Linux Lite? 170
smock writes "An interesting (and, IMO, excellent) suggestion is over at Linux Journal. " Essentially, an argument for better opening security, given the lack of experience of many new Linux users.
This discussion has been archived.
No new comments can be posted.
Linux Lite?
Related Links Top of the: day, week, month.
A morsel of genuine history is a thing so rare as to be always valuable. -- Thomas Jefferson
Re:No Root? (Score:1)
No, you're absolutely right. But, there are a few solutions. First, they could do something involving the serial number on the CD it came on; then, the "now you're ready to be root" section of the manual can say how to use it. Or, you could cast root as something other than an ordinary account, e.g. with a prompt sequence like: "What do you want your username to be? And its password? Now, make up a super-secret emergency password, different from the first one, and type it here: ..." There are a lot of ways you could get a root password unique to the machine such that the "dumb user" doesn't really know what to do with it until they are no longer just a dumb user.
perfect sense (Score:1)
Re:No Root? (Score:1)
Re:No Root? (Score:1)
Re:No Root? (Score:1)
Cases for improvement (Score:1)
Most of the free unices are just that, FREE, how many many of us are prepared to pay somebody or some group to provide clear and coherent documentation of the different tweaks and customisations that exist and are frequently required by the different unices even at kernel level before you even start talking about ports.
To even attempt this task would require the setting in place of some kind of standard that will inevitably limit the flexibility of offerings
Whilst this flexibility itself is both a strength and weakness, I would resist an attempt to change or impose some additional framework upon it that might reduce the variety of tools available to me.
Re:No Root? (Score:1)
Certainly you _could_ be lazy and do it that way.
But you could equally have the root password indivuidually tailored with each copy of the distro. You know - "root password is on the sticky label inside the front cover of the manual"
kind of thing...
Re:not necessarily a good idea (Score:1)
Although Microsoft badge them as different products - the code is still the same, it's just installed differently. In NT 3.51 you could turn Workstation into server just by altering a registry key. You can do the same in NT 4.0, but you need to kill off a magic thread in the OS which modifies this key if it detects you changing it!
The install program here oculd install the dumbed down version of linux by default - but if they bothered to the read the manual they could find out that if you did "blah blah blah" you got all the really cool server stuff, and a big shove towards the rest of the manual.
Re:Install less, and use firewalls (Score:1)
I've installed debian more than a few times too. dselect really needs some work. Like maybe a complete re-write...
Re: Package **Nightmares** (Score:2)
I discovered (although only recently) that hitting F1 from the dialog where you "choose individual packages" produces at least a semi-helpful description of the particular package. (Actually the contents of the description contained in the RPM package.)
Anyway, I believe RedHat's install is getting better. I fiddled with Lorax (the RH6.1 beta) a little this weekend and I think that the new graphical install will be quite nice when they get it working correctly. Also, the new install options are:
- Install Gnome Workstation
- Install KDE Workstation
- Install Server
- Install Custom
So, more specialized install options is the trend. This is good. Also, install help is printed directly on the same screen as the options. Also good, pending useful help comments.I still believe Linux isn't there yet as far as the novice is concerned; perhaps not even close yet, but it's getting better fast.
Becouse they are alredy too large (Score:1)
becouse on one side, office user doesn't need
number of www servers, search engines and such
and on other hand, guy who setting up headless
www server to put on T1 line doesn't need KDE or
Gnome, or even gimp.
Debian already spans over five CD's (including
non-free/non-US). I suggest even further splitting:
console as installation option)
With such approach each of stripped-down versions
would fit on one CD. Of course, there should
be Linux complete which is mother of all problem-oriented distributions, and may be add-on
CD-s which would allow to add missing packages
to already installed system without getting
whole thing (binaries can be ommited for this CD.
If you have already running system with basic
development tools, rebuilding package from source
is only matter of time, but no need for purcashing
separate cd for each type of processor can be
winning)
Good idea. (Score:2)
Of course if you don't want all this hand holding, don't use it. This is Linux after all pick the flavor that fits you!
The installation program I'd like to see (Score:4)
1. Select a basic "personality" for this system:
a. Server
b. Workstation
2. Select a starting configuration for this system:
a. Minimal (most secure)
b. Standard
c. Custom (for experienced users or administrators only)
You would then proceed to an application selection area, where you would pick some major configuration options (X Windows, Web Server, Mail Server, Games, etc.) and, if you picked Custom, an exhaustive sub-list of packages selectable with checkbox efficiency. Defaults would be pre-selected based on what "personality" you chose for the system.
Basic daemon configuration would be taken care of at this time as well. If you chose to install the telnet daemon, you would be presented with a warning and an option to automatically refuse connections (firewall? TCP wrappers?) from Internet hosts. Repeat this procedure for things like sendmail, httpd, whatever.
Daemon venders tend to like their packages shipped individually with everything "turned on", because in most cases, when the package is being installed, it's being installed by someone who's about to configure and *use* it. This is bad in the cases where someone is installing a new system, because they probably *won't* be jumping straight to the "configure and use" part. They'll install all of the packages and get to them "later." So, if we force them to make configuration decisions at *install* time, and build (or use pre-built) configuration files then, instead of the stock configuration files, the system ends up being much more secure with the user much more aware of what's been installed and how it's been set up.
