Forgot your password?
typodupeerror
Linux Software

Linux Lite? 170

Posted by Hemos
from the security-issues-galore dept.
smock writes "An interesting (and, IMO, excellent) suggestion is over at Linux Journal. " Essentially, an argument for better opening security, given the lack of experience of many new Linux users.
This discussion has been archived. No new comments can be posted.

Linux Lite?

Comments Filter:
  • Which means it's even a bigger security hole than it would be otherwise. Or am I just way off here?

    No, you're absolutely right. But, there are a few solutions. First, they could do something involving the serial number on the CD it came on; then, the "now you're ready to be root" section of the manual can say how to use it. Or, you could cast root as something other than an ordinary account, e.g. with a prompt sequence like: "What do you want your username to be? And its password? Now, make up a super-secret emergency password, different from the first one, and type it here: ..." There are a lot of ways you could get a root password unique to the machine such that the "dumb user" doesn't really know what to do with it until they are no longer just a dumb user.

  • Why do we need http, nfs, telnet, ftp servers running by default in a home networked environment. I've always used RedHat, and sure it gives the option of what servers to run, but somebody with no unix/server experience would quite probably just pass over such a screen without even thinking about the consequences.
  • by Anonymous Coward
    I dunno about this being *tooo* far off... As far as not even letting the user know about root until they're forced to dig into the manual ("Oh, BTW, in order to make the following changes, you must be logged in as root... For an explanation of root, please turn to page XX...") -What if root's password were set (by default) to the user's normal password? Or some derivative of their username? Being relatively new to Linux myself, I dunno if this is feasible (or itself another nasty security risk); could someone more experienced please comment?
  • Well, I suppose the root password could be randomly assigned and kept hidden. How to become root then? LILO: linux single (Good Idea? If not please berate my suggestion..:)
  • Well, I suppose the root password could be randomly assigned and kept hidden. How to become root then? LILO: linux single (Good Idea? If not please berate my suggestion..:) After all, if the box is single user and one is worried about attacks coming over the network as opposed to the box itself, this would work.
  • In my experience ( Linux various distros, now Freebsd), the key element that has either been missing or difficult to find/obtain is good documentation.

    Most of the free unices are just that, FREE, how many many of us are prepared to pay somebody or some group to provide clear and coherent documentation of the different tweaks and customisations that exist and are frequently required by the different unices even at kernel level before you even start talking about ports.

    To even attempt this task would require the setting in place of some kind of standard that will inevitably limit the flexibility of offerings

    Whilst this flexibility itself is both a strength and weakness, I would resist an attempt to change or impose some additional framework upon it that might reduce the variety of tools available to me.
  • Not necessarily.
    Certainly you _could_ be lazy and do it that way.
    But you could equally have the root password indivuidually tailored with each copy of the distro. You know - "root password is on the sticky label inside the front cover of the manual"
    kind of thing...
  • Essentially this is the case with NT.
    Although Microsoft badge them as different products - the code is still the same, it's just installed differently. In NT 3.51 you could turn Workstation into server just by altering a registry key. You can do the same in NT 4.0, but you need to kill off a magic thread in the OS which modifies this key if it detects you changing it!
    The install program here oculd install the dumbed down version of linux by default - but if they bothered to the read the manual they could find out that if you did "blah blah blah" you got all the really cool server stuff, and a big shove towards the rest of the manual.
  • Right on.

    I've installed debian more than a few times too. dselect really needs some work. Like maybe a complete re-write...
  • There was an absolutely humongous list of packages with undecipherable names that all had intricate dependencies on each other. . . . Since no clue was really given as to WHAT these things were, I was forced (after several attempts at a minimalistic install) to install a humongous amount of crap @350 MB.

    I discovered (although only recently) that hitting F1 from the dialog where you "choose individual packages" produces at least a semi-helpful description of the particular package. (Actually the contents of the description contained in the RPM package.)

    Anyway, I believe RedHat's install is getting better. I fiddled with Lorax (the RH6.1 beta) a little this weekend and I think that the new graphical install will be quite nice when they get it working correctly. Also, the new install options are:

    1. Install Gnome Workstation
    2. Install KDE Workstation
    3. Install Server
    4. Install Custom
    So, more specialized install options is the trend. This is good. Also, install help is printed directly on the same screen as the options. Also good, pending useful help comments.

    I still believe Linux isn't there yet as far as the novice is concerned; perhaps not even close yet, but it's getting better fast.

  • Idea of different distribution is good,
    becouse on one side, office user doesn't need
    number of www servers, search engines and such
    and on other hand, guy who setting up headless
    www server to put on T1 line doesn't need KDE or
    Gnome, or even gimp.


    Debian already spans over five CD's (including
    non-free/non-US). I suggest even further splitting:

    • Linux -server (without X at all, with serial
      console as installation option)
    • Linux - office
    • Linux for mathematicans (with bunch of things like Octave)
    • Linux for geographers (with GRASS bundled)
    • etc, etc

    With such approach each of stripped-down versions
    would fit on one CD. Of course, there should
    be Linux complete which is mother of all problem-oriented distributions, and may be add-on
    CD-s which would allow to add missing packages
    to already installed system without getting
    whole thing (binaries can be ommited for this CD.
    If you have already running system with basic
    development tools, rebuilding package from source
    is only matter of time, but no need for purcashing
    separate cd for each type of processor can be
    winning)
  • There is definitely room for another flavor of Linux along these lines. Hiding root almost completely, is a good idea. Certainly a root password will be setup at install, but a large set of root capabilities could be handled by a small set of setuid root programs that ask for the root password to peform admin tasks. Packages could be installed by something like an setuid root install shield, which would ask for root's password to install the package system wide, otherwise the package would be installed in the user account if possible. Even better, the install shield should have a configuration screen which lets you pick which users have the priveledge to add and remove system wide applications. This would then be implemented via groups, file permissions, and setuid root, behind the scenes. Using this, root could really be reserved for only the most neccessary occations, and attempting to login as root could come with all sorts of warnings.

    Of course if you don't want all this hand holding, don't use it. This is Linux after all pick the flavor that fits you!
  • by Fastolfe (1470) on Monday September 13, 1999 @07:07AM (#1684963)
    I really can't imagine this being terribly complicated, but I would personally love to see a nice, graphical (or at least curses-based) installation program that behaved basically like this:

    1. Select a basic "personality" for this system:
    a. Server
    b. Workstation
    2. Select a starting configuration for this system:
    a. Minimal (most secure)
    b. Standard
    c. Custom (for experienced users or administrators only)

    You would then proceed to an application selection area, where you would pick some major configuration options (X Windows, Web Server, Mail Server, Games, etc.) and, if you picked Custom, an exhaustive sub-list of packages selectable with checkbox efficiency. Defaults would be pre-selected based on what "personality" you chose for the system.

    Basic daemon configuration would be taken care of at this time as well. If you chose to install the telnet daemon, you would be presented with a warning and an option to automatically refuse connections (firewall? TCP wrappers?) from Internet hosts. Repeat this procedure for things like sendmail, httpd, whatever.

    Daemon venders tend to like their packages shipped individually with everything "turned on", because in most cases, when the package is being installed, it's being installed by someone who's about to configure and *use* it. This is bad in the cases where someone is installing a new system, because they probably *won't* be jumping straight to the "configure and use" part. They'll install all of the packages and get to them "later." So, if we force them to make configuration decisions at *install* time, and build (or use pre-built) configuration files then, instead of the stock configuration files, the system ends up being much more secure with the user much more aware of what's been installed and how it's been set up.

    Along a similar line of thought, and perhaps this already exists, an extension of this installation program could be a graphical "autorpm" of sorts. A program that retrieves from the 'Net a list of updated packages (such as RedHat's updates), and either automatically makes the updates or at least notifies the user that updates are available (a la Windows Update). If the package uses a new configuration file format, a packaged utility should be included and run to convert the old configuration to the new, otherwise the user should be presented with a configuration dialog again to be sure the new package is ideally configured for the system. I've been the victim of several instances where an RPM "upgrade" *overwrote* the existing configuration file (though it did save a backup). In cases where the "default" configuration only differs from the user-specified configuration in that the default configuration is much less secure, the change might not be noticed immediately (or ever).

