Torvalds Calls OpenSUSE Security 'Too Intrusive' 311
jfruh writes "The balance between security and ease of use is always a tricky one to strike, and Linux distros tend to err on the side of caution. But no less a luminary than Linus Torvalds thinks openSUSE has gone too far. When his kid needed to call from school for the root password just so he could add a printer to a laptop, that's when Linus decided things had gone off the rails."
Too much root is not a good thing (Score:5, Insightful)
I see this on Macs a lot. If you want to install anything, you have to type an administrator's password.
In theory, that's great. But in effect, you are giving that installer root access. So if I understand correctly, that installer could be putting any amount of spyware (or whatever) into your computer and nearly perfectly cover its tracks.
Otoh, many Mac apps are distributed as disk images, where you simply drag them from the image to your drive, and that's it. No password at all. If you're going to use pre-rolled software, that certainly seems more trustworthy. But of course, it is a lot more complicated of a process for the average user to be able to ever understand.
What an ass (Score:5, Insightful)
But no, he had to go harping on everyone on bug lists and social media rants to put people down, even suggesting whoever made the system should die.
What an ass.
I feel you man, (Score:4, Insightful)
B.S. in C.S., M.S. Psy., Ph.D. in C.S. and B.S.*, and my job is to fix the printer ...
* That's Brain Science, you r'tard
In other news, Linus has a child old enough to install printers on Linux ... I feel old.
I guess it's reasonable ... they use to say, "you're not dating girls until you're 21!"
Now it's "You can't have the root password until you're 21!"
By the way, Linus is right, I usually disable selinux ... a good firewall is fine ..., and
also if your child clicks on an attachment from a stranger, that's a grounding.
Re:What an ass (Score:5, Insightful)
Why should he have to do that? Why isn't it sufficient to add the user to the 'lp' group? There's no reason that printing should require root access at all.
Re:What an ass (Score:5, Insightful)
Why should he have to do that? Why isn't it sufficient to add the user to the 'lp' group? There's no reason that printing should require root access at all.
Why does an administrator have to add anyone to anything in order to do a commonplace task on a machine that is really a commodity item?
Not that I have read his rants but I get where he is coming from.
Re:What an ass (Score:5, Insightful)
If I understand correctly this in effect would be giving that user root priviledges. I think his complaint was that an ordinary task like adding a printer required that level of priviledge, not that it was inconvinient to do. It sounded like he wanted to administer his childs laptop without giving them free reign over it.
He was also a bit pissed that you need the root password to connect to a new wifi hot spot. Could imagine the network admin's nightmare of having to give the root password to a salesman trying to give a presentation on the road?
I had the same problem with my Fedora 16 (XFCE Spin) box needed the root password to eject a CD. It really sucked that my file manager couldn't do it unless I ran it as root. I don't even know what the file manager's name to run as root and I shouldn't have to. Of course it was no big deal for me to type in "sudo eject cdrom", but I wouldn't expect the average user to know that. Besides, I shouldn't have to add standard users to the sudoers group just so they can swap a friggin CD out!
Re:Only root? (Score:4, Insightful)
Re:What an ass (Score:4, Insightful)
Why should he have to do that? Why isn't it sufficient to add the user to the 'lp' group? There's no reason that printing should require root access at all.
Because, in any sane environment, that would require proving that the entier printer-management interface is secure enough not to allow privilege escalation or agent-based attacks. At the very least, that would require a software audit of those components that can be twiddled and probably some pen-testing and/or fuzzing. You can just say "well, this is designed to just let users add a printer so surely it can't be used to do anything else" -- I suppose you *can* say that but you ought to lose your job for that kind of thinking.
We've had large multi-user operating systems for decades now and people still don't seem to understand this basic principle -- if an interface is available to a regular user, it has to be vetted to ensure that it does not allow the user to do any more than what it advertises and that the effects of that are limited to things that the user is supposed to be able to accomplish.
Re:Only root? (Score:4, Insightful)
Only if your printer sucked. If you had a real printer you could just cat the postscript to whatever device it was connected to...
And that's why the year of Linux on the desktop will always be next year.
Re:Remote ejecting (Score:4, Insightful)
Re:Only root? (Score:3, Insightful)
More like "you bought the wrong one, so suck-it-up and learn from your mistakes"
Re:if Torvalds kid is smart enough to use (Score:4, Insightful)
Yeah he can be a control freak, but in a way I can't blame him. Can you just imagine how many black hats would like to get into Torvalds home LAN? Consider also that the man is pulling over 250 thousand $$$ per year wouldn't somebody like to sniff his network?
Re:Geeze, what a drama queen! (Score:4, Insightful)
A business laptop that is carried five states away to deliver a million-dollar presentation should not have any security barriers that would jepordize that presentation. I would count "Contacting IT back at our headquarters so I can use the WiFi" as just such a barrier.
Clearly, then, this is not the Year of the OpenSUSE desktop.
Re:Only root? (Score:5, Insightful)
It's somehow the (free) operating system's fault because printer manufacturers design their hardware around yet another half-baked printing protocol instead of just using a standard that's been around for decades?