Along a similar line of thought, and perhaps this already exists, an extension of this installation program could be a graphical "autorpm" of sorts. A program that retrieves from the 'Net a list of updated packages (such as RedHat's updates), and either automatically makes the updates or at least notifies the user that updates are available (a la Windows Update). If the package uses a new configuration file format, a packaged utility should be included and run to convert the old configuration to the new, otherwise the user should be presented with a configuration dialog again to be sure the new package is ideally configured for the system. I've been the victim of several instances where an RPM "upgrade" *overwrote* the existing configuration file (though it did save a backup). In cases where the "default" configuration only differs from the user-specified configuration in that the default configuration is much less secure, the change might not be noticed immediately (or ever).
I'd also like to see warnings where an installed/upgraded RPM is being installed on a machine that previously contained a self-installed copy of the same package. An example could be some HTTP daemon. A quick search for various httpd binaries could let the RPM's installation program know about previously installed copies of the package that weren't done via RPM's and warn the user (perhaps with the option of duplicating the old package's configuration files in the new setup).
Anyways, these are just a few of my ideas, and it seems like we're starting to move in these directions, but the setup programs I'm seeing are just baby steps. Instead of just dropping everything and writing a totally user-friendly setup *system*, we're spending time writing stuff "in between," and I just don't think that's a very efficient way to do it.
It's already there. (Score:1)
It hink Debian will do a better job a bout it. Since they allow you to pick a purpose for the computer, you can then know precisely what not to install.
Imagine that... A user asks not what his/her/its/their computer can do, but ask what he/she/it/they want to do with his/her/its/their computer.
Isn't this what Corel is trying to do? (Score:1)
Of course, we will only know if that's the one when they release the distro. But the other distros would do well in taking a note from this article as well.
Remove duplicate commands/apps (Score:2)
All distribution should be secure at install, it should be up to the user to enable some ports, etc. If the user as enough knowledge to enable the ports he wants, he should have enough knowledge to make hes system secure.
There is a liability issue with this, if a system is not secure out of the box, one could sue the distributor if another one break into the system. Unless the license agreement state that the distibutor shall not be responsible for this.
One thing that all the distros should do, is to clean up the apps and command duplicates.
Why when I install linux I have 3 or 4 word processor, 3 or 4 text editor, several web browsers, 2 or 3 administration utilities than have the same functions, etc.
A default linux installation with most distos take at 500megs to 1gig. This is a lot more bloat that Windows9x/NT.
Why also the installation wizard like Lizard can only be invoked at installation and I have to use another utilities when I add new hardware? There should be a way to invoke the installation wizard to update the configuration.
Re:not necessarily a good idea (Score:5)
While reading the manuals is something we would *hope* everyone would do, time and experience has shown us that it just Won't Happen. We can't just say, "Well, dammit, you should have read the manual," over and over again. We have to build something that will work securely for those that *don't* read the manuals, because there will always be a significant percentage of users that simply won't.
No amount of screaming, shouting, pasting of banners and throttling will get everyone to "clue up" and read about what they're installing, so we have to adapt the distributions so that they will still function for these types of people.
LinuxPPC (Score:1)
Of course, what happens what the user types 'rm -rf
Daniel
Make "Upgrading" easier (Score:1)
I say "upgrade" in the MS-context; it is really easy with MS to just re-install things... that's what their support is built on. BUT, it doesn't scare someone off from the idea that they can always install something at a later date... just as easily as they can now.
I know, i know... there are packages to do it. RPM's aren't hard to use, and I know that there are some RPM GUI's out there, but the what would be nice for the newbies is to just stick that same distribution CD in, and get the whole list of packages, in the same format they saw in thier original install.
One of things that is required for taking over the desktop...
Re:No Root? (Score:1)
without being root. For instance on Solaris
there are bunch of GUI tools, which require
user only to be memeber of certain group to operate them (and they provide some idiot-proof).
So, you can disable root password by default,
and write defauit
user, who perform installation to do almost everything as root. Including changing password.
So when user come learns concept of root user,
he just can say sudo passwd root and gain access.
Or change root password in some GUIsh usertool or
linuxconf.
Note that you should never do normal work in kind
of single-user. For instance I have a sister
(who was total disaster in the time I run DOS on
home machine and father. Both of them use my
machine (from separate X terminals, but this doesn't matter). While they are working under
their own names I can be sure that they wouldn't
accidentely erase my files. But there was a case
when I've accidentely erased 200Kb of fathers files (debugging Makefile for typesetting a book), so since that I have to teach them to use
CVS if they want me to help with their projects.
The *REAL* sollution (Score:1)
How about this:
We make a default install option which only installs user stuff (nice GUIs, eye-catchers, WWW browser, mail etc.) and no daemons and restrictive input IP firewall (so nobody from outside can connect to any priviledged ports or known unpriviledged ports).
Users will select this, and be happy.
For installing additional server packages, server package would need to contain some additional fields. Like questionary.
So, when user (well, root user, actually) tries to install server package, it would be shown documentation, and then would be presented a few strategical questions. If user can't answer them, they are presented a choice wheather they want to read documentation again or quit.
Of course, there would be expert option to auto-install packages from hand-made tag files on diskettes (like in RH, for example) so serious admins could install distros without any fuss, and that would be too much hand-work for typical user.
Excellent idea... (Score:1)
----------------
"Great spirits have always encountered violent opposition from mediocre minds." - Albert Einstein
default security on distro's (Score:1)
Re:Redhat installation. (Score:1)
Nice plan but wil it work? (Score:1)
You are basicly trying to protect (clueless?) users from themselves. But being clueless as they are, do you really think that if you hand them 2 choices (full blown Linux / Linux Lite, safer for the newbie) they will actually choose the lite version? No way!
Think about it; why are they installing/Linux in the first place? Most of these people are attracted towards Linux because a lot of people use it and it gets commonly known being 'a more stable OS then Windows'. Put differently; many feel it looks cool to have a copy of Linux on your computer. And what would look cooler; a full blown Linux or a lite version?