    I'd also like to see warnings where an installed/upgraded RPM is being installed on a machine that previously contained a self-installed copy of the same package. An example could be some HTTP daemon. A quick search for various httpd binaries could let the RPM's installation program know about previously installed copies of the package that weren't done via RPM's and warn the user (perhaps with the option of duplicating the old package's configuration files in the new setup).

    Anyways, these are just a few of my ideas, and it seems like we're starting to move in these directions, but the setup programs I'm seeing are just baby steps. Instead of just dropping everything and writing a totally user-friendly setup *system*, we're spending time writing stuff "in between," and I just don't think that's a very efficient way to do it.
  • Ahem... The Server, Workstation, or Custom installations.

    It hink Debian will do a better job a bout it. Since they allow you to pick a purpose for the computer, you can then know precisely what not to install.

    Imagine that... A user asks not what his/her/its/their computer can do, but ask what he/she/it/they want to do with his/her/its/their computer.

  • From all we have heard and seen, it seems Corel Desktop Linux trying to be exactly what the author is proposing.

    Of course, we will only know if that's the one when they release the distro. But the other distros would do well in taking a note from this article as well.

  • The author have a good point.

    All distribution should be secure at install, it should be up to the user to enable some ports, etc. If the user as enough knowledge to enable the ports he wants, he should have enough knowledge to make hes system secure.

    There is a liability issue with this, if a system is not secure out of the box, one could sue the distributor if another one break into the system. Unless the license agreement state that the distibutor shall not be responsible for this.

    One thing that all the distros should do, is to clean up the apps and command duplicates.

    Why when I install linux I have 3 or 4 word processor, 3 or 4 text editor, several web browsers, 2 or 3 administration utilities than have the same functions, etc.

    A default linux installation with most distos take at 500megs to 1gig. This is a lot more bloat that Windows9x/NT.

    Why also the installation wizard like Lizard can only be invoked at installation and I have to use another utilities when I add new hardware? There should be a way to invoke the installation wizard to update the configuration.

  • by Fastolfe (1470) on Monday September 13, 1999 @07:18AM (#1684970)
    Would reading a few paragraphs kill anyone?

    While reading the manuals is something we would *hope* everyone would do, time and experience has shown us that it just Won't Happen. We can't just say, "Well, dammit, you should have read the manual," over and over again. We have to build something that will work securely for those that *don't* read the manuals, because there will always be a significant percentage of users that simply won't.

    No amount of screaming, shouting, pasting of banners and throttling will get everyone to "clue up" and read about what they're installing, so we have to adapt the distributions so that they will still function for these types of people.
  • by Daniel (1678)
    Remember LinuxPPC? They gave out the root password and no-one could break in. If nothing is listening on any port it doesn't matter what root's password is. (even exim and so on can do this..deny connections to the SMTP port from anything but localhost. ipchains is your friend)
    Of course, what happens what the user types 'rm -rf /' is another story, but we're assuming that people who can't understand the concept of root won't be mucking around in a shell.. :-P
    Daniel
  • When it comes to security... less (packages) is more. But, it is a little hard for a former windows user to change to the unix methodology of adding packages.

    I say "upgrade" in the MS-context; it is really easy with MS to just re-install things... that's what their support is built on. BUT, it doesn't scare someone off from the idea that they can always install something at a later date... just as easily as they can now.

    I know, i know... there are packages to do it. RPM's aren't hard to use, and I know that there are some RPM GUI's out there, but the what would be nice for the newbies is to just stick that same distribution CD in, and get the whole list of packages, in the same format they saw in thier original install.

    One of things that is required for taking over the desktop...
  • Really, there is a ways to perform routine administrative tasks (such as adding new users)
    without being root. For instance on Solaris
    there are bunch of GUI tools, which require
    user only to be memeber of certain group to operate them (and they provide some idiot-proof).

    So, you can disable root password by default,
    and write defauit /etc/sudoers which would allow
    user, who perform installation to do almost everything as root. Including changing password.
    So when user come learns concept of root user,
    he just can say sudo passwd root and gain access.

    Or change root password in some GUIsh usertool or
    linuxconf.

    Note that you should never do normal work in kind
    of single-user. For instance I have a sister
    (who was total disaster in the time I run DOS on
    home machine and father. Both of them use my
    machine (from separate X terminals, but this doesn't matter). While they are working under
    their own names I can be sure that they wouldn't
    accidentely erase my files. But there was a case
    when I've accidentely erased 200Kb of fathers files (debugging Makefile for typesetting a book), so since that I have to teach them to use
    CVS if they want me to help with their projects.
  • While reading the manuals is something we would *hope* everyone would do, time and experience has shown us that it just Won't Happen. We can't just say, "Well, dammit, you should have read the manual," over and over again. We have to build something that will work securely for those that *don't* read the manuals, because there will always be a significant percentage of users that simply won't.

    How about this:

    We make a default install option which only installs user stuff (nice GUIs, eye-catchers, WWW browser, mail etc.) and no daemons and restrictive input IP firewall (so nobody from outside can connect to any priviledged ports or known unpriviledged ports).

    Users will select this, and be happy.

    For installing additional server packages, server package would need to contain some additional fields. Like questionary.

    So, when user (well, root user, actually) tries to install server package, it would be shown documentation, and then would be presented a few strategical questions. If user can't answer them, they are presented a choice wheather they want to read documentation again or quit.

    Of course, there would be expert option to auto-install packages from hand-made tag files on diskettes (like in RH, for example) so serious admins could install distros without any fuss, and that would be too much hand-work for typical user.
  • ...for all of us not quite yet, but wanna-be-gurus.

    ----------------

    "Great spirits have always encountered violent opposition from mediocre minds." - Albert Einstein
  • the security sometimes should be better, thing is the market is too wide and the demand for options too big... meabythere should b more distro's with the same ver. example: RedHat 6.0 desktop & "" i dunno... server... or something like that. is a good pt. tho
  • Red Hat can't package ssh, because they ship worldwide and ssh is defined as "strong cryptography" -- it is illegal to export strong crypto from the U.S. (And similar laws in other countries.) There's nothing (apart from local laws!) to stop you obtaining ssh yourself, from its home site [www.ssh.fi] or elsewhere, and some people do package it for the various distributions. Debian get round the problem by not including the export-controlled stuff in the standard distribution and telling people to go visit ftp.non-us.debian.org (or whatever it is, I don't remember for sure). Perhaps RedHat could include a user-friendly installer for ssh which would visit somewhere like ftp.export.redhat.com, download a (signed by RedHat) RPM and install it? >But really, does a home user even need telnet? Not most home users... I do, though. (well, I use ssh internally out of paranoia...)
  • I personally doubt it. The author mentioned that NT allready implemented / covered this issue with the release of a server & workstation version. IMHO this same example can be used to "proove" (you can never be sure IMO) that the idea isn't working...

    You are basicly trying to protect (clueless?) users from themselves. But being clueless as they are, do you really think that if you hand them 2 choices (full blown Linux / Linux Lite, safer for the newbie) they will actually choose the lite version? No way!

    Think about it; why are they installing/Linux in the first place? Most of these people are attracted towards Linux because a lot of people use it and it gets commonly known being 'a more stable OS then Windows'. Put differently; many feel it looks cool to have a copy of Linux on your computer. And what would look cooler; a full blown Linux or a lite version?

    IMVHO we are talking about the same people who are using Linux being root only dispite the fact its mentioned all over that you should not. The same people who are running NT Server on their PC because it can even do more things then a plain workstation. People who will not settle for a lite version even if they would benefit from it if they did

    Personally I would really like to see how many (beginning or want to be) users installed RedHat 6 as a workstation instead of a server.

  • Yes! That's an excellent suggestion. While I still think it would be possible to make a default installation of Linux that would set up a solid security for the most common configurations, it would be a good idea to create a specific distro of Linux that would be aimed at end users wanting an alternate OS.

