has any idea how YaST works on SUSE to control access to hardware and network services. You're not "logging in as root" in order to add a printer. You're being asked to give YaST a password to prove you have the correct administrative rights to carry out the function.
"You're not "logging in as root" in order to add a printer. You're being asked to give YaST a password to prove you have the correct administrative rights to carry out the function."
That may be all good and well, but by no means should it be the root password to do it. There should be a separate administrative level password for authorizing such things, that doesn't give the user full and complete unrestricted access to every level of the system.
And, for that matter, since when has sudo and its myriad possibilities for fine-grained access control over which bits can run with elevated privileges become poison? (There's lots of rants out there covering why sudo (configured to provide access to everything, often without demanding passwords) is bad, but I've yet to hear of a credible reason for not using it sensibly configured.)
(And, frankly, if you're going to send your own daughter off to school without the root password to her own laptop, you deserve all the support telephone calls you get. Didn't you teach her not to be an idiot, Linus?)
> You're not "logging in as root" in order to add a printer. You're being asked to give YaST a password to prove you have the correct administrative rights to carry out the function.
Which means, in real terms, that you are logging in with admin rights. Possibly as root, even, depending on your settings. It's not just "giving YaST a password". It is "allowing YaST to log in as root on your behalf". Funny how some GNU/Linux users have literally no clue on how GNU/Linux works.
@ElReg!comments!Pierre - "Which means, in real terms, that you are logging in with admin rights. Possibly as root, even, depending on your settings. It's not just "giving YaST a password". It is "allowing YaST to log in as root on your behalf". Funny how some GNU/Linux users have literally no clue on how GNU/Linux works."
It's like trying to describe a Victoria's Secret catalog to a bunch of blind men. YaST is a config tool, it's not a separate log-in. It's no more of a separate log-in than using a tool in the Gnome Control Panel. If you had ever tried to use SUSE or Mandrake, you would know exactly what I'm referring to.
Whatever, Linus is right (mostly).
IF you have a user who has physical control of a laptop and is allowed to take it outside specific guarded premises (which is usually the case)
THEN it makes sense for the default distro setup to allow users to connect to other wireless networks/ printers to use the bloody things without requiring root
ELSE you have a special case and should have an IT team that properly configures user permissions and groups for what you need
But I don't agree re changing the time. Users should be able to change their time zone freely but not the time itself.
I agree that these things should be possible without requiring root but I am not sure it makes sense for this to be the default state of the distribution.
I think your ELSE case is the correct default for a secure operating system - the THEN case is for something like Windows where there's greater compromise between security and convenience.
(Or is this distro supposed to be more like that? I don't actually know where it is positioned in the market.)
> If you had ever tried to use SUSE or Mandrake, you would know exactly what I'm referring to.
I know exactly what you are referring to. "log in" just doesn't mean what you think it means. For example on this machine I am at the moment concurrently logged in as 3 different "users": my main account, root (because I was fiddling with stuff earlier and forgot to exit the su in that console) and a user account I use for side projects (with different settings). All in the same X session. I am also logged in as the FTP user but that's in another virtual console, as there is no need for a graphical display for this and I can just type ctrl-alt-F2 whenever I want to check the logs of the FTP server.
That question is only tangential to the problem anyway.
I see your point about WLANs, though I think that might be crossing the security vs convenience line a bit. Think of the businessman on the road who needs to connect to the hotel's wireless. He's not able to do his job unless the admins have equipped him with the root password, which means he's capable of far more damage than a man-in-the-middle attack.
As for printers, I can't conceive of a realistic situation where connecting to a printer is dangerous. In the few unrealistic scenarios I can think of Linux wouldn't be vulnerable in any case since it doesn't typically allow autoruns (though it can be forced to).
When connecting to a printer, it is just plain stupid requiring a root password. As far as problems in connecting to a wireless network, just requiring a root password to connect is not going to prevent many problems. The security of the network is a problem of the network security people, not necessarily the computer just trying to connect to the network. If the problem is a virus/trojan that causes the pc to connect to any/specific wireless network, the pc is already compromised. I think that Torvalds is correct in his criticism.
(Part 1 of 2 due to 2,000 char limit)
As for wireless or any network default settings of a Linux distro, the basic firewall settings should work something like speech software training: user randomly goes to a handful of personal favorite sites. The firewall would do reputation checks. The user would either accept the firewall suggestions or manually override one by one, not blanket.
Then, as inbound connections happen, the user would selectively allow or selectively deny page connections, cookies, clear gifs, 1-pixels/crawlers/other crap, and then build an interactive firewall tool far easier than anything to date seen in a Linux distro.
The firewall tool suite would include multiple tool choices and include Intrusion Detection Systems, and some pattern-matching tools so that users can apply system-wide or guest-user restrictions.
As to printers being not too dangerous, what about those with USB and other media ports? IF system security is by default too low, then simply plugging in a media card/stick/device might cause limited or pervasive damage, possibly not detected until one or more things go wonky/bonkers.
As for passwords to change the time, remember the days when right-clicking on an admin-controlled windows XP or W2K machine meant one could not even access the Calendar simply because the time-setting features and other Control Panel items were blocked? That alone was justification for drawing and quartering one or more ms project managers/programmers and made me blow gaskets multiple times over the years. Seems ms learned or had a change of heart, since then, or I've been using machines that have not been subject to so draconian a set of admin constraints.
Part 2 of 2:
As for connecting to WiFi and other nets, just being "visible" to one of those means some loss of privacy and some possible vector of tracking by outside parties. If one can seamlessly move from place to place and just ad hoc join a wireless net, and the machine's ID and other sublayers are not randomly changed with user security/privacy in mind, then Google and others will continue to offer products or make their own tools to hunt/suss/monitor users' movements.
For my laptop hardware, I tend to rip out the antennae and use an external one I can physically disconnect, in a hope to deny undetected ACTIVE intrusion attempts. I cannot easily stop passive sniffing, but I feel I have the moral and personal right to kneecap ANYone who tries to access my personal property after seeing a "Do not enter" sign. With laptops, phones, and other computers, it should be universally accepted that "YOU DO NOT ATTEMPT ENTRY". If you do, you BETTER have an iron-clad, judge-approved-case-by-case warrant. Otherwise you deserve to be kneecapped or finger chopped. I also feel I have the right -- if i choose to exercise it -- to honeypot and contaminate my machine such that any probing by outside parties will infect them. It would be like a woman (or male) inserting a hidden needle or razor to punish a rapist who manages to make forced insertion. Yes, there may be blood from and in both parties, but the assailant is ultimately the one deserving to be swiftly punished or neutered. PERIOD.
> Think of the businessman on the road who needs to connect to the hotel's wireless. He's not able to do his job unless the admins have equipped him with the root password
openSuSE has 2 different methods of setting up networks.
The first one is the traditional method that requires root access. This is the default setting when you install.
The second is using NetworkManager. This one allows users to connect to networks without needing the root password.
As for printers, there is a setting that tells openSuSE to automatically detect, install and configure any printer plugged into a USB port.
Not exactly true. The default in NetworkManager is to require the root password for new networks. In fact it may even prompt you for the root password each time you log in. 12.1 also had a bug whereby it would not accept the password the first time you type it and prompt you for it a second time.
Another bug would prevent NetworkManager from connecting to any wireless network and require you to log out and back in if the last time you shut down Firefox or Chrome were not closed first and then opened as soon as you logged back into the machine.
I can't complain about Linus having a problem with the current insanity that is OpenSuse. If his experience is anything like mine, the root password issue might have been just the straw that broke the camel's back.
I can think of at least one realistic scenario that is potentially dangerous, especially if you recall that you need to go through the same steps to add a networked printer. It involves the perp tricking the user into adding a networked printer that is physically located in the lair of the criminals.
Actually, installing wireless w/o root is hard to imagine for way too many a reason (incl changing the routing tables). Changing date/time w/o root is very very very big NO NO. It can wreak havoc and please install ntp for that matter.
On a flip note:
I have some positive experience w/ Suse installing it on my father's laptop (a present to him) as it can w/ the laptop itself I didn't bother w/ Ubuntu (or God forbid Windows). He is a complete noob when it comes to computers - hard to play even a video on youtube and hates newly opened windows that ask questions. Yet, overall he manages to enjoy and use the laptop.
Exactly, SUSE might have some default settings where a new user did not have these rights which is pretty strange. Not that it was hard to set up for Linus. Switching from Fedora to SUSE does not seem to be easy for him.
On the other hand, such security measures are too drastic, does the installation require bios/grub passwords, encrypted hdd?
But.... I thought that we wanted people to use Desktop Linux in the home. Which means, that they should be able to do XP-Home-y things like connect to a friend's wireless, or print on a printer.
Since Linux has supposedly got the security thing right, it should be possible to use your laptop for useful stuff and yet not leave it open to being pwned.
So Mr Torvalds is right. The designers of the UI experience in OpenSuse haven't got out of their dorm-rooms and offices and thought about real consumer use of personal computers.
You know that Linux is just the kernel and openSUSE is the OS? This is a detail the MSM doesn't get right very often.
I think it is good that Torvalds bothers to load others' distributions rather than roll one of his own. But he wouldn't have had this problem in the first place had he left MacOS X alone on the Air. He should spend more time with MacOS X. Without MacOS, Linux distributions and Microsoft would be out of ideas.
"Yes and Mac OS is just BSD UNIX with apple-sauce on top."
Which is possibly why it is so good, a real UNIX and not some rehash by a load of variable quality "contributors".
I worked for a while with someone who claimed to have got a bug fix for the ext2 file systems accepted. I have had to correct and extend his code since then; I would not let him provide a fix to "Hallo World".
You know that the only reason apple used bsd instead of gnu linux was because of the licensing? They would not have been able to resell linux but they can make more money from using bsd. It has nothing to do with security or stability.
I am so sick of people telling me that osx is so fucking awesome like it's the purest of pure OS's and apple designed it all because they are the bestest.
It's just a flashy interface and some programs on top of someone else's work.
To return to topic, I'm with Torvalds on this, the end user should not need to know the root password in a corporate environment. Not being able to print or join a network without root is indefensible.
"on top of someone else's work.", what the hell does that mean? That's what open source *is*. It's certainly more original than most Linux distributions in recent years you can come up with which are all rehashes of nothing but someone else's work.
Also, nearly every bit apple has taken that is open that they have done something with is available, still open, despite several licenses allowing them to close it.
Same anonymous coward here, another thing that is worth pointing out is the GPL is also a legal nightmare for anyone involved in any proprietary software that they want at the OS level. Every day you have whiners who believe proprietary binary blobs for drivers and the like are in violation of the GPL because they are kernel modules or exist inside them therefore *somehow* derivative works of Linux. The BSD and some projects in LGPL are much more pleasant to integrate into a sold system when the parts used must be meshed with proprietary, it just leaves you with more flexibility.
> whiners who believe proprietary binary blobs for drivers and the like are in violation of the GPL
The kernel sources come with a file named COPYING which explains why binary blobs - although unfortunate - are acceptable as kernel modules.
The biggest problem with the GPL is the number of self-appointed "experts" who don't appear to have actually read the thing. It's not nearly as difficult to use as many would have you believe :-(
> when the Linux kernel gets ZFS
You do know that Sun *intended* ZFS to be GPL-incompatible, right?
> Maybe VLC in the Apple App Store would be good too
VLC could be in the App Store just as soon as Apple stop adding conditions to make their distribution GPL-incompatible.
I think you might be blaming the wrong people...
Dude, it's unreasonable to tell apple they must or even should freely provide what VLC was built with. It is their tool, and it is excessively whiny of gnutards to tell apple they have to pull it from their store. Also, the fact that ZFS was intended to be GPL compatible further illustrates my initial point that all but the most ridiculously liberal/minimal licenses don't integrate into the GPL well. If I were to fork the GPL license, and call it the Toggi3 Public License and replaced all instances of GPL with TPL, and that's all I did to it, whatever I released under it would be incompatible with the GPL.
The very wording of the *GPL* isn't compatible with the GPL. :p
> it's unreasonable to tell apple they must or even should freely provide what VLC was built with
The GPL is very clear: if you distribute binaries, you *must* distribute source.
It is not at all unreasonable to expect a distributor to follow the licence; anything else is an infringement of copyright.
> the fact that ZFS was intended to be GPL compatible further illustrates my initial point
Now read a little more carefully.
ZFS was intended to be INcompatible with the GPL. This was Sun's intention.
It's a bit rich to try to blame the GPL for that.
First correction, you mean CDDL. CDDL is a license, ZFS is a file system.
Intentional or not, it's the viral nature of the GPL that is the issue. If it wasn't for the idiotic scoping and the viral clause maybe it wouldn't be such a nightmare to move between GPL v2 and GPL v3 (nor will it be to move to the GPL v4 when it comes out (and don't even TALK to me about the "vX or later" licensing, you have to be a serious moron to agree to terms that not only have you not read, but haven't even been written yet)).
I can't put GPL code in BSD software (without relicensing the BSD software first). OTOH I *CAN* combine CDDL and BSD code (or MPL code, or even proprietary code, the list is as long as my arm), without changing the license on either. This is specifically BECAUSE both are non-viral. Personally, I happen to LIKE the license because of this feature. While I do think you should keep the code *I* wrote open, I don't think it's right for me to dictate to you what you can do with what YOU wrote, just because you built them into a binary.
Yes, you should always respect the license, but badmouthing other licenses because your preferred license INSISTS that it rules the whole binary is what's rich.
"Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation. "
Doesn't seem like a problem to me. You choose what version you want to follow, if there is a "any later version" clause. That's a damned sight more friendly than many licenses, and I don't see how the GPL is any worse than spending a lot of time and effort creating something just to have Microsoft, Apple or some other troll tell you it infringes on some imaginary "Intellectual Property" of theirs. You want to call something a virus? Go chat to those nice chappies at Redmond. They've been infecting open source software for years now.
> you mean CDDL. CDDL is a license, ZFS is a file system.
I don't. I mean ZFS.
ZFS incompatibility with anything GPL is by means of the licence- but we were specifically talking about ZFS use in the Linux kernel, which is why I used that term rather than "CDDL".
> Yes, you should always respect the license
Yes, you should.
> but badmouthing other licenses because your preferred license
> INSISTS that it rules the whole binary is what's rich.
But I wasn't badmouthing the licence.
I was merely responding to a claim that it is the GPL's fault that ZFS isn't included in the Linux kernel. It isn't - Sun very deliberately picked their conditions to ensure the situation.
This is unfortunate all round. And this isn't a pop at the CDDL. But it's still a bit rich to blame the GPL for a compatibility issue that Sun *designed in* to their release.
The GPL only has problems co-existing with those companies that go out of their way to make problems. The situation with VLC is a perfect example of this. Apple doesn't need to be jerks about Free Software. They choose to be. They choose to give their customers only one means to install software and then to impose conditions at odds with Free Software.
The GPL is really only a problem with people that have a toddler's view of ownership.
"You know that Linux is just the kernel and openSUSE is the OS? "
No, I didn't, because it's not true. Linux is the OS, openSUSE is a suite of programs which run on top of the OS.
Linux consists of a kernel which, combined with device drivers, makes up an OS. openSUSE certainly includes a few extensions to the OS but the vast majority of it is just ordinary computer programs. An OS is a system which mediates access from such ordinary programs (like Bash or Firefox) to hardware.
If your lecturers told you otherwise, I'd suggest you ask for your tuition fees back.
Nope. If you're going to be pedantic, and you are, what you are talking about Robert is GNU/Linux, although all but the most ardent of Stallmanites drop the GNU part. Linux itself is merely a kernel. All the automagical stuff is handled by the GNU/other OSS projects bits and pieces, including such things as device drivers.
He did not add his daughter to the lpadmin group.
In that case the web interface of cups outright tells you to sod off and the gui/command line tools start asking for root password.
We have all been there :) By default most distros put only the "first" user you add at setup into "power" groups and do not give any extra users you add any of these unless you add them manually. Example - first user on a debian box has powerdev, network, etc by default (not sure about lpadmin, but probably that too). Run an adduser to add your daughter and guess what - she has none of those :)
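The group-membership gap described in the comment above can be checked directly. The following is an added example, not part of the original thread: it parses group(5)-format data and lists which of the named groups a user is missing. The sample group file, the user names `dad` and `kid`, and the choice of `plugdev` and `netdev` alongside `lpadmin` are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which device/printer admin groups a user lacks.
# Input is group(5) format, one group per line: name:password:gid:member1,member2

# Constructed sample data: "dad" was created by the installer and got the
# "power" groups; "kid" was added later with adduser and got none of them.
SAMPLE_GROUP='lpadmin:x:113:dad
plugdev:x:46:dad
netdev:x:108:dad
users:x:100:dad,kid'

# missing_groups USER GROUPDATA GROUP...
# Prints, space separated, the wanted groups in which USER is not listed as a
# supplementary member. Prints an empty line when nothing is missing.
# Limitation: a group that is only the user's primary group (set in passwd,
# not in the member list) is reported as missing.
missing_groups() {
    user=$1
    data=$2
    shift 2
    printf '%s\n' "$data" | awk -F: -v user="$user" -v wanted="$*" '
        BEGIN { n = split(wanted, w, " ") }
        {
            # Field 4 is the comma-separated member list; record every
            # group that names this user.
            m = split($4, members, ",")
            for (i = 1; i <= m; i++)
                if (members[i] == user) has[$1] = 1
        }
        END {
            out = ""
            for (i = 1; i <= n; i++)
                if (!(w[i] in has)) out = out (out == "" ? "" : " ") w[i]
            print out
        }'
}

# Run against the constructed sample. On a live system, pass "$(getent group)"
# as the second argument instead.
for u in dad kid; do
    echo "$u is missing: $(missing_groups "$u" "$SAMPLE_GROUP" lpadmin plugdev netdev)"
done
```

A user reported as missing `lpadmin` can be added to it by an administrator with `usermod -aG lpadmin USER`, which grants printer administration without handing over the root password.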
Where the OS designers have this attitude that users are 'The Enemy' and should be repelled at all costs.
There is no reason why you should have to have elevated access to add printers or connect to new wifi systems.
I guess the money flowing into SUSE from Microsoft is starting to pay dividends, to wit, make SUSE harder for the end user to 'do stuff' than Windows then the user won't switch away from Windows.
I fully expect that the next version of SUSE will be like Windows 7 and ask for permission to do even trivial things like copying a directory tree.
Don't even get me started about the Windows 'Run As Admin' kludge.
Keep on trucking Linus.
I haven't used SUSE in quite a while, however, it used to be reasonably friendly without exposing your root passwd to any passing key logger. Never have used it on a laptop though, and never used it on a wireless system either. Linus' complaint makes a lot of sense, but only if distro publishers really want to see their product on more desktops and laptops.
@Steve Davies - "There is no reason why you should have to have elevated access to add printers or connect to new wifi systems."
Yeah, what could go wrong, right? Glad you don't work in my IT department:
"Security Risks Of Network Printers
Treat Multifunction Printers As Servers, Not Peripherals
The new features, improved connectivity, and increased complexity of today’s printers are a double-edged sword. Although networked peripherals are undoubtedly more functional and efficient (albeit more costly), allowing devices to be shared by many users, the added capability exponentially increases security risks. What were once “dumb” appliances have evolved into embedded computers, secretly hoarding everything passing through them, often unbeknownst to their owners. "
If Linux suppliers and advocates really want it to become a mainstream system, chosen by professionals and firms, then of course printers and other peripherals must be controlled. This could be a matter of security (e.g. printing confidential documents on a printer in the wrong department or a public area may be thought to be undesirable, or adding a printer with a scanning+email capability, fax ....) or it could just be money: most firms seem to object to unnecessary, or even vaguely necessary printing in colour on cost grounds. So they restrict the use of colour printers.
Of course, at home, the user can take what risks he likes. But a school, for instance, may well object to some smart-alec adding the printer in the headmaster's office and printing his or her sense of humour-inspired work of genius on it. Yes, there are other, more expensive ways, such as smart cards, subnets etc.; but the simplest way is usually the best. They may want to prevent the accidental choice of a printer in the school library for confidential letters to the local council.
I suggest that those who think otherwise need to get a job in a reasonably sized firm or institution, with responsibility for budget or security and get burnt a couple of times. Being wonderful at software or design does not make one an infallible expert in the realities and practicalities of life.
> then of course printers and other peripherals must be controlled.
They are unless you configure them not to be and then any user can install a printer.
The same is true of WiFi and networking in general.
As for date and time, this is controlled by NTP and if that isn't available (due to no network) then your computer should be able to keep reasonably accurate time until you next plug into a network.
Linus's problem is that, with the default install, installing printers and networking needs root privileges. These settings can easily be changed so that any user can install printers or set up networking.
This is exactly why I hate changing operating systems. You never know what you are getting into until it's too late. I am not a Linux user but it's even sadder to see that MS UAC is infecting Linux.
I have a nice copy of Windows (Vista Ultimate) slightly used ( just once) because as the primary user/administrator the frikking thing would not let me manage my own damn printer and fax scanner. It got wiped off and reverted to XP Pro that evening. I don't want to upgrade because of UAC crap I have experienced with "Fista". Now Windows 8 will be out and as far as I can see that OS figures I am a 3 year old handicapped kid.
There should be a way to reliably provide the user of his/her own computer the ability to do what they want with their property without all of these stupid, complicated permissions malarkey.
An installation procedure that says "Operate Like XP Pro" & "User is Admin".
I understand if the computer is not your own and there is a business to protect. But it's my PC not anyone else's.
The same goes for UAC telling me "do I want to trust this program I am starting?" If I load a program on my computer (in person with all of the proper clicks), the rest of the software should just STFU and quit complaining or blocking the program or not showing it in the start bar (just because it's not made by MS, so it can't be trusted).
If something happens and I am not there to click its "Okay" then security software should do its job and prevent the install.
However, If I am "at the wheel" please stay the hell out of my way.
Perfectly possible in Se7en. Just go into the UAC settings and drag the slider all the way down to the "knickers round ankles" setting.
Then it'll happily let you go to hell in a bucket without complaining, just like XP.
Actually I rather like the way that UAC works by default. As admin, I get prompted for my OK when sensitive things get touched by something I'm doing. Grunt users (i.e. the kids) need me to authorise installs / changes etc. I did hear that it was fubar in Fister, one of the reasons I avoided it.
"I have a nice copy of Windows (Vista Ultimate) slightly used ( just once) because as the primary user/administrator the frikking thing would not let me manage my own damn printer and fax scanner. It got wiped off and reverted to XP Pro that evening. I don't want to upgrade because of UAC crap I have experienced with "Fista"."
Really, if turning off UAC under Vista (a simple checkbox) is too complicated for you then maybe you should refrain from using computers at all? With UAC switched off Vista behaves like XP and runs everything which the current user privileges allow.
"There should be a way to reliably provide the user of his/her own computer the ability to do what they want with their property without all of these stupid, complicated permissions malarkey."
Well, we went there, and the majority of users have proven to be too moronic to handle their own PCs and prevent it from becoming members of a botnet.
"I am not a Linux user but it's even sadder to see that MS UAC is infecting Linux."
It isn't. In fact, this was first seen on Apple's Mac OS X.
Listen "davidoff" you pedantic, pompous, sarcastic twat, that night I was 3 hours on the phone with MS tech support TRYING to keep functionality of UAC and still allow me to configure the PC to do what I wanted. MS Tech Support threw up their hands and apologized because they could not help me fix the problem without suggesting a complete reinstall. I got the copy of Ultimate Vista from a buddy who worked for MS the same month it came out.
And by the way in the first version of Vista (no service packs) UAC was completely and utterly f*cked up and could not actually be "turned off" as it still acted to prevent people from doing what they wanted to do. That is the problem I experienced and MS could not solve.
Perhaps you should make some attempt to be less of a prick. I pity the people who have to work with you.
As far as ever having any rootkit or other computer virus infections, I have been free of that crap for almost 10 years now using nothing but freeware programs.
"I guess the money flowing into SUSE from Microsoft is starting to pay dividends..."
SUSE doesn't need any help from Microsoft to make Linux harder to use. They have legions of religious fanatics who were working on making Linux harder to use for two decades. They keep designing for other Linux users than for other regular users.
"Don't even get me started about the [s/Windows/Linux] [s/'Run As Admin'/'su'] kludge."
Since when was BSD "Fisher Price"? Sounds more like Linux. You do realise you are dismissing an OS older than you are and the basis of more OSs than you know exist, including most of the secure and high performance UNIX implementations, the one on variants of which many of the standard tools such as ssh(1), DNS, CUPS and others were developed?
Get a life, get an education, get experience, get a Mac, discover the terminal mode and a decent shell such as ksh or tcsh, then come back with your ignorant comments when you have got some experience - and study some technical history and something other than a home Linux system.
Oh, I know, you think the GUI is the operating system and shell. Oh dear.
And he just needs to 'shut up and hack'. He is terrible at speaking and should just keep his mouth shut. He is egotistical on a level I never thought possible, I mean what kind of ego would you need to name an OS* after yourself and promote it without shame?
*or kernel or whatever you want to classify it as.
I had to give my wife the root password in Fedora 16 w Gnome 3 because she couldn't change her regular user account password. The bloody user account settings app requests root password in order to let you in.
I've also noted that some apps are happy with your sudo password while others require no less than the original root password which makes sharing a computer impossible without sharing the root password. On the command line it's ok to setup and use sudo but not when you use GUI.
after reading that I was talking about Fedora which is not using Yast (this means after posting your reply). I repeat, you should not be asked for root password in order to be able to change your regular user account password, your old password should suffice. Even Microsoft knows that.
Any regular user can change HR's printer to be the one in their office?
Any user can change the date/time
And this is supposed to be a secure OS?
Of course Windows is better. On Vista if you skipped to the next month in the date/time control to see what day the 1st was it actually changed the system date and then changed it back! Good job nobody would be running anything important on Vista
Changing printers on a print server to redirect output to another location is a bit different to using a networked printer, isn't it?
With my notebook I use printers at home, in the office and in copy shops. Ok, I have the root password, but my niece hasn't and she has the same problem Linus' daughter had.
With OpenSuse's default policy you need the root password, even for sudo!
The genius of loudmouthing? He's usually got a point, but that doesn't automatically a genius make. Neither does just happening to come up with something that turned out hugely popular at just about the right time. If not for accidents of history and attitude, some other system might have taken the popularity cake. I say this as someone who uses various unix systems (typing this on a linux, next time it might be something else) and not to slag linux or linus. The guy's just this highly opinionated techie with massive standing in his own community. That is most of it.
As to needing root passwords and all that, I can see where the requirements come from, I can also see why you'd like your printers and wireless networks locked down, like in a managed environment, and I can see why you'd like them not locked down, like laptops that're expected to need to add such things "temporarily", as the need arises.
Requiring or not requiring, neither are solve-alls. You'd have to be able to turn that requirement off for certain installs, and on again for others. Just slamming either is not particularly constructive, if a very clear signal it's not living up to someone's expectations. Not the first time he's done that either. Not really newsworthy in that sense. But hey, it stirs up the tribe. What fun.
> You'd have to be able to turn that requirement off for certain installs, and on again for others.
Polkit - which I believe is in OpenSuse - does exactly that; fine-grained policy control over loads of stuff.
Unfortunately, the configuration system stinks. It *really* needs a tool, but I'm not aware of anything other than a text editor at present :-(
I wasn't aware of this thing but it's been clear to me that a lot of newfangled (sub)systems in the linux arena, especially those dealing with providing abstraction sauce for "desktop use", tend to be big on bandwagoneering like "using xml for configuration" because, er, that's such a good idea.
The downside? It's become impossible for the casual user or even casual admin to configure the thing. The resulting desktop has become a bewildering array of various little pieces that together make as much sense as a registry dump. It's probably "obvious" for those familiar with their little pieces of the puzzle, but it's become undecipherable for people who aren't intimately familiar with each and every subsystem. And a mere text editor is no longer enough to deal with the mess. That's a bit of a deviation of the old unix philosophy, and a fairly sad development.
And the landscape is becoming littered with the dead corpses of previous incarnations of these tools, abandoned because their creators got bored, or couldn't be arsed to make the new version compatible with the old version, or DeadRat decided they needed to increase their product support income stream, or all three.
>It *really* needs a tool, but I'm not aware of anything other than a text editor at present :-(
Which is bad, why?
See icon; more seriously, one of my major gripes with some distros is the lack of text-editor-friendly configuration files. Not everyone is a point-and-drool user. I like to break my systems manually (preferably with Vi or one of its derivatives, but any editor will do), thank you very much. There's even a good reason for that seemingly masochistic stance: have you ever tried to manually recover from a major system failure when all the meaningful stuff is in binary format? I guess so. Me too. It's almost always faster to nuke everything and reinstall from scratch, which means data loss.
(that's including some Linux distros; some of the Linux-based stuff out there makes MSWindows look good, honest. Last time I had to get down and dirty with Windows -which was with the most-hated Vista-, a lot of base-level problems could still be fixed with a text editor).
Then again, I suppose a GUI tool could be made that only manipulates text files. But that would be encouraging laziness. And it would drive the makers or the "#" key out of business.
> Which is bad, why?
Because there's quite a steep learning curve to mastering polkit.
Yet this is something that neophyte admins *should* be getting on top of; the alternative is, as we've seen, excessive sudoers permissions or just handing out the root password. polkit is a good way to handle fine-grained permissions, but it needs quite a bit of knowledge before it becomes even slightly useable.
> one of my major gripes with some distro is the lack of text-editor-friendly configuration files.
I'm completely with you there. gconf is one of the worst things that's ever happened to a *nix box.
> I suppose a GUI tool could be made that only manipulates text files.
That's exactly what I was suggesting. I probably should have been more explicit :-)
> But that would be encouraging laziness.
To an extent.
I see most of these tools as training wheels; once you've got the hang of what needs doing, you tend to go straight for the config file, because it's easier. But in the early days, that's just too much complexity for a bear of very little brain, such as myself.
So the tool is useful for getting to know the system. After a while, it becomes surplus to requirements.
"I see most of these tools as training wheels; once you've got the hang of what needs doing, you tend to go straight for the config file, because it's easier. But in the early days, that's just too much complexity for a bear of very little brain, such as myself. So the tool is useful for getting to know the system. After a while, it becomes surplus to requirements."
Fair enough; what is missing in that case is probably a better documentation, though, not a GUI tool. There are a number of problems with GUIs; the biggest one is that they usually rely on a specific backend, and thus a fairly minimal tool may force you to install very big libraries that may or may not even be available as binaries for your system (not to mention the wasted resources, compiling a GUI backend from source is not very hard but not very n00b-friendly, rather defeating the purpose of the tool in the first place). The second biggest is that it takes more effort than writing a text-format documentation, possibly with examples, which is guaranteed to "work" on any system.
> what is missing in that case is probably a better documentation
> a fairly minimal tool may force you to install very big libraries that
> may or may not even be available as binaries
Sit something on top of libglade and there's a pretty strong chance it'll be available on the sort of system we're talking about.
> it takes more effort than writing a text-format documentation
That's true, but these aren't mutually exclusive options. Learning the text-based config is clearly the better option, but I still believe a GUI tool to manipulate those files has its place. Perhaps I'll write it.
Yes - but locking down printers and wireless networks is not the same as locking down a laptop so they cannot access them without local root privileges.
It makes absolutely no sense. The default setting should allow a standard user to connect without root; then if doing an enterprise deployment, the sysadmin should remove unprivileged users from the printers/network group.
Permissions should be done with group privileges, not the root password.
@Linus - ""If you have anything to do with security in a distro, and think that my kids (replace "my kids" with "sales people on the road" if you think your main customers are businesses) need to have the root password to access some wireless network, or to be able to print out a paper, or to change the date-and-time settings, please just kill yourself now. The world will be a better place," he said."
- Yeah, that's going to help me a lot to sell hospitals on switching to open source. Thanks Linus - you and RMS make for a couple of completely useless ambassadors for all these great products.
Linus is right - you're installing a GUI based OS, it should come with sane default access rights.
"Bypass code"? WTF? OS is supposed to be installed by regular users. What I (a sysadmin) do on my laptop (disable network manager period!) should not be a model and should not be default. Same thing with wi-fi - I start it from command line with root privileges - not a right thing to do for a regular user who shouldn't even have to touch command line...
Linus' position on that is that by default, as the operator of a laptop, you have console access. The DEFAULT behaviour should allow you to do something as simple as connecting to Wifi. Enterprise requirements to lock-down devices should be an easily settable option, BUT NOT THE DEFAULT.
As above, in the Context of a SERVER, fiddling with the timezone is a bad thing for normal users to do, but with a LAPTOP, the person sitting in front of it could wipe the OS if they want to, because they have console access. Again, with a laptop, the user can travel, and should be able to change it. If you want to lock down a fleet of laptops, then it should be the non-default option.
I think the main point of Linus' rant is that the people setting distro security policy need to think differently (from the old "?n?x is a multi-user server system") as more and more users are everyday people with desktops and laptops. I think simply allowing some special privileges for sessions at the hardware console could elegantly solve both issues - laptops and desktops would be more forgiving for the person sitting in front of it, and servers would similarly when the admin was standing at the front of the rack. All remote X desktops should be a little more paranoid.
Then why during the installation did Linus not choose the appropriate options?
For network administration there are two options given. One is "system" administration, which requires root password or sudo permissions (wheel group) to modify. The other is "user", which gives the user the ability to choose the connection, etc. normally from a GUI "widget". Both options are available during and after installation. If the initial net connection is via ethernet, or absent, the former will be preselected. If a wireless connection is available the latter will be preselected.
The installer/admin can choose between three pre-configured security models easy..paranoid apart from custom settings. This includes the default configuration for a new user.
SuSE/openSuSE has always been a more professional/business oriented distribution than the hobbyist/MS user-friendly Ubuntu. You choose horses for courses.
Generally if you plug in a USB printer or scanner it will just work. Adding a proprietary driver or network printer for the first time will require membership of the appropriate group or a suitable policy configuration.
Almost all of the "it should" remarks by previous commenters are how openSuSE actually works, unless the non-default options are chosen when installing.
I think he can not have meant that. So, I think, oh, want to be in sync with my friend in Timbuctoo, let's change the system to Timbuctoo time. My wife, son, whoever, logs in to the system, with their own UID and finds the date command and display is "wrong" and dates their files etc., date macros etc. wrongly, breaks make(1) ....
This is a UNIX look-alike. Never heard of the TZ variable? In your own environment you can set that to provide any time zone you like, including one of your own devising, while leaving the system default hopefully set by NTP with a system default time zone, in good order for other users and system programmes that are a bit fussy about time stamps, such as incremental back-ups.
Of course you may have to learn about the shell and so on. But then if you are going to fiddle with system time, one hopes you have done this already, even if you were once an innovative rewriter of a kernel (design was old hat and even the concept of reimplementation had been covered by Minix and others).
Torvalds is correct. This will most likely evolve into another ongoing train wreck.
If a large corporation issues 500 identical laptops to 500 different employees, then will the IT department wish to institute a unique root password for each one? And "push" another unique password to each one at six month intervals? How about a company with 10,000 company issued mobile devices? Or 120,000? How many times will the IT department be getting after-hours calls from employees who wish to print a document from home, or attach their company issued mobile device to a home or coffee shop access point? How many employees will change the root password to something they will like better than the company issued password? (I've already done this myself, to my company issued laptop running Windows 7.)
Oh? Shall we make it a termination level offense for employees to work around the root password security architecture? OK, then... How many employees will cease to do a lick of productive work after they go off-site?
Ask yourself why your birthday, physical mailing address, mother's maiden name, first pet's name, etc, etc are no longer considered adequate secrets for proving ownership of many online financial accounts. (Hint: It isn't because your Mother or your spouse was a security leak, and disclosed these factoids to a total stranger down at the pub.)
And as for the individually purchased mobile devices which are NOT company or school issued... How many people will simply use the root account for everything? As many do today, with Windows 7?
The folks who think that an operating system architecture like this one will enhance computer security are likely the same folks who believe that people will stop smoking if we simply print the warning labels on cigarette packages in larger type.
Pardon? You imagine that a company running scores or hundreds of laptops and desktops will be happy that each user modifies it? Then, when the disc fails, or there is a cpu failure, you expect the company to restore all the OS plus user modifications? Do you believe most companies back up the whole machine or just the user data areas, usually on a network drive as backing up local disc is a pain?
Torvalds is wrong. In his, specialised, privileged environment the risk may be all right. If you work in a bank or a pharmaceutical company he is wrong. Even for most home users, who know b- all about their systems and leave them unlocked, permanently logged in etc., the default must be in favour of security. Actually, some of the worst cock-ups come from those who are supposed to be technically able as they just will not leave things alone.
Considering all the whinging that certain groups do about how Linux should replace <insert OS name here> on the desktop.
Well in that case stop treating every installation of Linux like it's
a: A corporate server
b: a home box for the hairy toothed, girlfriendless basement dwelling Linux geek to masturbate about
If you want to make Linux useable everywhere how about asking during the install process the role of the machine.
General home/student laptop (ie easy to connect to WiFi etc)
Mobile corporate machine (locked down a bit more than the previous item, ie no USB or CD use)
Office machine (only authorised networks, USB devices)
And so on
Make it easy on the users (and corporate IT depts) or is it really that many of the Linux for the masses proponents are actually elitist and don't want others playing with their toy?
BTW yes I have spent years working (for a living) with many UNIX variants and actively dislike windows but horses for courses
<dives for the flame proof overalls>
I got totally pissed off with fedora when I installed F14, and it wouldn't let me login as root and start messing about with network/printer settings
I had to start as a regular user, then try using the admin tool, then type in my root password, alter a setting, restart the service (after typing in my root password again) , notice I've made an error, type in my root password aaaaaaaaaaaaaaaarrrrrrrhhhhhhhhhhhggggggghhh this is worse than winblows.
I don't want to run my regular user account with raised access, it runs happily enough as a basic user, as do all my accounts.... but I just want to login as root.... fiddle with some settings easily, then logout and back in as my regular user... is that so freaking hard?
And to all you smug CLI bastards.... f*** off :-)
I haven't got time or inclination to learn exactly what "rm ./ -r ^%000fa3a -o -t -T X Userspace $e" means
I did sort the root access thing in the end
As a one time Unix admin I still think the idea that you should be able to log in as root is strange. On our DEC OSF systems one would log in as an unprivileged user and use su to become superuser just for the time necessary to perform a task and then end the su session dropping back to your normal privileges. No one was ever allowed to actually log in as root.
sudo on Debian/Ubuntu seems a good solution to me (typed on my Acer One running Debian).
@kwhitefoot - "As a one time Unix admin I still think the idea that you should be able log in as root is strange."
That's what many people commenting on this article don't seem to understand, and Linus either. With SUSE, you are not "logging in as root" - you are simply proving to the admin control panel YaST that you have admin privileges by supplying a password. YaST does the work - you are still logged in as a normal user.
I think folks are probably so brainwashed into the Ubuntu way of doing things that maybe they can't grasp the difference any more.
But you have to know the root password and that is not always desirable.
If you are allowed to use YaST, then you can log in as root!
My niece is 14 now and not root on her laptop but capable of using foreign printers in school, my office or copy shops as well as using WiFi anywhere. She is unable to work around privoxy, hopefully :)
What's the Ubuntu way of doing things? As far as I recall Ubuntu doesn't ever give the user a root password. They have to use sudo, or the GUI equivalent, which pops up and asks them for their own password, not the root password. They can't strictly get root access at all unless they have the right to sudo su- which isn't a given.
>That's what many people commenting on this article don't seem to understand, and Linus either. With SUSE, you are not "logging in as root" - you are simply proving to the admin control panel YaST that you have admin privileges by supplying a password. YaST does the work - you are still logged in as a normal user. I think folks are probably so brainwashed into the Ubuntu way of doing things that maybe they can't grasp the difference any more.
I don't think you understand how your computer works, at all.
I had a 200-line post ready but it failed the ElReg comment limit, so please just read the fucking manual (in case you wondered, that's what RTFM means). In short and because I'm feeling kind: YaST is only a front-end. When you call it, it calls whatever GUI frontend to su you have in your system, then calls -as root- the package management and/or config tools needed for the job. As root. Then it exits, effectively unlogging from root, although your local GUI frontend to su might or might not cache your root credential; and might or might not warn you about the fact.
Hmm... 12.1 eh?
Actually, I have no trouble with openSUSE jumping onto other networks without a root password. But then again, I'm still using 11.4 on my little netbook.
Mind you, before we aim anything nasty at openSUSE about root passwords and adding printers, has anyone tried adding a printer to Windows 7 without admin access? Actually, the problem with printer adding sounds a lot like where YaST is involved, though I notice that the CUPS webpage asks for a p/w too. Is this a CUPS thing or a openSUSE thing?
The problem with Linux is no one other than Redhat has enough resources to do anything.
Which causes anything Redhat doesn't care about to get actively more and more broken all the time.
How it should be is understand one thing everything else is the same basic design.
It is getting layers and layers of abstraction with loads of deprecated APIs and other crap and binary formats it is just a mess. (Almost exactly like Windows but it doesn't work as well).
Only good thing happening at the moment is Samsung paying for the development of e17 to be finished.
(Any GUI all I really use it for is running clementine a few xterms and a browser).
I was fairly happy with one of Linux / FreeBSD / Solaris for about 15 years as my desktop.
I no longer am though so I use Windows 7 (With UWIN which is probably more POSIX than GNU) colinux if I need it.
I have a Linux from Scratch laptop (Only way I can use XiG's xserver which is what Xorg should be).
Too much hassle to avoid the things I know I don't want (pulseaudio / systemd / alsa / Xorg / avahi / cups) and stuff like flash needs a lot of messing around to work with oss4.
RHEL 6 is usable I guess. (RHEL 7 will be utter shite if it keeps gnome 3 / Ubuntu is a joke / Opensuse is messing up the stuff it was best at like xen (systemd breaks it guess there will be a time soon when sysvinit is not an option).
FreeBSD is great just as it has always been I was expecting due to the specs being released some usable ati drivers by now. (Bought this card ages ago due to that action by AMD still useless - no one can write X drivers except XiG).
Solaris cannot use it securely anymore due to Oracle.
(I use focus follows mouse on Windows which is another thing I must have - it should be the default on any *NIX OS - I might have used a Mac if it had this but even though Nextstep had it they dropped it which is moronic).
I have very little hassle with Windows 7.
> The problem with Linux is no one other than Redhat has enough resources to do anything.
> Which causes anything Redhat doesn't care about to get actively more and more broken all the time.
Funny that, my numerous Debians all work fine. Especially the ones I boringly keep in the "stable" pool for productivity reasons; but even the "testing" ones are very reliable. The "unstable" releases do cause problems, like, twice a year. I bet that's because of Red Hat priorities. Ain't it?
You do know Novell aren't pitching OpenSUSE to consumers, right? Their primary market is corporate IT.
What OpenSUSE is doing is exactly what it should be doing for a corporate rollout. Business PCs need to be locked-down.
Also: what vagabondo said. You get to pick how you want SUSE to behave both at install time, and post-install if you cocked it up.
Finally, on what planet does ripping-off MINIX and dumping the resulting barely-working kernel into a public forum for free make you a "genius"? Having a knack for getting in the tech news (often for all the wrong reasons) only makes it clear that you're wrapped in a cult of personality. It doesn't make you anything other than an arrogant egotist.
The hypocrisy of the FOSS is truly a thing of mystery and wonder given how often they've accused the late Steve Jobs of displaying the exact same character flaws.
my theory? the mobile security is more important.
I disagree with Linus on this one. We are currently in an age of exploits, psychopaths, deception, spying, and data theft.
I like the passwords for changing the settings in the gui.
1. yast -i keepass or keepassx , add this program and look / use it.
2. put your user in the "wheel" group. then you be ready next time
Seems to me yast or YaST always did that, and it's so RARE to be editing the logon screen or printer it ain't a problem. What I don't like is sudo. "sudo this sudo that sudo syudo swuydo"
3. So I install sux. yast -i sux
4. In these later years with faster workstations, that cool shell "yakuake" ( yast -i yakuake )
Some of us our eyes are going bad, and we don't have eye doctors.
On the other hand. You could always run your xsession as root on SuSE, there are ways around it are the people in the group "wheel" ?
"Torvalds has come in for criticism for not using bypass code in openSUSE to eliminate some of the need for root password access, and has been slammed for taking the rant public"
Where did Torvalds get criticised for not using bypass code and who slammed Torvalds for going public on a social networking site?
Start Menu -> Applications -> System -> Yast
Enter root password
Network Devices -> Network Settings
Select "Global Options" and in "Network Setup Method" choose "User controlled with NetworkManager" then press "Apply"
Any user can now setup a network
Security and Users -> User and Group Management
Select the user, and under details, add them to the lp group
Job done. Users no longer need root password to set up printers or networks.
The Solaris 11 dladm method for dealing with wifi is quite nice (Even nwam is better than networkmanager).
If you go away from small programs that do one thing well (and are scriptable or usable in a shell) and input and output text then there is no point still using *NIX. (It is the whole point of the design it is like that for a reason and it all makes sense as a coherent whole).
It is like any tool. (e.g the best coping saw blades snap really easily if you go out of square a tiny tiny bit I could learn to do it but I don't need to but it would be dumb to use them without first learning to use them properly). Computers are the same means to an end.
1) installed fedora 15 in my (then) 5ish year old compaq presario a year ago.
2) worked really well, but for the life of me I couldn't make the laptop print to a network printer.
3) hibernate simply sucks and results to a system crash that requires a reboot or worse fsck
4) I don't have the time nor patience anymore to 'tinker' around.. I just want something that works.. comes with age I suppose.
5) As a developer, I'm increasingly getting more inquiries for 'mobile' apps development.. well and good except that I need a Mac for iPhone/ipad development..
6) The only way I can run Netbeans (my preferred java IDE) +Eclipse (for Android) + Apple's XCode IDE is in a Mac.
7) MacOSX is still, after all, Unix.. so yes I may want to do the occasional tinkering.
So there.. I've bared my soul...
openSUSE provides 3 sets of security policy settings; slut, secure and sheldon (officially Easy/Secure/Paranoid). ... in addition to custom settings. One of them is selected at installation time. Slutty is the default.
The presets aren't perfect for everything and the interpretation of "secure" varies from individual to individual. Defaults were initially too restrictive for NetworkManager to do its thing without superuser privileges. And it's also annoying for removable (USB) media, but the risks of mounting a strange filesystem automatically should be considered.
Networking is either "classic" or NetworkManager. The latter is appropriate for most mobile computers as it allows the user to choose the network connection.
The settings can be changed in the policykit files. That's how I got NetworkManager to connect to WLANs without root password; just the one for my KDE Wallet which stores the network passwords.
Printing on openSUSE is by CUPS. The system can be configured to listen for CUPS servers on the network; whichever network is connected. The appropriate printer can be chosen by the user in an application dialogue.
The user's timezone can be selected without root privileges. Users should not change the date-time on a *nix computer. If the network has been configured correctly, then NTP can be used to adjust the clock automatically.
A user chooses their timezone from the desktop environment settings. pre KDE4, the timezone selection was possible directly as a "clock" option. In KDE4, it's selected from the Mac-like configuration thingy.
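The per-action policy the comment above describes can be audited from the policy text itself. This is an added example, not part of the thread and not openSUSE's own tooling: it assumes lines of the form `<action-id> <any>:<inactive>:<active>` (the three polkit session classes), and the sample policy is constructed for illustration rather than copied from any shipped preset.

```python
"""Classify polkit privilege lines by who may act without an admin password.

Added example with constructed data; not a distribution's shipped policy.
"""
from dataclasses import dataclass

# Implicit-authorization values that polkit defines.
VALID = {"no", "yes", "auth_self", "auth_self_keep", "auth_admin", "auth_admin_keep"}

# Constructed sample. Assumed format: "<action-id> <any>:<inactive>:<active>".
SAMPLE_POLICY = """\
# action-id                                            any:inactive:active
org.freedesktop.NetworkManager.settings.modify.system  auth_admin_keep:auth_admin_keep:yes
org.freedesktop.NetworkManager.network-control         auth_admin:auth_admin:yes
org.opensuse.cupspkhelper.mechanism.all-edit           auth_admin:auth_admin:auth_admin
org.freedesktop.timedate1.set-timezone                 yes:yes:yes
org.freedesktop.timedate1.set-time                     auth_admin:auth_admin:auth_self_keep
example.constructed.broken-entry                       yes:maybe:yes
"""


@dataclass(frozen=True)
class Rule:
    action: str
    any_session: str   # any caller, including remote (ssh, remote X) sessions
    inactive: str      # local session that is not currently in the foreground
    active: str        # the person sitting at the console right now


def parse_policy(text):
    """Return (rules, errors); malformed lines are reported, never guessed at."""
    rules, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2:
            errors.append((lineno, "expected '<action-id> <privileges>'"))
            continue
        action, privs = fields
        parts = privs.split(":")
        if len(parts) != 3 or any(p not in VALID for p in parts):
            errors.append((lineno, f"bad privilege triple {privs!r}"))
            continue
        rules.append(Rule(action, *parts))
    return rules, errors


def classify(rule):
    """Describe the weakest requirement a rule places on a caller."""
    if "yes" in (rule.any_session, rule.inactive):
        return "open-beyond-console"   # remote or background sessions pass unprompted
    if rule.active == "yes":
        return "console-only"          # only the user at the machine passes unprompted
    if rule.active == "no":
        return "denied"
    if rule.active.startswith("auth_self"):
        return "own-password"          # user re-enters their own password
    return "admin-password"            # root/admin password needed even at the console


def audit(text):
    """Map each action to its classification, plus any parse errors."""
    rules, errors = parse_policy(text)
    return {r.action: classify(r) for r in rules}, errors


def needs_review(report):
    """Actions that non-console sessions can perform without any prompt."""
    return sorted(a for a, c in report.items() if c == "open-beyond-console")


if __name__ == "__main__":
    report, errors = audit(SAMPLE_POLICY)
    for action, verdict in report.items():
        print(f"{verdict:20} {action}")
    for lineno, msg in errors:
        print(f"line {lineno}: {msg}")
```

A "console-only" result is the laptop-friendly setting argued for in the thread, while "open-beyond-console" entries are the ones worth a second look on a shared or remotely accessible machine.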
But the straw that broke the penguin's back was when his daughter Daniela called him from school to complain that she couldn’t add a printer to her computer without the root password. Linus lost it, and went public with his complaints.
My computer also has that root password request problem to ignore and recognise is a failed hinderance when testing for super dynamic connection bottlenecks in networks ……. and Safe and Sane Berthing for Heavy MetaDataBase Fuel Exchangers with Private Networking Nodes in Fabulous UnderGround Streams.
I'm not following everything he says and does to be honest, so my views on the matter may be flawed as well. But more and more do I get the feeling that in Torvalds' mind there is only one right solution and that's his solution. Everything else is basically inferior by default.
There is a big difference between stating your opinion or presenting it as if it is the one and only truth. Think about it.. Mac file system? "Utter crap" according to Torvalds. Gnome 3 ? An "unholy mess". Windows? 'Can't learn anything from that' (not an accurate quote), according to Torvalds.
While my opinion tends to overlap (I also don't think much of Gnome) I wouldn't call it bad per default. First it does its job and more importantly: there are plenty of people around who /do/ enjoy Gnome. I guess those are stupid idiots too then ?
Same applies to this rant. He has some interesting points but those are also easily reflected. And quite frankly I think his end conclusion is taking it WAAAY too far. Whatever happened to taking a like of Linux' key strengths; the amount of different distributions so that if you didn't like one you could always try another ?
I am frustrated with this distro. I invested the last 7 years of my time using it and I have not found the time to look elsewhere.
I was forced to upgrade a number of machines after update and upgrades for 11.2 ended. We have 6 machines running OpenSuse with various hardware. All act randomly and crazy since upgrades.
We first upgraded a few machines to 11.4. Nuff problems. KDE4 would hang when we USE Gimp, or LibreOffice in a random way with no keyboard function or SSH access and requires a hard reboot. Various other application had problems if DUAL display was enabled. Switched display adapters from NVIDIA to ATI, the problems persisted. Appeared to be problems with KDE4 that kills the entire system and WERE VERY RANDOM.
Other problems included memory leaks by akonadi_contact. Imagine your system crawling and you do ps -A and see 50 plus instances of a process running. Other problems related to NEPOMUK. Apparently KDE4 requires so many of these unnecessary systems to be running that they are difficult if not impossible to disable.
The worst of the offending applications was knotify4. This application that controls desktop and was consistently using 99% of our CPU. KDE4 or OpenSuse own built DOS attacker. Of course this problem could easily be solved by turning off Audio Output in System Notification Configuration. But why do these applications and KDE4 generally have to be so intrusive. After using Linux only for the better part of the last 11 years and SuSe for the past 7 or so it is like using MS Windows all over again except it is like Windows ME.
Too many changes for changes sake. I have been using KDE4 for the past two years and it is now a bit more manageable. But what about it just working. What about the old Linux that just works. What about the old Linux that does not just consume all your system resources.
OpenSuse 11.4. and 12.1 feels like I am using Windows ME or 98 all over again. This is not what I expect from a Linux distro
11.4 random and buggy? To be honest, I am not a fan of the new startup system on 12.1 but the SVR4 setup of 11.4 has never failed me on the handful or so machines that I run 11.4 on, with age ranges from a rather old Dell server at work to machines ranging from a server down to an Acer Aspire One.
Having said that, I do agree that too many changes are made for their own sake, the various boot systems such as Upstart and similar being good examples, as is KDE4 itself. But that's hardly SuSE's fault as a fair amount of what has changed is connected with packages rather than the distro.
What does annoy me is where a distro discontinues a package because *they* think it is outdated, despite anything that the end users say. openSUSE had to backpedal slightly because of this when 12.1 came out because of the users that still use KDE3 and GNOME 2, for example. The insistence of driving the userbase forward every twelve to eighteen months doesn't help either - not all of us are interested in the bleeding edge! That's what openSUSE Tumbleweed or Fedora are for.
All of that aside, I still have W98 to hand and openSUSE is nothing like them. Actually, KDE4 reminds me of Vista more than anything else, and Vista reminds me of a failed attempt at emulating KDE3. Go fig!
I use Suse and OpenSuse for some 17 years now and I'm totally with Linus here. You need the root password almost anywhere and OpenSuse knows that, it's set to the first user's password by default.
Not a problem for me, but if I gave the root password to some of my users they'd get into the old Windows XP habit and work as root.
> it's set to the first user's password by default.
Really? The root password is the same as the first user's?
Wow. I didn't realise that. It's been a while since I used any flavour of Suse - and if they're doing that, it's going to be a long time before I go back. That's *awful*...
As a long-time openSUSE user I reckon those openSUSE people think differently to the rest of us.
They often seem to get the nuances of the user-experience wrong. But when prompted, they do seem to sort it out, eventually. Sometimes, eventually can be a bit too long, though, like with the endless attempts it took to get package management working properly.
Unfortunately, of late, they've also started believing it's OK to introduce bug-ridden new software as a replacement for older stuff that had better functionality anyway. The (ahem) desktop comes to mind here, but isn't the only example.
So I don't know if Linus is right in this particular case, but those "I can't believe it" moments do seem to be on the increase in openSUSE.
Quality Control - they've heard of it.
Yeah what's the threat behind adding a printer to print off a few documents?
Actually it's a real one, you're looking at it from the printer attacking the device (let's not stray off into idlescan territory here but yes I'm aware of that too). Your document is in the buffer of that printer, which in the case of a networked one could quite happily be storing/sending off to a 3rd party your confidential document you just printed on it. Of course you wouldn't expect your salesforce bods to know/be aware of this leakage vector, but then that's why you lock it down to require a password and control access to it in a business environment. Quite a few companies I've worked for mandate no 3rd party printers for this reason and it's a disciplinary offence to print to an unauthorized device.
I stayed in a posh hotel in Prague once (honeymoon!) and there was a tech conference in town. We nipped on the shared business PCs to browse a few news sites, and on the print server was a stuck job, which was a spreadsheet containing names/addresses/telephone numbers and other personal details of all the leaders and shakers in the tech conference (which came out after we removed the paper jam...) Salespeople are good at selling and mostly fail at security. It's a good job we're good at security even if we mostly fail at selling and marketing. We each bring something unique to the table, and both are essential to the other, and mostly when security looks like we're being annoying to the layperson, we've got good reason..
"If you use so-called ‘free’ Wi-Fi networks while at your favorite cafe or while traveling, you might get more than you bargained for. Protect yourself – and your identity – with these simple tips. You're sitting in an airport lounge and seize the chance to check your e-mails before your flight departs. You log on and are tempted by a wireless Internet provider offering free Internet access. So, do you take it?
Security experts warn that hackers may be masquerading as free public Wi-Fi providers to gain access to the laptops of unsuspecting travelers. All it takes, they say, is a computer program downloaded from the Internet, an open access point and a user who has ignored basic security advice. The difficulty for travelers is differentiating between a good Internet access hotspot and a rogue, or somebody trying to actually glean credentials from you. The issue is that you don't necessarily know the difference between a good and a bad one.
This could happen in a number of ways, but one of the sneakiest is a “rogue” Wi-Fi network that looks like a free alternative to your hotel’s $10 to $15/day rate. In other words, tech-savvy thieves are taking advantage of your thirst for constant connectivity – and desire to save a few bucks.
The basic idea is someone in vicinity has created a ‘free Wi-Fi network’ that you connect to, but in doing so, you’re allowing them to tap into your info, access your files and possibly steal your personal identity too. These rogue networks are really individuals who have software to hack into your systems — and because the majority of people’s laptops are not protected, they’re a lot more susceptible than they think."
See the link for more of the article.
He has[enter password to continue]
a point[you must click "Agree" to continue].
These[enter password to continue]
security fea-[you must click "Agree" to continue].
tures can[enter password to continue]
be very[you must click "Agree" to continue].
intrusive[enter password to continue]
and[you must click "Agree" to continue].
slow you[enter password to continue]
down a[you must click "Agree" to continue].
lot.[enter password to continue]
I have a Mepis 11 (Debian Squeeze derivative) MacBook Pro laptop for work, with 2 kids having their own account. Flash-games and everything, VirtualBox and dual-screens. Actually, even my account is a standard account, and everything just works as it should.
WTF are SuSE doing? I loved that distro until 9.3, before they were bought by Novell. Has been downhill ever since. Sad.
The older he gets, the more curmudgeony he gets, and I love it. He shouldn't be afraid to speak his mind. Most distros these days piss me off as well. Let's not even get into the KDE4/Gnome3 decisions that have enraged users and inspired a dozen different schisms from the main distros.
If you wanted a friendly and permissive distribution for your daughter's laptop, you should have either:
1) Configured OpenSUSE that way, or
2) Given her a different distribution
The fact that it won't by default let users do just anything without elevated credentials, is one of the selling points of OpenSUSE to (for example) IT teams in a corporate environment.
Rant away about bugs, by all means..
Re: "I agree with Linus saying that there are bugs but it's not as simple as he states,"
It might not be for you and your distro assemblers/programmers, but for the end user it is. Cause if yours don't work as expected, they'll "buy" somewhere else, even if that means paying actual cash for the badly hacked copy CableMonopoliesUnlimited has licensed from OSMonopoliesUnlimited and makes all users admins.
It's SO much fun watching the linux boffs pick at each other and go around in circles informing how other_boff "clearly doesn't know" something slightly pedantic. It kinda makes Windows/Mac OS use that much more worthwhile ;)
For what it's worth (and the little I admittedly understand) I agree with Linus* and the "juvenile" way in which he went about it; it's very easy to ignore if it's a "quiet word", but now it's public... =)
*I don't want to have to key in a root password every time I do something that simple!
I would have thought it obvious that you'd need root access to add a printer or wireless network! There are a lot of good arguments for this behaviour, as the point of root (as I understand it) is so that users cannot make changes which affect the system and other users. On the upside, at least his daughter could find drivers for the printer...
Nobody seems to have addressed the core scenario for the locked-down configuration, where you might want to demand an admin password for USB, printer or “wormy public network” to protect the laptop from the Executive or traveling sales-person.. “Enterprise lockdown” presumes an enterprise environment where paid-for support/admin people are always available to do what is needed..
Needing an admin-password to add a printer is fine for geeks and fine for lock-down, but just lame for a desktop OS.. it’s not as if Linux does not have sandboxing.. so it looks like a lazy route has been taken.
Cut the fella some slack.. somebody is bound to have commented to the daughter that “it would work better if your Dad had not put HIS os on it”
I remember years ago Linus flamed needlessly confusing Linux boot messages and got flamed back by community saying it is not Windows.
He didn't say he or advanced users would get confused or be disturbed; he talked about people who have just installed Linux and are welcomed by thousands of advanced status messages like a bank mainframe (an actual banker told me), which will drive them to panic and confusion.
I personally enable verbose boot even on Windows and wish Android had a similar facility, but I agreed with him that time.
Just one question. Remember 'chmod 666 /dev/dsp'? What did it serve other than driving thousands of Linux newbies insane and give up? For newbies, it was the command needed to make sound work. Seriously, funny now yes? It forced thousands of newbies to root console further messing up things. Now all Linux makes sound without needing that absurd operation, what harm did it do?
Have three computers here at the fort (at home, for the mentally challenged): two towers and a laptop. All three are running openSuSE 12.1, KDE 3.5.10 as the desktop, and all three are setup with six user accounts:
2. The wife's
3. One for each of the younguns
Only the wife and I know the root password, which is required to:
A. Install software
B. Alter network settings
C. Install/modify/remove printers
D. Change any system settings via YaST
E. Perform any other action that affects the system
The only changes that can be made by a normal user (The wife and I run as normal users) are those for their respective desktops and files.
I set up these computers this way for a reason: it is harder for any one youngun (or anyone else, for that matter) to change system-wide settings, i.e. settings that affect *all* users.
Sorry, Linus, disagree with you on this.
BTW, Linus, next time you install a distro, *read* the information the installer gives you. A quick search on <insert preferred search engine here> about the distro you want to check out is merely a suggestion. (I researched several distros when I decided to ditch Windows and moved to a Linux-based OS. I chose openSuSE. Been a penguin since 10.3.)
On the one hand, most Linuxes (Linices?) can be a bit obtuse. On the other hand, you don't install Windows Server or HPC edition on a netbook unless you want pain.
Maybe he should try using a "desktop" Linux? Probably will still give him reason to rant, but at least we won't have experts and neckbeards saying that's how it's supposed to be and you should edit /some/fucking/text.file if you want it to behave nicely.
If Linus HAD left the original OS on the MacBook Air, he could have:
1:set up his daughter's account as an 'Administrator', allowing her to change anything that didn't need root access [ie. change settings and configure stuff, but don't delete system directories or apps.]
2: set his daughter's account up as 'Managed' allowing access to a default 'safe' level of configuration options.
...all by the selection of a tickbox
3: configured the "Managed" account options, by ticking some more tickboxes, for more fine-grained control.
4: Set up the MacBook to allow guest access, with the barest minimum of privileges.
5: Dropped into a terminal window and used 'sudo' to his heart's content
6: Asked to share his daughter's screen via iChat [again, with the click of a button] and securely setup the printer for her, as if he was by her side, from the comfort of his armchair.
Thank God he ditched that fanboi-ish Fisher Price OS in favour of a real one!
root is one of the most horrible things in terms of nix security, it should be only ever used in an init1 situation if that and only known to a trusted few. Any account that has rights to blow up the system needs to be auditable especially in an enterprise situation where accountability is key.
Linux distros aimed at the desktop should really start thinking about desktop land more and openSuSE is not enterprise, that is the job of SLED and SLES!