IMVHO we are talking about the same people who are using Linux being root only dispite the fact its mentioned all over that you should not. The same people who are running NT Server on their PC because it can even do more things then a plain workstation. People who will not settle for a lite version even if they would benefit from it if they did
Personally I would really like to see how many (beginning or want to be) users installed RedHat 6 as a workstation instead of a server.
Yes! (Score:2)
I mean; us hackers could still fall back to Debian, slackware or whatever, while end users could setup a stripped down version of Linux which would run word processor and other stuff while logging them automatically in single-user mode. I mean, for most people that's all they need.
Linux still sees itself as a network OS, and until some extra effort is spent in making it darn easy to install and run on a single machine not connected to any LAN, it won't catch on completely. I mean, not everyone has a friendly Linux guru to set them up and give them the tour ('Well, you have to use 'ls'. Well, it's possible to use 'dir', but you need to alias it. Let me show you...' etc.)
"There is no surer way to ruin a good discussion than to contaminate it with the facts."
Re: Red Hat Lite (Score:2)
No Root? (Score:2)
Re: Securing Linux (Score:1)
You will also need 'Secure Internet workstation'
I like it (Score:1)
Wonderful Idea (Score:2)
What to do? Give them a secure, stable, preconfigured setup they can browse the net and send mail from. Something you can set up for your grandmother, and it will just plain work. I am wondering who will get there first.
New distro vs. install option? (Score:2)
Then again, a good separate commercial distro might be very good. There's probably enough security issues to merit a company just focusing on that, not to mention if they do it right they'll be proactive about finding security problems in Linux and feeding them back to the community.
Personally I think it'd be nice if Linux took OpenBSD's path of concentrating on security, for example by auditing all code for security problems. But that doesn't look like it'll happen any time soon.
----------
My Experience with such defaults (Score:1)
But from my experience (with redhat) it is very confusing.
In redhat, if you choose workstation you agree to wipe out all of your HD.
Obviously bad for multibooters which are most of the newbies today.
Being that, these users are forced to choose their packages alone.
The defaults in there are quite bad for newbies, and i expect the expert to twaek it's packages
instead of a newbie that doesn't understand what he does.
Then one has to choose his services, which is a disaster when people just choose all "because it can't hurt",
or don't delete the unused defaults. (which are again quite bad, imho)
The average newbie likes to go on his installation just by clicking ok on everything,
so i think what must be done is to make it so.
Caldera has an installation that makes it easy for users to click "ok" all the way through.
Another thing is,
newbies of one area are not newbies in another.
Some newbies need to set their partitions, but have no idea what i daemon is.
Some others don't know what partitions are but know what packages they want.
There must be a way for newbies to "skip" only some choices, not all.
Lastly,
i think it is a bad bad bad idea not to explain root to users,
or make their computer some non-multiuser version.
this makes security worse. think win98.
Users should understand multiuser enviroments,
this is how linux works, and this is how it should work.
---
The day Microsoft makes something that doesn't suck,
Loathing dselect (Score:2)
That said, using the debian core functionality would be an excellent way to implement this. Start off with basic install, use apt to get what you need to start off and no more, and most importantly have apt periodically update packages from dists/stable. Security flaws will "fix themselves" (or at least be fixed seamlessly and without needing too much user intervention) as Debian maintainers get around to patching and updating the relevant packages.
Maybe the underlying distribution doesn't have to be debian, but Debian is well suited to this kind of automation.
--
Re:Install less, and use firewalls (Score:3)
(2) This doesn't seem like such a great idea. If all the services are set up correctly, there's no need to firewall the PPP device. If there's no telnetd running, a script kiddie can't telnet into your box. Rejecting incoming TCP connections would have nasty side-effects such as messing up IRC DCC transfers and ICQ messaging.
(3) Definitely. New users should not be encouraged to set up an ftp/http/irc/telnet server during their initial install. They should get the OS running first, then worry about setting up services.
For all the wrong reasons. (Score:2)
What this article proposes is nothing less than the dumbing down of Linux. And his motivation?
"We have to do it so all the drooling idiots will never have to think for themselves or learn about their computers!"
The drooling idiots can keep their Windoze and MacOS, for all I care. I'm a Linux elitist and proud of it. I'm sick of the M$ myth that computers are easy to use. Computers are not always easy to use, and damnit people deserve to be honestly told that when they get into Linux. They need to be sat down and told: "Look, you're graduating off your training wheels now. There are fewer safeguards in your new OS. UNIX (and Linux, of course) have a philosophy called "leave enough rope", which means they give you the power to hang yourself by the neck if you ask for it. Don't think this is going to be easy. You have been granted great power and flexibility, but with it comes complexity."
This will undoubtedly scare away some novices or lazy people, or people who just aren't interested in their computers except as a means to an end. This is all well and good and as it should be. M$ OSen are out there for people WHO DON'T WANT TO THINK. And personally, I'm not so worshipful of the Cult of Linux that I feel the need to turn everyone into a Linux junkie. Let there be diversity and many OSes. Let those who would willingly walk into the Gates of hell take their damnation in the form of bluescreens and Back Orifice [bo2k.com]. You asked for it, you got it! No pity for the masses. [amnin.com]
Now, none of this is to say that shipping distros with better "out of the box" security is a bad thing. Precisely the opposite, in fact. Let's get real here, folks. Out of the new users coming into Linux now, the "second wave", (i.e., the typical users), how many of them will actually need a real mailer daemon running on their box?