    I mean; us hackers could still fall back to Debian, slackware or whatever, while end users could setup a stripped down version of Linux which would run word processor and other stuff while logging them automatically in single-user mode. I mean, for most people that's all they need.

    Linux still sees itself as a network OS, and until some extra effort is spent in making it darn easy to install and run on a single machine not connected to any LAN, it won't catch on completely. I mean, not everyone has a friendly Linux guru to set them up and give them the tour ('Well, you have to use 'ls'. Well, it's possible to use 'dir', but you need to alias it. Let me show you...' etc.)

    "There is no surer way to ruin a good discussion than to contaminate it with the facts."

  • It would be much simpler to give a special name to the lite version, and give a simple name like server to the server version. Any special name for the server version would be picked up by consumers as being "cool" and they would buy it on that name alone. We are trying for the opposite effect, naming the lower version to make it sound better.
  • OK, so if the user doesn't even know there's a root account (even though there will have to be), that means that they don't know what the root password is. Which means they didn't set it. Which means all the root passwords will be the same. Which means it's even a bigger security hole than it would be otherwise. Or am I just way off here?
  • > The 'secure' option should complement the > install. i.e. Secure Workstation, Secure Server

    You will also need 'Secure Internet workstation'
  • Sounds like a great idea
  • I have been thinking along these lines for some time. If World Domination (tm) is truly a goal, we have to recognize that a lot of users will never, ever, have the inclination of imaginative horsepower to understand administration activities. Not everybody likes recompiling their kernels or editing /etc/inetd.conf or...

    What to do? Give them a secure, stable, preconfigured setup they can browse the net and send mail from. Something you can set up for your grandmother, and it will just plain work. I am wondering who will get there first.
  • I wonder if it would be better for the existing distros to have a "secure" install option rather than just creating a separate distro altogether. (RedHat for example has "workstation" and "install" options; it should a "secure" option too.)

    Then again, a good separate commercial distro might be very good. There's probably enough security issues to merit a company just focusing on that, not to mention if they do it right they'll be proactive about finding security problems in Linux and feeding them back to the community.

    Personally I think it'd be nice if Linux took OpenBSD's path of concentrating on security, for example by auditing all code for security problems. But that doesn't look like it'll happen any time soon.
    ----------

  • As the article suggested, we should make a dumbed down installation.
    But from my experience (with redhat) it is very confusing.

    In redhat, if you choose workstation you agree to wipe out all of your HD.
    Obviously bad for multibooters which are most of the newbies today.
    Being that, these users are forced to choose their packages alone.
    The defaults in there are quite bad for newbies, and i expect the expert to twaek it's packages
    instead of a newbie that doesn't understand what he does.
    Then one has to choose his services, which is a disaster when people just choose all "because it can't hurt",
    or don't delete the unused defaults. (which are again quite bad, imho)

    The average newbie likes to go on his installation just by clicking ok on everything,
    so i think what must be done is to make it so.
    Caldera has an installation that makes it easy for users to click "ok" all the way through.

    Another thing is,
    newbies of one area are not newbies in another.
    Some newbies need to set their partitions, but have no idea what i daemon is.
    Some others don't know what partitions are but know what packages they want.
    There must be a way for newbies to "skip" only some choices, not all.

    Lastly,
    i think it is a bad bad bad idea not to explain root to users,
    or make their computer some non-multiuser version.
    this makes security worse. think win98.
    Users should understand multiuser enviroments,
    this is how linux works, and this is how it should work.


    ---
    The day Microsoft makes something that doesn't suck,
  • I dunno. I rather like dselect because it's good for what I do. (Then again, I know linux pretty well, and have been using it for going on five-six years).

    That said, using the debian core functionality would be an excellent way to implement this. Start off with basic install, use apt to get what you need to start off and no more, and most importantly have apt periodically update packages from dists/stable. Security flaws will "fix themselves" (or at least be fixed seamlessly and without needing too much user intervention) as Debian maintainers get around to patching and updating the relevant packages.

    Maybe the underlying distribution doesn't have to be debian, but Debian is well suited to this kind of automation.

    --
  • (1) Yeah, that would seem to be the best way to do things.

    (2) This doesn't seem like such a great idea. If all the services are set up correctly, there's no need to firewall the PPP device. If there's no telnetd running, a script kiddie can't telnet into your box. Rejecting incoming TCP connections would have nasty side-effects such as messing up IRC DCC transfers and ICQ messaging.

    (3) Definitely. New users should not be encouraged to set up an ftp/http/irc/telnet server during their initial install. They should get the OS running first, then worry about setting up services.
  • by Anonymous Coward

    ...

    What this article proposes is nothing less than the dumbing down of Linux. And his motivation?

    "We have to do it so all the drooling idiots will never have to think for themselves or learn about their computers!"

    The drooling idiots can keep their Windoze and MacOS, for all I care. I'm a Linux elitist and proud of it. I'm sick of the M$ myth that computers are easy to use. Computers are not always easy to use, and damnit people deserve to be honestly told that when they get into Linux. They need to be sat down and told: "Look, you're graduating off your training wheels now. There are fewer safeguards in your new OS. UNIX (and Linux, of course) have a philosophy called "leave enough rope", which means they give you the power to hang yourself by the neck if you ask for it. Don't think this is going to be easy. You have been granted great power and flexibility, but with it comes complexity."

    This will undoubtedly scare away some novices or lazy people, or people who just aren't interested in their computers except as a means to an end. This is all well and good and as it should be. M$ OSen are out there for people WHO DON'T WANT TO THINK. And personally, I'm not so worshipful of the Cult of Linux that I feel the need to turn everyone into a Linux junkie. Let there be diversity and many OSes. Let those who would willingly walk into the Gates of hell take their damnation in the form of bluescreens and Back Orifice [bo2k.com]. You asked for it, you got it! No pity for the masses. [amnin.com]

    ...

    Now, none of this is to say that shipping distros with better "out of the box" security is a bad thing. Precisely the opposite, in fact. Let's get real here, folks. Out of the new users coming into Linux now, the "second wave", (i.e., the typical users), how many of them will actually need a real mailer daemon running on their box?

    So does it make sense to ship with sendmail or POP/IMAP (both notorious security holes) enabled and running by default? I don't think so. Similiarly with webservers. If a user wants these daemons, they should set them up themselves.

    Yes, I can hear you saying "but those things are hard to set up!" Well, I have two replies for that. The first is: Yeah, damn right those things are hard to set up. There's a reason for that. It's so fools with incomplete understanding who don't want to take the time to enlighten themselves, don't mess with them. The other reply is: Yeah, damn right those things are hard to set up - and shouldn't we the open source community be doing something to fix that?

    I agree with main point of this article, which is that distros need to ship with tighter security. But I think the author is advocating better security for all the wrong reasons.

    -Ben

  • Here's a good start on how to secure a Linux Box:

    http://www.ecst.csuchico.edu/~dranch/LINUX/Trini tyOS.wri

    I'll say people don't have time to secure their OS. At 8pt Font, and 0.5" margins, the above is 164 pages ! How many Linux newbies are going to spend the time to read and secure their box?!

    The 'secure' option should complement the install. i.e. Secure Workstation, Secure Server
  • While I agree on the sickness of the dumbing down movement, and that it should be an installer option, not a seperate distro, it must be realized that the 'average' users as you called them, WANT dumbed down.

    Can you go to a school and go up to any windows/mac user, and expect them to even know what a daemon is, never mind what a port is, or even what an ip is? No, sadly, you can't.

    The 'average' user will have no idea what these little programs are that are running that magically give others the power to '0wn' their box.

    The fact is, people will install linux, get screwed over by script kiddies, and blame linux.
  • About a year ago I decided I was sick of being a windows luser. I am a programmer, and had had previous generic *nix experience so I was far from being inept. I, like many others, decided to take the easy approach and go with Red Hat (I was aware of the other distributions, but had it on good word from a Linux guru that I should start out with Red Hat).

