Vote for new Ubuntu Feature---Let's try it again --- and without getting all religious about it

Derek Broughton news at pointerstop.ca
Thu Jan 11 15:12:40 UTC 2007


Jeffrey F. Bloss wrote:

> Derek Broughton wrote:
> 
>> Jeffrey F. Bloss wrote:
>> 
>> > Chanchao wrote:
>> > 
>> >> All the man says is that at this point he prefers not to have to
>> >> save this file somewhere where he can save it, exit the
>> >> application, use gksudo to open it again, re-apply the changes,
>> >> save again.
>> ...
>> >> access rights after entering the sudo password: great.  Or if a
>> >> script is called that saves the file as a temp file, closes the
>> >> application and re-opens it again after authenticating as
>> >> administrator:  Just as great.
>> >> 
>> >> That's all.  No Unix-security-blasphemy takes place.
>> > 
>> > Nonsense. You're suggesting that every application be allowed to
>> > determine who is and is not permitted to act as an administrator
>> > independent of the OS. That's not blasphemy, it's castration. You're
>> > asking that the entire Linux/Unix authentication mechanism be
>> > undermined.
>> 
>> Don't be silly - applications _do_ do this, and as Chanchao says it
>> isn't Unix blasphemy.
> 
> Yes, and if you read back through the thread I thought I'd made this
> clear when I stated quite plainly that there are two avenues of attack to
> this "problem"... either neutering the Linux/Unix security model, or
> convincing every Tom, Dick, and Harry software author to rewrite their
> wares in a compliant and *secure* way. Like I said, it's not gonna
> happen in our lifetime or likely any other.

But right here, Chanchao just asked for it to be done on a per-application
basis, and you told him that he was castrating the Unix security model.
His suggestion most certainly does not.

> That said, even if the "Tom/Dick/Harry" solution were logistically
> feasible it's a monster of a security nightmare in itself. Do *you*
> trust any and every software author on the planet to properly implement
> the authentication and execution of administrative rights,

Again, you don't have to.  If, in the particular example Chanchao used, the
file was written to a temp file, then copied to the original location,
gedit would need to invoke "sudo cp".  The user would have to _have_ sudo
rights - at least to cp.  If the user does, then where is this any more of
a security nightmare than the current system?

> I don't think Gedit needs, or should be allowed to do anything like
> this. There's already several perfectly functional ways to give Gedit
> the privilege it needs to do what the OP wants. Users need to learn to
> use them, not suggest the reinventing of a broken wheel.
 
If the wheel's broken, it should certainly be redesigned.  I don't think it
is, but let's argue about it on its merits rather than dismissing ostensibly
reasonable suggestions as emasculation.
-- 
derek
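
The temp-file-then-"sudo cp" flow discussed in this message, sketched as a shell function. This is an added example, not code from the thread or from gedit; `save_buffer` and `ELEVATE` are hypothetical names, and the buffer is assumed to already be in a file.

```shell
#!/bin/sh
# Added example. The editor itself never runs as root and never sees a
# password: it hands one fixed command (cp) to the system's elevation
# tool, and that tool's policy (sudoers for sudo) decides whether this
# user may run it.

# Elevation front end; assumed to be sudo unless overridden (a graphical
# application would use a front end such as gksudo here).
ELEVATE=${ELEVATE:-sudo}

# save_buffer BUFFER_FILE TARGET
# Writes the contents of BUFFER_FILE to TARGET, elevating only if needed.
save_buffer() {
    buffer=$1
    target=$2
    dir=$(dirname -- "$target")

    # Unprivileged path: the user can already write the target (or can
    # create it in its directory), so no elevation is requested at all.
    if [ -w "$target" ] || { [ ! -e "$target" ] && [ -w "$dir" ]; }; then
        cat -- "$buffer" > "$target"
        return
    fi

    # Privileged path: stage the contents in a private temp file
    # (mktemp creates it with mode 0600), then ask the elevation tool to
    # copy it into place. Overwriting an existing file with cp keeps the
    # target's owner and mode.
    tmp=$(mktemp) || return 1
    cat -- "$buffer" > "$tmp" || { rm -f -- "$tmp"; return 1; }

    "$ELEVATE" cp -- "$tmp" "$target" && rc=0 || rc=$?

    # Remove the staged copy whether or not elevation was granted; on
    # refusal the target is left untouched and the failure is reported.
    rm -f -- "$tmp"
    return "$rc"
}
```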