So does it make sense to ship with sendmail or POP/IMAP (both notorious security holes) enabled and running by default? I don't think so. Similiarly with webservers. If a user wants these daemons, they should set them up themselves.
Yes, I can hear you saying "but those things are hard to set up!" Well, I have two replies for that. The first is: Yeah, damn right those things are hard to set up. There's a reason for that. It's so fools with incomplete understanding who don't want to take the time to enlighten themselves, don't mess with them. The other reply is: Yeah, damn right those things are hard to set up - and shouldn't we the open source community be doing something to fix that?
I agree with main point of this article, which is that distros need to ship with tighter security. But I think the author is advocating better security for all the wrong reasons.
-Ben
Re: Securing Linux (Score:1)
http://www.ecst.csuchico.edu/~dranch/LINUX/Trin
I'll say people don't have time to secure their OS. At 8pt Font, and 0.5" margins, the above is 164 pages ! How many Linux newbies are going to spend the time to read and secure their box?!
The 'secure' option should complement the install. i.e. Secure Workstation, Secure Server
Re:not necessarily a good idea (Score:1)
Can you go to a school and go up to any windows/mac user, and expect them to even know what a daemon is, never mind what a port is, or even what an ip is? No, sadly, you can't.
The 'average' user will have no idea what these little programs are that are running that magically give others the power to '0wn' their box.
The fact is, people will install linux, get screwed over by script kiddies, and blame linux.
Re: Package **Nightmares** (Score:2)
Most of the installation was pretty straightfoward...I knew my hardware specs and wasn't really phased by all the partitioning. However, the package installer was a **nightmare**. There was an absolutely humongous list of packages with undecipherable names that all had intricate dependencies on each other. "What is prl3.405.1? And why do I need it for tk103.4? What the hell is asdf4.21...and why does qwerty1.2.3 want it?" Since no clue was really given as to WHAT these things were, I was forced (after several attempts at a minimalistic install) to install a humongous amount of crap @350 MB.
Now I used to be a DOS dork with a stupid 386. I knew every in and out of my system, and spent a lot of time tweaking. I liked to be able to understand and control everything. But the sheer amount of stuff I was required to install under Linux made this a bit daunting, and less than enjoyable. Sometimes there is such a thing as TOO much choice
I would really, *really* like to switch to SOMETHING other than Windows. BeOS looks pretty nice too...I sort of like the idea of a clean start. If I do permanently switch to Linux it will probably be Debian, because I've heard their package handling is rather stringent. I'd also like GNOME and KDE to mature a bit, and see XFree86 get some of the performance enhancements in.
Our experience with LinuxPPC Lite (Score:5)
First, it was hard to install. I actually can't remember why at this point, but it rarely seemed to work.
It was hard to figure out what needed to be in, and what people would want, and still give it a small footprint. The final cut was a 104 MB distro that could be installed into as little as 30 or 50 MB. But really, you can do that with R4 anyway. I installed from an R4 CD onto a Zip disk. I had Apache running, but no X. It was slow, but it worked!
Then there was LinuxPPC Live, which was an all-in-one distro similar to the recently announced "DemoLinux". Live consisted of a big fat ramdisk.image.gz file and a bigger, fatter live.filesystem file.
Now, the problem with Live was that to make it small enough to fit on demo CD-ROMs and Zip disks, we had to (again) do a lot of cutting, which made it semi-useless. You could set up a PPP dialup with netcfg (kppp was a buggy pile of junk at the time, and of no use). But, if you booted it off a CD, it took forever to boot, and it couldn't save any settings.
Linux on PowerPC still has to contend with users who have HFS Extended formatted drives. HFS Extended, or HFS+, is a more efficient disk format than Apple's original HFS, the Heirarchical File System. (Anyone else remember MFS?) Most Macs now ship with HFS+ formatted HDs, and Linux can't boot from a live filesystem on an HFS+ disk.
Live worked better than Lite, but only slightly. I never had problems with it (that is, it booted, it ran), but it just wasn't usable for much.
The good news is that doing Live provided a lot of solid R&D ground for us to do our current release's installer on. LinuxPPC 1999 (and the new Q3) can boot right from the CD-ROM, into Linux, into X, and into the installer. And it's all under the GPL. C'mon, Caldera! You made such a big deal about releasing Lizard under a semi-open license.. let's see you go all the way.
Live as a standalone distribution isn't a totally dead concept, though. It's got a lot of merit, and it's served nicely as a proof of concept for the live filesystem. It's not perfect, definately not ideal for power users, but it's a good way to get people into Linux with a minimum of fuss.
Exactly! (Score:1)
My parents eyes glaze over when I talk about computers to them, but I know both of them are smart enough to read a few paragraphs that an installation program SHOULD have in order to understand, for the most part, what they're doing.
Also, they know that they'd be better off in the long run to do a little reading so they have an idea 'what's going on' with the computer later on.
The more information that the newbie can learn/understand, the better off we all are.
Re: RunLevel (Score:1)
Couldn't this be fixed with RunLevels? Couldn't you just set up the box to boot into X under a certain user?
Re:Security 101... Not offered on campus. (Score:1)
This isn't a perfect solution, of course, but it does mean that most of the exploits in common use won't work against most machines in Cambridge. There is also a site-wide firewall that is used to block some services that are regularly abused.
Re:Nice plan but wil it work? (Score:1)
The phrase that I hate is: "And now, faithful readers, I shall commit the ultimate heresy. Windows NT is way out in front of Linux in dealing with this problem--at least in theory".
Just how much netbios traffic does one get due to silly windoze lusers enabling netbeui/netbios and/or IPX/SPX traffic over their dialup connections?