    Most of the installation was pretty straightfoward...I knew my hardware specs and wasn't really phased by all the partitioning. However, the package installer was a **nightmare**. There was an absolutely humongous list of packages with undecipherable names that all had intricate dependencies on each other. "What is prl3.405.1? And why do I need it for tk103.4? What the hell is asdf4.21...and why does qwerty1.2.3 want it?" Since no clue was really given as to WHAT these things were, I was forced (after several attempts at a minimalistic install) to install a humongous amount of crap @350 MB.

    Now I used to be a DOS dork with a stupid 386. I knew every in and out of my system, and spent a lot of time tweaking. I liked to be able to understand and control everything. But the sheer amount of stuff I was required to install under Linux made this a bit daunting, and less than enjoyable. Sometimes there is such a thing as TOO much choice ;). Anyway, I kept Linux around for a while, until the real world problem of disk space came around.

    I would really, *really* like to switch to SOMETHING other than Windows. BeOS looks pretty nice too...I sort of like the idea of a clean start. If I do permanently switch to Linux it will probably be Debian, because I've heard their package handling is rather stringent. I'd also like GNOME and KDE to mature a bit, and see XFree86 get some of the performance enhancements in.
  • by haaz (3346) on Monday September 13, 1999 @07:29AM (#1684995) Homepage
    We (LinuxPPC Inc.) used to have a "lite" version of LinuxPPC R4, our old glibc-1.99 distro. Lite was a minor debacle..

    First, it was hard to install. I actually can't remember why at this point, but it rarely seemed to work.

    It was hard to figure out what needed to be in, and what people would want, and still give it a small footprint. The final cut was a 104 MB distro that could be installed into as little as 30 or 50 MB. But really, you can do that with R4 anyway. I installed from an R4 CD onto a Zip disk. I had Apache running, but no X. It was slow, but it worked!

    Then there was LinuxPPC Live, which was an all-in-one distro similar to the recently announced "DemoLinux". Live consisted of a big fat ramdisk.image.gz file and a bigger, fatter live.filesystem file.

    Now, the problem with Live was that to make it small enough to fit on demo CD-ROMs and Zip disks, we had to (again) do a lot of cutting, which made it semi-useless. You could set up a PPP dialup with netcfg (kppp was a buggy pile of junk at the time, and of no use). But, if you booted it off a CD, it took forever to boot, and it couldn't save any settings.

    Linux on PowerPC still has to contend with users who have HFS Extended formatted drives. HFS Extended, or HFS+, is a more efficient disk format than Apple's original HFS, the Heirarchical File System. (Anyone else remember MFS?) Most Macs now ship with HFS+ formatted HDs, and Linux can't boot from a live filesystem on an HFS+ disk.

    Live worked better than Lite, but only slightly. I never had problems with it (that is, it booted, it ran), but it just wasn't usable for much.

    The good news is that doing Live provided a lot of solid R&D ground for us to do our current release's installer on. LinuxPPC 1999 (and the new Q3) can boot right from the CD-ROM, into Linux, into X, and into the installer. And it's all under the GPL. C'mon, Caldera! You made such a big deal about releasing Lizard under a semi-open license.. let's see you go all the way. ;)

    Live as a standalone distribution isn't a totally dead concept, though. It's got a lot of merit, and it's served nicely as a proof of concept for the live filesystem. It's not perfect, definately not ideal for power users, but it's a good way to get people into Linux with a minimum of fuss.
  • Is it so hard to add a little bit of documentation to explain what these daemons do/used for, and why an average user does/doesn't need them? Either right on the computer screen or in the text manual. I haven't installed any newish versions in a while so I've no idea if they do any of this yet or not. I think this would be way more valuable than a separate installation that just hides these dameons from the user.

    My parents eyes glaze over when I talk about computers to them, but I know both of them are smart enough to read a few paragraphs that an installation program SHOULD have in order to understand, for the most part, what they're doing.
    Also, they know that they'd be better off in the long run to do a little reading so they have an idea 'what's going on' with the computer later on.

    The more information that the newbie can learn/understand, the better off we all are.
  • I agree that the user NOT knowing about root is patently BAD. At least tell the user that they must now enter a root password, AND WRITE IT DOWN, and DON'T FORGET.

    Couldn't this be fixed with RunLevels? Couldn't you just set up the box to boot into X under a certain user?
  • It's not always that bleak. At the University of Cambridge [cam.ac.uk] the computing service [cam.ac.uk] regularly scan the network [cam.ac.uk] using a variety of tools (including script-kiddie ones) and do their best to make sure that vulnerable machines are fixed.

    This isn't a perfect solution, of course, but it does mean that most of the exploits in common use won't work against most machines in Cambridge. There is also a site-wide firewall that is used to block some services that are regularly abused.

  • Yes, sort of.

    The phrase that I hate is: "And now, faithful readers, I shall commit the ultimate heresy. Windows NT is way out in front of Linux in dealing with this problem--at least in theory".
    Just how much netbios traffic does one get due to silly windoze lusers enabling netbeui/netbios and/or IPX/SPX traffic over their dialup connections?
    That alone is reason why linux is inherently "better" - at least some distributions come with an /etc/hosts.deny that blocks non-local or "PARANOID" incoming IPs, and install nmbd to run out of inetd. (I have Debian 'Potato' in mind, just before you ask...)

    NT is not hard to spot remotely, and not exactly hard either to crash or crack. nmap & search engines on "+NT +exploit"...

    As far as linux Lite goes, folks here are right - who on earth would buy a "Lite" edition?
  • A good place to start would be in the following two files:
    /etc/inetd.conf - Turn off the services you don't use.
    /etc/hosts.deny - Limit the IP address that connect to your machine.

    That'll keep most of the losers out. Remember that programs like sendmail and sshd, which are generally run as a daemon, and not from inetd.conf do not have the protection offered by hosts.deny. Well, there are man pages for both, so read up. :)

    Mike
  • Okay, that's a great solution, but what if your campus is run by morons? I mean, hypothetically. :)

    Suppose you're at some campus... M$U, for example. Their NT boxen-farm gets hacked as a waypoint for some script-kiddie, so that they'll be that much harder to trace. Of course he wipes the logs. The problem? He jumps through a Linux box on campus to get to the NT boxen. A Linux box owned by a well-respected (and technically proficient) RA, who missed one security upgrade, because he was out of town for a week. The script-kiddie subscribes to bugtraq, too. The script-kiddie punches in, and eventualy brings the wrath of a foreign nation's intel service down on the college. Apparently the script-kiddie knows his shit, and isn't so "1am3" after all.

    What's lame is that the RA gets kicked off campus, ethernet revoked, and a big black mark on his record (remember he was out of town for the week... in the middle of the woods with no internet connection, too).
    The Luddites on campus get their own security shamans to close all ports numbered higher than 100 or so. Close. Shut Down. SSH, Telnet, and web access, and that's it. No online gaming anymore, no ICQ anymore, no IRC anymore. Firewalls were discussed, and dismissed as "too difficult to implement."

    How did the Linux box get broken into? A backdoor having nothing to do with the higher ports. How did the NT box get broken into? Script-kiddie tools very commonly available... I had heard it was BackOrifice.

    (I'm sorry, it would have been BackOrifice... if this weren't a totally hypothetical case).

    The short of it is:
    What do you do when your network is run by folks who cut off their arm when they get a papercut on their shin?

    Since protesting doesn't work, how can I get full access back without hacking?

    Why does such a "big name" school not have "halfway intelligent" sysadmins who can make "well thought out" decisions?

    The answer? I'm up a creek until someone comes up with a better way to secure a network, and makes it easy to maintain. Even though most sysadmins are brilliant techies, there are many who are morons. Good security needs to let 99% of the well-meaining morons defend against 99% of the evil geniuses.

    Sigh... sorry about the rant.

    -jurph
  • Sigh... sorry about the rant.
    It sounds bad. I think we're quite lucky in Cambridge; the Computing Service is by and large very good.

    We have an interesting arrangement in the University as far as computing is concerned. The Computing Service provides central services (the city-wide network, a central mail store and switches, a central Unix service, printroom facilities, archive services, etc.), but the various Colleges and Departments (and the University administration) are all responsible for their own systems. It has the potential to get very confusing, but in practice seems to work very well.

  • Yes, you told a sad story, but an unencombered ethernet (i.e. no firewalls) really is a great learning exprence for lots of people. when I was a freshman we had this one guy on our hall who would hack us all the time. It was pretty funny. One day my roomate distracted him while I took a boot disk into his room and changed true to queue an at job to call him a dried up stinky dick licker. Ahh.. those were the days. Anyway, I'd recommend for schools to take a mostly hands off aproach to student personal computer usage. Maybe run the script kiddy tools against them and email the system's owner.. and maybe make recomendations for people to run a Linux Lite if such a thing exists in the near future.

    Jeff
  • Partitioning would be one of the last steps -- that way the partitioner can offer a minimum size.

    That is SUCH a good idea! Choose your packages and then be shown a virtual du of your potential directory tree. Then you could make intelligent decisions about how to partition.

    Are you distro makers listening?

  • Very cool, this is exactly what I was looking for! Thanks a million...

    Jon
  • This is what the bastille Linux distribution has in mind -- an Linux distro which a sysadmin can give out to his users to install, without worrying about a bunch of security updates, locking down daemons, and all the riff we all love to hate.

    http://www.bastille-linux.org/
  • I was just talking to someone about making a spinoff distro of Debian called "Snack Cakes", as in "Little Debian Snack Cakes". Or just "Little Debian". Of course, then we have the whole "Big Debian v. Little Debian"
  • Sure, and then they discover the data on the floppy somehow became corrupted. Or Sis had to use a floppy for her school project so she formatted it and walked off with it...

    It's not like without this stored password the root account is forever unavailable. I have a strong tendancy to forget my root password since I use the account so seldom. I therefore know how insecure any machine is when you actually have physical access to it. But having said that, this solution has a few big flaws.

  • (I am no expert, please bear with me ;-))

    IIRC inetd is turned on by default on Redhat. The newbie thinks "Great, Internet, I need that".
    Trouble is that /etc/hosts.allow and /etc/hosts.deny are empty and /etc/inetd.conf has turned on ftp and pop by default.

    I mean, what's the use of all those security updates and fixes if the worst holes are provided as an installation default? And with services like dynIP [dynip.com] the problem even gets much worse. In its current form Linux is pure dynamite in the hands of people that have no idea of how to smell the fuse.

    The author's proposal of having server and workstation editions will at least work for the sensible portion of new users. The rest will have to learn by error, I am afraid.

  • by ColonelNorth (71286) on Monday September 13, 1999 @07:51AM (#1685013)
    So you arrive at college to move your junk into your dorm room. You notice a little jack in your wall that is too big to stick your telephone plug into and see the word DATA above it. After asking someone, you find out that it's an Internet connection. Not only that, it's *Really* fast and always connected. A sence of freedom and superiority overcomes you as you think of all of your friends with little modems. You can't wait, and run to the bookstore to get the "Network startup kit."
    Opening your machine for the first time made you nervous, but after all, you have "ethernet" now, so you can't possibly go wrong. Magicly enough, Windows properly finds your new 3C509 and sets it up. You begin playing around with the network settings based on the little numbers you find on your dorm network setup paper. After a reboot, you fly into Netscape and get lost in the web, watching things come at you with blinding speed. But you want more.
    You meet this scruffy, withdrawn student down the hall. You know he's the resident computer guru, so you ask him what else you can do to have fun on the internet. He gives you a long hard look, not sure just how bright you are. Unknown to you, he has been evaluating your intellegence since day one, along with the rest of the incoming freshman. He sighs when he realizes you are the least annoying person in your pack. "Linux," he says. You turn to him with a quizical look on your face. He points you to linux.org and tells you to look around. You jump to it.
    Around 2 AM, your Debian install is complete. You had another hard drive lying around from when you had your machine upgraded, and an engineering major installed it and made it go. You choose debian because of the FTP install. You wanted everything to work without waiting, too impatient. Once it's set up, you leave your machine on as you go to bed. You logged out, and felt important doing so.
    The morning brings around the first day of classes. You give your friends your 'New' email address and brag about being able to get your own email without having to use the Campus system. You don't know or care how sendmail works. You know, however that it works, and that pine is rather nifty.
    As you walk in at night, exhausted from a full day of work and play, you hear your hard drive going a mile a second. You walk over to log in, and find your password changed. You're completely lost and have no idea what to do. You yank the magic cable out of the wall and turn off the machine. You remember that you can still boot to Windows, so you do. Ahh, safe, you sigh.
    A week later, the scruffy geek comes back to your room with your hard drive. He had taken it, at your request, to find out what had happened. He snorted, and asked you what business did you have running NCSA HTTPD. You shrugged. He looks over at the wall. He looks confused and exasperated. Unbenounsed to you, he's having a chicken and egg argument with himself. "He needs to learn before he can use this stuff. However, he can't learn without using Linux."
    He turns back to you. "Ok, I'll secure this system for you. However, this is a one time deal. I'll answer your questins, in brief, but I will not do anymore for you. Do you understand?" You nod. He returns your harddrive the next day. You're happy as a clam that everything, as far as you can tell, is just as you left it. What did he do? You let it escape your mind as you look at this neat thing called IRC.
    Two weeks later, your hard drive is wiped. Unknown to you, another daemon, this time sendmail, had a Cert advisory posted, and you pissed someone off on IRC. The wrong person.

    I hope you enjoied that little tidbit. This happens way too often. However, in reality, people's college boxes just become hideouts for script kiddies. I believe a condenced Linux Workstation would be extreamly useful. I wish I had one when I started. I, instead, was baptized by fire.

    Mike
  • There are two assumptions being made here that I am not sure are universally held.

    First, that "we" collectively want people who refuse to read documentation running Linux.

    Second, that "we" are striving for universal use of Linux.

    These are contrary to the things that drew me to Linux in the first place. I started using Linux (and reading /. and hanging out at #linux) because every illiterate monkey who considers himself a "computer expert" doesn't. The OS sucks less, and so does the community. Now there is this big push to get "every computer" running Linux. World dominance is a Microsoft value, not an open source value.

    I am not against making Linux (and associated software) easier to use, I am absolutely for it, but I am for making these things easier as one element of making them better. I am against making it easier to use at the expense of quality. I think that we need to be ever vigilant in this regard.

    "Is ease of use more important than quality?"
    "No. Quicker, easier, more seductive"
    "But how will I know good ease of use improvements from the bad?"

    You will know when your goal is making software better, not driving it on to every processor in the world.


    My $.02

    -Peter
  • This is what it is going to take to get Linux into the mainsteam.

    As much as we would all like everyone to RTFM, it will never happen. The "average" home computer user never will read the manual. He/She just wants to get on thier computer and have it work. They care about the *apps*, i.e. the browser, word processor, spreedsheet, etc. not the underlying OS.

    I know there have been times that I have installed RedHat or Slackware and really wanted the *easy* install option. Just press a button and go. It takes a while to configure and secure a box.

    When I first started messing around with Linux I didn't have to worry about security because I wasn't wired 24/7, and had to share a line with roommates. I had time to learn the systems ins and outs *then* not until the past few years have I had to start securing my box.

    You have to put yourself in their shoes. They want to use this wonderfull OS but first they gotta catch up on months/years of knowledge otherwise a bunch of script kiddies are going to take over my machine!! Not going to attract many people that way.

    Give them Linux Lite, let them learn by exploring, then they can start expanding their system and grow with it.

    ok enough ranbling... please excuse the spelling errors, it a Monday!!

  • "Why don't distros install ssh by default ?"

    Largely because "certain" countries don't want it that way, hence make it illegal to "export" reasonable crypto-enabled apps.

    Most distros attempt to appease these "certain" countries so they can be distributed from there, so they suck up by removing anything with reasonable crpyto. You want secure computing to be the norm? ... Write your legislator regularly to get ridiculous legislation changed.