That alone is reason why linux is inherently "better" - at least some distributions come with an
NT is not hard to spot remotely, and not exactly hard either to crash or crack. nmap & search engines on "+NT +exploit"...
As far as linux Lite goes, folks here are right - who on earth would buy a "Lite" edition?
Re:Security 101... Not offered on campus. (Score:1)
That'll keep most of the losers out. Remember that programs like sendmail and sshd, which are generally run as a daemon, and not from inetd.conf do not have the protection offered by hosts.deny. Well, there are man pages for both, so read up.
Mike
Re:Security 101... Not offered on campus. (Score:1)
Suppose you're at some campus... M$U, for example. Their NT boxen-farm gets hacked as a waypoint for some script-kiddie, so that they'll be that much harder to trace. Of course he wipes the logs. The problem? He jumps through a Linux box on campus to get to the NT boxen. A Linux box owned by a well-respected (and technically proficient) RA, who missed one security upgrade, because he was out of town for a week. The script-kiddie subscribes to bugtraq, too. The script-kiddie punches in, and eventualy brings the wrath of a foreign nation's intel service down on the college. Apparently the script-kiddie knows his shit, and isn't so "1am3" after all.
What's lame is that the RA gets kicked off campus, ethernet revoked, and a big black mark on his record (remember he was out of town for the week... in the middle of the woods with no internet connection, too).
The Luddites on campus get their own security shamans to close all ports numbered higher than 100 or so. Close. Shut Down. SSH, Telnet, and web access, and that's it. No online gaming anymore, no ICQ anymore, no IRC anymore. Firewalls were discussed, and dismissed as "too difficult to implement."
How did the Linux box get broken into? A backdoor having nothing to do with the higher ports. How did the NT box get broken into? Script-kiddie tools very commonly available... I had heard it was BackOrifice.
(I'm sorry, it would have been BackOrifice... if this weren't a totally hypothetical case).
The short of it is:
What do you do when your network is run by folks who cut off their arm when they get a papercut on their shin?
Since protesting doesn't work, how can I get full access back without hacking?
Why does such a "big name" school not have "halfway intelligent" sysadmins who can make "well thought out" decisions?
The answer? I'm up a creek until someone comes up with a better way to secure a network, and makes it easy to maintain. Even though most sysadmins are brilliant techies, there are many who are morons. Good security needs to let 99% of the well-meaining morons defend against 99% of the evil geniuses.
Sigh... sorry about the rant.
-jurph
Re:Security 101... Not offered on campus. (Score:1)
We have an interesting arrangement in the University as far as computing is concerned. The Computing Service provides central services (the city-wide network, a central mail store and switches, a central Unix service, printroom facilities, archive services, etc.), but the various Colleges and Departments (and the University administration) are all responsible for their own systems. It has the potential to get very confusing, but in practice seems to work very well.
Re:Security 101... Not offered on campus. (Score:1)
Jeff
Re:New Disrto Is Needed (Score:1)
That is SUCH a good idea! Choose your packages and then be shown a virtual du of your potential directory tree. Then you could make intelligent decisions about how to partition.
Are you distro makers listening?
Re:Security 101... Not offered on campus. (Score:1)
Jon
This is Bastille Linux (Score:1)
http://www.bastille-linux.org/
How's this? (Score:2)
Re:No Root? (Score:1)
Sure, and then they discover the data on the floppy somehow became corrupted. Or Sis had to use a floppy for her school project so she formatted it and walked off with it...
It's not like without this stored password the root account is forever unavailable. I have a strong tendancy to forget my root password since I use the account so seldom. I therefore know how insecure any machine is when you actually have physical access to it. But having said that, this solution has a few big flaws.
holes by default? (Score:1)
IIRC inetd is turned on by default on Redhat. The newbie thinks "Great, Internet, I need that". /etc/hosts.allow and /etc/hosts.deny are empty and /etc/inetd.conf has turned on ftp and pop by default.
Trouble is that
I mean, what's the use of all those security updates and fixes if the worst holes are provided as an installation default? And with services like dynIP [dynip.com] the problem even gets much worse. In its current form Linux is pure dynamite in the hands of people that have no idea of how to smell the fuse.
The author's proposal of having server and workstation editions will at least work for the sensible portion of new users. The rest will have to learn by error, I am afraid.
Security 101... Not offered on campus. (Score:5)
Opening your machine for the first time made you nervous, but after all, you have "ethernet" now, so you can't possibly go wrong. Magicly enough, Windows properly finds your new 3C509 and sets it up. You begin playing around with the network settings based on the little numbers you find on your dorm network setup paper. After a reboot, you fly into Netscape and get lost in the web, watching things come at you with blinding speed. But you want more.
You meet this scruffy, withdrawn student down the hall. You know he's the resident computer guru, so you ask him what else you can do to have fun on the internet. He gives you a long hard look, not sure just how bright you are. Unknown to you, he has been evaluating your intellegence since day one, along with the rest of the incoming freshman. He sighs when he realizes you are the least annoying person in your pack. "Linux," he says. You turn to him with a quizical look on your face. He points you to linux.org and tells you to look around. You jump to it.
Around 2 AM, your Debian install is complete. You had another hard drive lying around from when you had your machine upgraded, and an engineering major installed it and made it go. You choose debian because of the FTP install. You wanted everything to work without waiting, too impatient. Once it's set up, you leave your machine on as you go to bed. You logged out, and felt important doing so.
The morning brings around the first day of classes. You give your friends your 'New' email address and brag about being able to get your own email without having to use the Campus system. You don't know or care how sendmail works. You know, however that it works, and that pine is rather nifty.