  • "World Domination" is NOT a goal! The term arose from a comment Linus made *in jest* and some humor-impaired persons took it as gospel. :(
  • Where are my moderator points when I need them? :) This post truly needs to be a 5 minimum.

    However, this isn't solely a "me too" post, since I disagree with one point the AC made. An MTA is needed for most installations. Not only is it needed for outbound mail, but fetchmail sends to "localhost" by default.

    Hint: there is a reason RTFM became a cliche in the *nix world. People unwilling to learn shoudn't be on a powerful OS, they should remain in their various sandboxen.

  • I don't really agree.

    I know more than one person who felt that they
    wanted to install _everything_ on their workstation machine, so they wouldn't have a problem loading it on later if they wanted it later.

    One person actually started digging around researching how to get into the DNS with his spiffy new named. Not because he needed it, but because the "everything" install included it, and he assumed, in his newbieness, that he needed to use it.

    I'm somewhat tempted to do the same thing, but I don't. For example, if I installed a server machine without a news server, and later decided I wanted to make it a news server, you no longer have that slick GUI to load it in for you, you have to rpm and stuff. It's natural, under those circumstances, to be tempted to load in the news server just in case you might want it later.

  • Personally, I've been thinking about this and a few other things as well. The idea of a simple, secure, 'lite' distro is an alluring one, but as we've seen, there's no need for it to be an entire distro. What we need is for the installation options to be improved even further. One of the beauties about a linux distro is that every copy can be either a workstation or a server. What needs to happen is to continue to improve the installation programs. Linux installation programs could explain everything in a depth greater than we've seen in any previous setup util for any os, simply because of the massive amount of information available. An installation that could tailor exactly what is needed, based on computing need and experience, with a level of realtime help previously unheard of, is exactly what the os needs. With a tool like that, at the time of install, users would have a complete, powerful system, at startup. And there's no reason to have it stop there. Looking at SuSE's yast, I think we see the beginning of this process. But imagine a setup tool even more powerful and flexible, which could perform various types of automated updates, and search for information and help. It's a kind of killer meta-app, something that enables a user to take complete advantage of his system. I think the linux community has the basic elements already, and it's the only community that could provide anything like this in the near future.
  • This is not uniquely a Linux problem. Solaris, Irix, FreeBSD, etc come with a million services enabled by default. OpenBSD has it right--disable *everything*, and then turn things on specifically. The people who don't know what httpd and bind are don't need to run them. It's a simple as that. The people who do know what they are know not only if they need them, but how to turn them on or off.

    RedHat has a good start but it could be taken further--the installation does ask for a server or workstation setup. What it should do is make you specify "server" as part of the Expert setup--a parameter you pass to it when you begin the installation.

    The author raises a very important point--as "the masses" are becoming more and more interested in Linux, and it is becoming increasingly less rare for people to be using it, it behooves the distributors to create distributions that are secure by default. In fact, I can think of no reason not to create secure distributions under any circumstances. Especially with the newer, graphical control panel-type administration tools, where turning services on and off (like sendmail and http) is becoming point-and-drool easy.

    Is there any reason to have login, exec, rsh, wall, httpd, finger, and bind on the average workstation, even one connected to a network? Not really. Probably not at all; in these days of NIS and NFS, many services need only run on one centralized server.

    darren

  • One other thing which I don't see mentioned yet: I think this hypothetical single-user distribution would do well to tweak the multimedia settings (although just turning off all those default services might be enough to provide non-jerky video playback :)
  • HU? Every person I know of who doesn't know what ls does also doesn't know what dir does either. There are very few dos users anymore (this is a sad sad thing) and of them most atleast know enough unix to know ls and even a few process control functions.
  • Well put. The reason that Linux is a good operating system is that is like Unix. Unix at home can be a bit like flying a kite indoors to the savvy user; its power comes from the ability to have 100 luser accounts and one wise guru account... in that instance none of the user needs to be particularly familiar with the system, and it can be as user friendly as the admin makes it.

    There is no such category for the home user. You simply must be the wise guru person, or you should be running Be or something instead. The consequence of letting people water down the OS alarm me.
  • Yeah you know, I'm a Linux newbie and I agree with you. Although the author of the article makes a good point, it's just as easy to install Linux without all the "complicated sysadmin" stuff, and all that stuff's fun to mess with anyway : )
    Besides, Linux folks are very nice and helpful when newbies like me have a question. There's lots of support out there...nothing's all that difficult.

    miyax
  • Yeah it's the right idea, but RH doesn't implement it as well as they could, because the user's account has *no* rights to anything except /home/username. They can't mount their Windows partition or use files on it, they can't configure or install software packages, they can't even dial the modem or mount a cd-rom without logging in as root. That's why many users run as root all the time -- it's easier than figuring out permissions. chmod is not terribly intuitive, and I have yet to find an explanation of the numbers.

    A single-user workstation needs to, by default, let that user do most workstation tasks, just about anything except deleting the kernel or unmounting the swap partition.
  • I completly agree with you. Lets call it Ultra instead of lite.. hehe JK thats a bit far..
    Umm how bout Distribution Desktop
    or maby Distribution User Edition.

    (replace Distribution with your favorite distribution of course.. as in RedHat User Edition.)

  • The trouble with the LinuxLite suggestion is that it violates the architectural intent of Un*x, which is meant to be a networking, multi-user OS and is designed on those assumptions.

    People have already noted all of the problems with lacking a root password, etc. These are reflective of an underlying problem -- we are asking Un*x to do something it was never designed to do. Microsoft tried to take a 16-bit, single-user, single-tasking system and make it into a 32-bit, multi-user, multi-tasking OS -- and wasn't the result just grand?

    If you want a solid, nice-looking, single-user OS with GNU tools and good security, try MacOS or BeOS. I run Linux by preference, but I use Be and recommend it to inexperienced users who won't abandon their old x86 hardware :). Each system has its place.

    --

  • Stop the flame war, I have a point.

    This LinuxLite is Yet Another Option, and Linux has ALWAYS been about options, so don't yell that a trimmed version is evil, or foolish, or that people should all RTFM.

    Mainly, because yelling won't make them.

    His point is good and valid, and if following will bring us more linux users, then lets do it. The whole point is MORE. The evolution of the system is driven by numbers, and an uneducated linux user can only become one thing: a more educated linux user. But first, we have to get them on the system, and we have to get their resources to support the system.

    And there does need to be a LinuxLite ONLY Cd, because we want them to play with it, but we don't want them to hurt themselves, and we dont want to scare them (so no "Experienced users ONLY" options).

    If Linux is a tank, think of Linux Lite as the Poeple's Car (the Volkswagon). It is built around the same ideas, but is simple enough to be understood JUST by taking it apart, and is straightforward enough, that a newbie can put it back together.

    -Crutcher
  • yeah, try ALL: ALL
  • I use 'autorpm' to keep stuff updated. For background updates, it works fine, e-mailing me progress reports, but the interactive mode it uses to install new packages is just horrible. I haven't looked at the Mandrake-update program, but I suspect it behaves similarly.

    Additionally, it just uses RPM's upgrade facility. It would be very nice to have a global configuration mechanism so that one could configure a new package at install/upgrade time (or at least select from multiple pre-written configurations). There are already some efforts on global X-based configuration programs (dotfile I think might be one such effort), but it hasn't quite made its way into a large enough chunk of packages (it might not be flexible/powerful enough for large apps that have complex configuration systems, such as sendmail or Apache).
  • I am a little annoyed that so many people have the same attitude as you do towards software development, the "it wouldn't kill the user if..." attitude.
    Keep in mind that for most people, computers are tools, not toys. And why shouldn't software be dummy-proof just like other tools? Imagine if everytime you bought a new toaster or a new television you had to read a long manual, and then spend an hour or two setting it up, and then weeks or months learning how to use it!!
    Think about it. How many people do you know who say things like "I'd use computers more often, but I can't figure out how to boot the internet" or "I'll start using computers when the become easy to use". We need to start making software intuitive for the computer-illiterate!!
  • I've actually been interested in Mandrake for a while. I just hope their Linux distribution skills are a lot better than their grammar and spelling skills. :)
  • I think that the author's concerns could be addressed with probably a bit more work on Red Hat or Debian's part. With tools such as Linuxconfig, the ability to enable and disable demons is a mouse-click away. What naive users need is more information on just what they might need. I could see, for example, a naive user wanting a web server, but not an ftp site or a telnet server. A wizard-like interface that 1) explains what the capabilities of the software is 2) when you'd want to use it, and 3) what vulnerabilities it has would address the naive Linux user.