As you walk in at night, exhausted from a full day of work and play, you hear your hard drive going a mile a second. You walk over to log in, and find your password changed. You're completely lost and have no idea what to do. You yank the magic cable out of the wall and turn off the machine. You remember that you can still boot to Windows, so you do. Ahh, safe, you sigh.
A week later, the scruffy geek comes back to your room with your hard drive. He had taken it, at your request, to find out what had happened. He snorted, and asked you what business did you have running NCSA HTTPD. You shrugged. He looks over at the wall. He looks confused and exasperated. Unbenounsed to you, he's having a chicken and egg argument with himself. "He needs to learn before he can use this stuff. However, he can't learn without using Linux."
He turns back to you. "Ok, I'll secure this system for you. However, this is a one time deal. I'll answer your questins, in brief, but I will not do anymore for you. Do you understand?" You nod. He returns your harddrive the next day. You're happy as a clam that everything, as far as you can tell, is just as you left it. What did he do? You let it escape your mind as you look at this neat thing called IRC.
Two weeks later, your hard drive is wiped. Unknown to you, another daemon, this time sendmail, had a Cert advisory posted, and you pissed someone off on IRC. The wrong person.
I hope you enjoied that little tidbit. This happens way too often. However, in reality, people's college boxes just become hideouts for script kiddies. I believe a condenced Linux Workstation would be extreamly useful. I wish I had one when I started. I, instead, was baptized by fire.
Mike
Assumptions, and a little humor. (Score:3)
There are two assumptions being made here that I am not sure are universally held.
First, that "we" collectively want people who refuse to read documentation running Linux.
Second, that "we" are striving for universal use of Linux.
These are contrary to the things that drew me to Linux in the first place. I started using Linux (and reading /. and hanging out at #linux) because every illiterate monkey who considers himself a "computer expert" doesn't. The OS sucks less, and so does the community. Now there is this big push to get "every computer" running Linux. World dominance is a Microsoft value, not an open source value.
I am not against making Linux (and associated software) easier to use, I am absolutely for it, but I am for making these things easier as one element of making them better. I am against making it easier to use at the expense of quality. I think that we need to be ever vigilant in this regard.
"Is ease of use more important than quality?""No. Quicker, easier, more seductive"
"But how will I know good ease of use improvements from the bad?"
You will know when your goal is making software better, not driving it on to every processor in the world.
My $.02
-Peter
The road to mainstream (Score:1)
As much as we would all like everyone to RTFM, it will never happen. The "average" home computer user never will read the manual. He/She just wants to get on thier computer and have it work. They care about the *apps*, i.e. the browser, word processor, spreedsheet, etc. not the underlying OS.
I know there have been times that I have installed RedHat or Slackware and really wanted the *easy* install option. Just press a button and go. It takes a while to configure and secure a box.
When I first started messing around with Linux I didn't have to worry about security because I wasn't wired 24/7, and had to share a line with roommates. I had time to learn the systems ins and outs *then* not until the past few years have I had to start securing my box.
You have to put yourself in their shoes. They want to use this wonderfull OS but first they gotta catch up on months/years of knowledge otherwise a bunch of script kiddies are going to take over my machine!! Not going to attract many people that way.
Give them Linux Lite, let them learn by exploring, then they can start expanding their system and grow with it.
ok enough ranbling... please excuse the spelling errors, it a Monday!!
ssh by default? (Score:1)
"Why don't distros install ssh by default ?"
Largely because "certain" countries don't want it that way, hence make it illegal to "export" reasonable crypto-enabled apps.Most distros attempt to appease these "certain" countries so they can be distributed from there, so they suck up by removing anything with reasonable crpyto. You want secure computing to be the norm? ... Write your legislator regularly to get ridiculous legislation changed.
Re:Wonderful Idea (Score:1)
MODERATE THIS UP! (Score:1)
Where are my moderator points when I need them? :) This post truly needs to be a 5 minimum.
However, this isn't solely a "me too" post, since I disagree with one point the AC made. An MTA is needed for most installations. Not only is it needed for outbound mail, but fetchmail sends to "localhost" by default.
Hint: there is a reason RTFM became a cliche in the *nix world. People unwilling to learn shoudn't be on a powerful OS, they should remain in their various sandboxen.
Re:Not anything new. (Score:1)
I know more than one person who felt that they
wanted to install _everything_ on their workstation machine, so they wouldn't have a problem loading it on later if they wanted it later.
One person actually started digging around researching how to get into the DNS with his spiffy new named. Not because he needed it, but because the "everything" install included it, and he assumed, in his newbieness, that he needed to use it.
I'm somewhat tempted to do the same thing, but I don't. For example, if I installed a server machine without a news server, and later decided I wanted to make it a news server, you no longer have that slick GUI to load it in for you, you have to rpm and stuff. It's natural, under those circumstances, to be tempted to load in the news server just in case you might want it later.
A matter of choice (Score:2)
Not a Linux problem: a distrobution problem (Score:1)
This is not uniquely a Linux problem. Solaris, Irix, FreeBSD, etc come with a million services enabled by default. OpenBSD has it right--disable *everything*, and then turn things on specifically. The people who don't know what httpd and bind are don't need to run them. It's a simple as that. The people who do know what they are know not only if they need them, but how to turn them on or off.
RedHat has a good start but it could be taken further--the installation does ask for a server or workstation setup. What it should do is make you specify "server" as part of the Expert setup--a parameter you pass to it when you begin the installation.
The author raises a very important point--as "the masses" are becoming more and more interested in Linux, and it is becoming increasingly less rare for people to be using it, it behooves the distributors to create distributions that are secure by default. In fact, I can think of no reason not to create secure distributions under any circumstances. Especially with the newer, graphical control panel-type administration tools, where turning services on and off (like sendmail and http) is becoming point-and-drool easy.
Is there any reason to have login, exec, rsh, wall, httpd, finger, and bind on the average workstation, even one connected to a network? Not really. Probably not at all; in these days of NIS and NFS, many services need only run on one centralized server.
darren
Re:The installation program I'd like to see (Score:1)
Re:Yes! (Score:2)
Re:For all the wrong reasons. (Score:1)
There is no such category for the home user. You simply must be the wise guru person, or you should be running Be or something instead. The consequence of letting people water down the OS alarm me.
Re:For all the wrong reasons. (Score:1)
Besides, Linux folks are very nice and helpful when newbies like me have a question. There's lots of support out there...nothing's all that difficult.
miyax
Re:not necessarily a good idea (Score:1)
A single-user workstation needs to, by default, let that user do most workstation tasks, just about anything except deleting the kernel or unmounting the swap partition.
Re: Red Hat Lite (Score:2)
Umm how bout Distribution Desktop
or maby Distribution User Edition.
(replace Distribution with your favorite distribution of course.. as in RedHat User Edition.)
Linux and the PC Assumption (Score:1)
The trouble with the LinuxLite suggestion is that it violates the architectural intent of Un*x, which is meant to be a networking, multi-user OS and is designed on those assumptions.
People have already noted all of the problems with lacking a root password, etc. These are reflective of an underlying problem -- we are asking Un*x to do something it was never designed to do. Microsoft tried to take a 16-bit, single-user, single-tasking system and make it into a 32-bit, multi-user, multi-tasking OS -- and wasn't the result just grand?
If you want a solid, nice-looking, single-user OS with GNU tools and good security, try MacOS or BeOS. I run Linux by preference, but I use Be and recommend it to inexperienced users who won't abandon their old x86 hardware :). Each system has its place.
--
A Question of Motive (Score:1)
This LinuxLite is Yet Another Option, and Linux has ALWAYS been about options, so don't yell that a trimmed version is evil, or foolish, or that people should all RTFM.
Mainly, because yelling won't make them.
His point is good and valid, and if following will bring us more linux users, then lets do it. The whole point is MORE. The evolution of the system is driven by numbers, and an uneducated linux user can only become one thing: a more educated linux user. But first, we have to get them on the system, and we have to get their resources to support the system.
And there does need to be a LinuxLite ONLY Cd, because we want them to play with it, but we don't want them to hurt themselves, and we dont want to scare them (so no "Experienced users ONLY" options).
If Linux is a tank, think of Linux Lite as the Poeple's Car (the Volkswagon). It is built around the same ideas, but is simple enough to be understood JUST by taking it apart, and is straightforward enough, that a newbie can put it back together.
-Crutcher
Re:debian (Score:1)
Re:You've just described Linux Mandrake... (Score:2)
Additionally, it just uses RPM's upgrade facility. It would be very nice to have a global configuration mechanism so that one could configure a new package at install/upgrade time (or at least select from multiple pre-written configurations). There are already some efforts on global X-based configuration programs (dotfile I think might be one such effort), but it hasn't quite made its way into a large enough chunk of packages (it might not be flexible/powerful enough for large apps that have complex configuration systems, such as sendmail or Apache).
Re:not necessarily a good idea (Score:1)
Keep in mind that for most people, computers are tools, not toys. And why shouldn't software be dummy-proof just like other tools? Imagine if everytime you bought a new toaster or a new television you had to read a long manual, and then spend an hour or two setting it up, and then weeks or months learning how to use it!!
Think about it. How many people do you know who say things like "I'd use computers more often, but I can't figure out how to boot the internet" or "I'll start using computers when the become easy to use". We need to start making software intuitive for the computer-illiterate!!
Re:You've just described Linux Mandrake... (Score:1)
One thing that might help... (Score:1)
The thing that I'd really like to see is some sort of automated security updates. What this would entail is a demon that hits the distribution's web site (using secure channels and authentication) to see if there are any "emergency" updates to packages. If there are, the system can go ahead and automatically upgrade, or prompt the user to upgrade, or whatnot. The user would, obviously, choose at setup time whether the demon runs, and whether they will accept the automatic upgrades.
I know Mandrake has an update system that is invoked manually (I haven't tried it yet). A bit of an extension to the system could let you do these emergency security updates. Of course, sometimes upgrading a package is not fool-proof...
With DSL and cable modems, I think more people are going to end up running not just workstations, but also servers. I don't consider myself a sysadmin by any stretch, but when I get my cable modem, I do plan on having a PC on the net 24x7 to act as a personal web server, maybe an FTP server, perhaps a MUD, etc. While I know enough not to run demons I won't be using, I also don't want to live in fear that a security hole will be found and a script kiddie with exploit it on my system when I've got my back turned (say, when I'm on vacation). An automatic update system would be helpful.
Also, a security evaluation system would be handy, to determine if you have screwed up. The distros could encourage people to run these sorts of things on their PC's after they have set them up, to catch any of the obvious mistakes.
I submitted this as a RedHat bug (Score:2)
I submitted a suggestion like this as a RedHat bug (ID 134 [redhat.com]) awhile ago. The response was not exactly overwhelming.
The RedHat workstation/server difference is helpful, but not enough. We need an option to install the RPMs but not start the services. And I think *all* listening ports (except maybe telnet) should be off by default.
Re:Yes! (Score:2)
Suggestion (Score:2)
Re:Yes! (Score:2)
Re:not necessarily a good idea (Score:2)
Making things simple to use is great. And having a good, clean, secure base setup is extremely important.