    The thing that I'd really like to see is some sort of automated security updates. What this would entail is a demon that hits the distribution's web site (using secure channels and authentication) to see if there are any "emergency" updates to packages. If there are, the system can go ahead and automatically upgrade, or prompt the user to upgrade, or whatnot. The user would, obviously, choose at setup time whether the demon runs, and whether they will accept the automatic upgrades.

    I know Mandrake has an update system that is invoked manually (I haven't tried it yet). A bit of an extension to the system could let you do these emergency security updates. Of course, sometimes upgrading a package is not fool-proof...

    With DSL and cable modems, I think more people are going to end up running not just workstations, but also servers. I don't consider myself a sysadmin by any stretch, but when I get my cable modem, I do plan on having a PC on the net 24x7 to act as a personal web server, maybe an FTP server, perhaps a MUD, etc. While I know enough not to run demons I won't be using, I also don't want to live in fear that a security hole will be found and a script kiddie with exploit it on my system when I've got my back turned (say, when I'm on vacation). An automatic update system would be helpful.

    Also, a security evaluation system would be handy, to determine if you have screwed up. The distros could encourage people to run these sorts of things on their PC's after they have set them up, to catch any of the obvious mistakes.

  • I submitted a suggestion like this as a RedHat bug (ID 134 [redhat.com]) awhile ago. The response was not exactly overwhelming.

    The RedHat workstation/server difference is helpful, but not enough. We need an option to install the RPMs but not start the services. And I think *all* listening ports (except maybe telnet) should be off by default.

  • I agree that the article is exemplary in it's suggesstion, but I don't think having a "stripped down" anything would be a good way to go...better still, have a distribution that would be setup by default with minimal requirements for users , but leave everything else available, but inactive, until users can figure out whoat it is, and how to use it properly. This might encourage some to do some more work, and build a better user.
  • How about Server and GUI for the identifiers? It's kind of silly to have X running on a serious server, and it's quite unnecessary as you can admin it remotely and it needn't even have a _monitor_. Conversely, what could be more attractive and appropriate to the lusermentality than choosing between 'unpretty' and 'GUI'? No way would most of them pick 'light' or 'restricted' but give them a choice between 'server' and 'GUI' and they will _leap_ on 'GUI' uttering cries of delight. It's all in how you phrase it. Problem solved.
  • Well yes, but more point was that the people who know what dir is over the past year or so of linux advocacy have learned atleast that much.. and usually have seen a shell prompt at some time.
  • Ok. So your hammer (you're not a proffesional carpenter are you?) will protect you from hitting your thumb? And keep you from bending nails as you hammer them in? Or mabe it refuses to hammer in nails at all, for fear you'll hammer them all the way through into the floor.

    Making things simple to use is great. And having a good, clean, secure base setup is extremely important.

    But the computer *is* a tool. And you have to know how to use any tool or you can't use it effectively. That's the flip side of this dumbing down business -- it discourages users from ever learning to use their computer effectively. This idea that you can have a powerful tool without risk is ridiculous. That users expect this is a mistake on their part. That system designers who should know better cater to this mistake is idiotic and shortsighted. You expect this sort of thing with comercial OS's, but OSS is supposed to be able to take the longer view.
  • Your Linux PC is not a toaster... Toaster = Gameboy Tetris (anyone who can't operate one isn't a fully functioning member of society)

    Video = N64 (most people can get it to work, but they don't know how or why it does what it does)

    Private Aircraft = Linux PC (anyone can be taught to fly one, but they may need constant supervision, and they're pretty likely to crash it)

    Society doesn't always handle tech well (the idea that everyone should be encouraged to operate 100kph 1000kg machinery in populated areas is just craziness, and it's a tribute to human ingenuity that we've made it as safe as it is to drive a Car)

    Today's attitude to computers (Uh, I deleted it, how do I get it back?) is just a less extreme example of this in action, and I think it's pretty sad to Dumb Down Computers just to let people be more lazy...

    That said, I support the idea that Out-of-box Linux should not be set up as a fully-daemonized Unix if it's intended for desktop users, if you really NEED an SMTP server you can read the paragraph which tells you how to activate the damn thing.

    Nick.

  • OK I'm going to go under the assumption that by "people like you" you are of course not literally referring to me. If I'm wrong in making that assumption, please let me know so that I can respond in a more direct fashion.

    ---

    If they can't be bothered to learn about the software they want to use, we don't need them.

    This is *not* the attitude to take. If we continue to cater only to the technically savvy, Linux will remain a niche operating system used only by the technically savvy. Its growth will slow, and fewer people will be interested in learning to use it.

    The current trend for computers and operating systems is for intelligent, autonomous simplicity. Some people call it "dumbing the PC down", others call it "creating an intuitive user interface." The types of people that need these interfaces are going to be the types of people that have the hardest time manually editing configuration files and "learning" an operating system's internals. These are the consumers. These are the people that make up the vast, vast majority of the operating system market, and if these people are unable to make use of an operating system that is unable to present configuration options in an intelligent, simple way, that operating system will lose market share and remain in a niche market forever.
  • Yes, there's probably not a real reason to have a lot of the 'default' daemons running - especially for the average user, and yes, Linux should install fairly securly by default, but one have seperate versions ala workstation and server? I don't think so. The installation program should be able to handle a lot of this - and, I personally, believe the user should have some clue what's going on- that may require some reading and understanding on what the installation program is asking. Would reading a few paragraphs kill anyone? Perhaps it would be nice to coddle new users with a 'dumbed' down version of Linux, but why not try to get the user to learn a little bit - that way there's a more intelligent userbase to work with.

    It seems that way too many things are 'dumbed' down or over-simplified for the 'average' user - it makes me sick.
  • Dispite the general distain towards the folks, this seems like a great place for RedHat to come into play. For most newbies coming into the flux, they know of RedHat, they might even trust RedHat. So why not have a RedHat Lite? Cost less mayhap, perhaps it just comes on another CD in the standard install. Or just have a "presets" menu in the installer that has such things as "Secure", "Web Server", some pregrown installs that'll all work peachy.

    Supurb idea, and an absolutly needed before Linux can be for the average folk.
  • by Anonymous Coward
    debian comes with a default hosts.deny file of ALL : PARANOID. That way, if you want an inetd controlled service open to anyone, you have to explicity open that service. More distributions should follow this lead.
  • I think that this issue will become more important as we get away from PPP and move towards cable and dsl. The person who wrote this article was fortunate because he realized that someone was logged into his machine, but if the average user walks away from his/her machine at home, then Bad Things can happen without the user knowing it

    All computer users need to be made more aware of security issues, including those running Windows. I have a friend with a cable modem, and just for fun one day he decided to see how many Windows shares were available to him on his network. He was able to get, among other things, someone's tax return because of a share that user left open.

    Ouch.
  • by Paul Crowley (837) on Monday September 13, 1999 @06:45AM (#1685070) Homepage Journal
    The basic idea is hard to fault. A few caveats:

    (1) There's no need for entirely separate distributions: a radiobutton selection in the install dialog about whether you want the default desktop edition or something fancy would do.

    (2) Firewalling the PPP device by default would help. A *lot*. Just bar incoming TCP connections and most other stuff and a lot of script kiddies get shown the door.

    (3) The biggest helper would be if these distributions installed fewer packages! I've installed Debian umpteen times, and I've grown to loathe dselect. The best thing would be for distributions to install a minimum set of recommended packages at install time, enough to get online and browse the Web and read mail and news, and then let them get used to it. Another day, they can learn about making Web servers available and suchlike: a simple, secure base would be an excellent place to start.
    --
  • yeah, i scratched my head wondering the same thing. How about this? When you insert a blank floppy to create a boot disk, it assigns a randome string as the root password and saves it on the boot floppy. Then, when the new user finally gets around to doing something that needs root, like installing an RPM or something, the manual tells them to insert the boot floppy and then something semi-automated comes up to prompt them to enter a root password?

  • This is a very good idea. Forthwith, a few thoughts:

    The users do need to know that there is a root account, and know the password. They need to be educated at least to the extent not to stay logged in as root. Many NT users have been able to grasp this; Linux users should, too. And as someone already pointed out, otherwise there will be known default root passwords, which is a Bad Thing, Man (tm).

    In reality, all distributions should come with the default configurations a bit more secure. Maybe not to the level of extreme paranoia, but to a reasonable degree. Let's be honest, we sysadmins aren't perfect (although we want our users to think so). It's possible that we could forget to configure something when installing a new system, or erroneously assume that some option is already set in a secure manner when in fact it's not.

    This will have another, non-technical effect. Once the mainstream media picks up on such a distribution or effort, that's going to entice more users (and corporate managers) to consider it a viable desktop option. I'm all for users learning more about what they're doing, but I've met too many customers who asked me, "What's 'double-click' mean?" to believe that this could ever happen.

  • by Bruce Perens (3872) <bruce@perens.com> on Monday September 13, 1999 @09:00AM (#1685077) Homepage Journal
    Debian and Red Hat already support installing a system without network servers, or with only the network servers you ask for. On Red Hat this is one check-box, not a big deal to do. If you install a system that way, there isn't really anything different from a system that's "optimized" for the single-user desktop.

    The author seems a bit systems-administration-naive to think that you'd have to design a special distribution just for this.

    Bruce

  • ... Almost!

    Mandrake has the main install categories (server, workstation and custom), but not the subcategories.

    The package categories are almost like it.
    And it has Mandrake-update: You start it, it fetches the list of mirrors of the FTP site, let's you select one, then fetches the list of RPMs to update, you select the ones to get, it downloads and installs them, and you're set.

    Now, they're preparing the next incarnation, we can suggest this to them, it shouldn't be hard to implement.

    "Now you can see that evil will triumph, because good is dumb!"
  • by stevew (4845) on Monday September 13, 1999 @06:51AM (#1685095) Journal
    First - I agree with the author. Why does
    should a system come out of the box running
    httpd, ftp, or whatever?

    The OTHER problem that stops us from
    world domination is the GUI! X can be
    impossible to get working - especially
    on newer hardware(My EOne for example)

    A couple of days ago there was an announcement
    here of yet another distro that takes care
    of one issue: http://www.demolinux.org

    This distro runs exclusively off of a CDROM -
    you can take linux to any machine! One of the
    tricks they pulled that got it to run on my
    EOne that neither the latest RH, Mandrake, or
    Suse could do was bring up X! They used the
    new Frame Buffer server. It isn't accelerated
    but it works GREAT! So if the demolinux
    people were to go a step further and tighten
    up their system to not have a large number
    of separate demons running - we might be
    pretty close to what the author was asking
    for! (Actually haven't looked at what
    demons they HAVE enabled on this distro -maybe
    it's already there?)

    Steve
  • And don't just restrict this to a standalone desktop issue, either. What I'd like to see (since it's what I need right now) is a distribution that specifically sets up only those services needed for a home/office internet gateway (and possibly SMB file and print server, too).

    Most distributions should be geared specifically toward a specific usage profile -- very few distributions should be the "general purpose" setup for tweaking by experts. From a business standpoint, give the consumers a tool they can use easily -- turn-key solutions are what seem to be wanted by the general public (as opposed to the subset of people who like to tinker around with their systems).

  • by messman (32358) on Monday September 13, 1999 @06:54AM (#1685099)
    What is really needed is a good distro that takes care of installing everything properly. Most distros are just focusing on showing nice installation menus and all that crap. The current trend seems to have forgotten what's important and what's not. Distros are sending new users the wrong message: it seems to be more important to have a flashy and colorful desktop than a robust and secure box.

    While I understand they do it to attract Windows users it is becoming a very dangerous game. The solution is not going even further the Windows way, as the article suggests. The only real solution is that the distributions stop focusing on copying Windows styles, looks, feels, sounds, etc. and start focusing on these points:

    • Good comprehensive documentation, including overviews and guides to the software they distribute. Besides all generic documentation which comes with a package there is a need for each distribution to explain what is included and why, how the packages included will help the user, and which packages should a user install to accomplish what she needs.
    • An installation system which educates the user at the same time it installs the packages. It should guide users so that they choose the installation which best fits their needs, avoiding the current install everything approach.
    • A good admintool which takes care of all the tedious system administration tasks in an unobtrusive way. It should perform all necessary security checks and monitor the system periodically.
    Of course, these are the ultimate goals and it would take time to reach them. However, while some distros are at least partially working on similar projects, most are not. If new Linux boxes are insecure it is the distros fault. No doubt about it.
  • red hat lite is a great idea but the funny thing is that if you market something as "lite", you expect less features for less price. great for most products unless your product is support (a la redhat & every other linux distribution) red hat should be charging more for a red hat lite because the newbies are the ones requiring the most tech support.
  • I supppose I was trying to refute the comments about "the typical user" when I started to reply to this, but now I have to say that I'm in agreement.

    I started my time with Win 3.1, and tweaked that to death, then moved on to Win95 and played with that for a time. Up until this time, I had been your typical user, unwilling to dig too much further.

    My experience with NT over the years has taught me some valuable lessons.

    * I have a user account on my machine instead of logging in as the Admin. I've set up the desktop and start menu on the Admin account with items aimed at administration [doh].

    * I set whatever services I may run to manual, so that I use them only when needed.

    * The C: partition is for the OS and programs only. All data is on the D: or subsequent drives.

    I'll be damned if that isn't the successful recipe for a Linux box as well.

    I'd have to say the first few chapters of the Red Hat manual were invaluable, and ought to be required reading. It isn't that difficult. And if you're not careful, you just might learn something.
  • "Nobody" may need to be concerned about security if your computer is never plugged into a network such as the internet.

    However, as soon as you dial up your ISP, not to mention connect a cablemodem, you would be well advised to be concerned with security.

    Even if you have nothing but valueless games on your personal computer, a malicious cracker can still make use of it as a depot for warez and pornography, and they can also use your computer as a launching pad for attacks on other systems. Some people will try and damage your computer simply because you live in (insert your country here).

    How would you like it if your computer was seized by the feds for evidence because a malicious person used it for illegal purposes?

    Everyone who is part of an worldwide electronic community should be aware of security (and privacy) issues. You don't have to be a security expert, but you should at least go in with a cautious attitude. In the end, you are responsible for yourself.
  • I mean in Windows the big deal is *poof* its there and its helped me. I mean if we ever want to survive this war the answer is standards, standards , standards. We need to have a better installation precedure, not just for the distro, but say for Quake3 , if i'm the average user I want installation to be simple. I mean do I really need a 12 step procedure, including mounting a cdrom changing up directories, copying the windows "content" files to the right place, downloading the linux binary, etc. AWW! This should be point and click, a BOOM your there. This should all be standardized too. What are we doing worring about the correct definition of open source so we can scold someone who doesnt do it exactly right, or having flame wars of Linux vs. xBSD? Lets make all our shit work together, and make it easier for the rest of us.


    sorry about any errors,
    rob
  • Redhat has been asking users whether they want a server, workstation, or custom installation for a while now. Anyone know the specifics between the server and workstation. I fear it may only be Gnome/Kde or no Gnome/Kde; but hopefully it rips out sendmail and some other nasty daemons.

    What would really be appropriate is if distributions could package in ssh, but then we run into export problems - i assume, only because I know redhat doesn't come with ssh - but maybe that's the ssh people being uncooperative. But really, does a home user even need telnet?

    Joseph Elwell.

Real programs don't eat cache.

Working...