But the computer *is* a tool. And you have to know how to use any tool or you can't use it effectively. That's the flip side of this dumbing down business -- it discourages users from ever learning to use their computer effectively. This idea that you can have a powerful tool without risk is ridiculous. That users expect this is a mistake on their part. That system designers who should know better cater to this mistake is idiotic and shortsighted. You expect this sort of thing with comercial OS's, but OSS is supposed to be able to take the longer view.
Re:not necessarily a good idea (Score:2)
Video = N64 (most people can get it to work, but they don't know how or why it does what it does)
Private Aircraft = Linux PC (anyone can be taught to fly one, but they may need constant supervision, and they're pretty likely to crash it)
Society doesn't always handle tech well (the idea that everyone should be encouraged to operate 100kph 1000kg machinery in populated areas is just craziness, and it's a tribute to human ingenuity that we've made it as safe as it is to drive a Car)
Today's attitude to computers (Uh, I deleted it, how do I get it back?) is just a less extreme example of this in action, and I think it's pretty sad to Dumb Down Computers just to let people be more lazy...
That said, I support the idea that Out-of-box Linux should not be set up as a fully-daemonized Unix if it's intended for desktop users, if you really NEED an SMTP server you can read the paragraph which tells you how to activate the damn thing.
Nick.
Re:not necessarily a good idea (Score:2)
---
If they can't be bothered to learn about the software they want to use, we don't need them.
This is *not* the attitude to take. If we continue to cater only to the technically savvy, Linux will remain a niche operating system used only by the technically savvy. Its growth will slow, and fewer people will be interested in learning to use it.
The current trend for computers and operating systems is for intelligent, autonomous simplicity. Some people call it "dumbing the PC down", others call it "creating an intuitive user interface." The types of people that need these interfaces are going to be the types of people that have the hardest time manually editing configuration files and "learning" an operating system's internals. These are the consumers. These are the people that make up the vast, vast majority of the operating system market, and if these people are unable to make use of an operating system that is unable to present configuration options in an intelligent, simple way, that operating system will lose market share and remain in a niche market forever.
not necessarily a good idea (Score:2)
It seems that way too many things are 'dumbed' down or over-simplified for the 'average' user - it makes me sick.
Another distro? (Score:2)
Supurb idea, and an absolutly needed before Linux can be for the average folk.
debian (Score:2)
Security... (Score:2)
All computer users need to be made more aware of security issues, including those running Windows. I have a friend with a cable modem, and just for fun one day he decided to see how many Windows shares were available to him on his network. He was able to get, among other things, someone's tax return because of a share that user left open.
Ouch.
Install less, and use firewalls (Score:4)
(1) There's no need for entirely separate distributions: a radiobutton selection in the install dialog about whether you want the default desktop edition or something fancy would do.
(2) Firewalling the PPP device by default would help. A *lot*. Just bar incoming TCP connections and most other stuff and a lot of script kiddies get shown the door.
(3) The biggest helper would be if these distributions installed fewer packages! I've installed Debian umpteen times, and I've grown to loathe dselect. The best thing would be for distributions to install a minimum set of recommended packages at install time, enough to get online and browse the Web and read mail and news, and then let them get used to it. Another day, they can learn about making Web servers available and suchlike: a simple, secure base would be an excellent place to start.
--
Re:No Root? (Score:2)
Just a few things... (Score:2)
The users do need to know that there is a root account, and know the password. They need to be educated at least to the extent not to stay logged in as root. Many NT users have been able to grasp this; Linux users should, too. And as someone already pointed out, otherwise there will be known default root passwords, which is a Bad Thing, Man (tm).
In reality, all distributions should come with the default configurations a bit more secure. Maybe not to the level of extreme paranoia, but to a reasonable degree. Let's be honest, we sysadmins aren't perfect (although we want our users to think so). It's possible that we could forget to configure something when installing a new system, or erroneously assume that some option is already set in a secure manner when in fact it's not.
This will have another, non-technical effect. Once the mainstream media picks up on such a distribution or effort, that's going to entice more users (and corporate managers) to consider it a viable desktop option. I'm all for users learning more about what they're doing, but I've met too many customers who asked me, "What's 'double-click' mean?" to believe that this could ever happen.
Not anything new. (Score:3)
The author seems a bit systems-administration-naive to think that you'd have to design a special distribution just for this.
Bruce
You've just described Linux Mandrake... (Score:2)
Mandrake has the main install categories (server, workstation and custom), but not the subcategories.
The package categories are almost like it.
And it has Mandrake-update: You start it, it fetches the list of mirrors of the FTP site, let's you select one, then fetches the list of RPMs to update, you select the ones to get, it downloads and installs them, and you're set.
Now, they're preparing the next incarnation, we can suggest this to them, it shouldn't be hard to implement.
"Now you can see that evil will triumph, because good is dumb!"
Maybe an answer! (Score:4)
should a system come out of the box running
httpd, ftp, or whatever?
The OTHER problem that stops us from
world domination is the GUI! X can be
impossible to get working - especially
on newer hardware(My EOne for example)
A couple of days ago there was an announcement
here of yet another distro that takes care
of one issue: http://www.demolinux.org
This distro runs exclusively off of a CDROM -
you can take linux to any machine! One of the
tricks they pulled that got it to run on my
EOne that neither the latest RH, Mandrake, or
Suse could do was bring up X! They used the
new Frame Buffer server. It isn't accelerated
but it works GREAT! So if the demolinux
people were to go a step further and tighten
up their system to not have a large number
of separate demons running - we might be
pretty close to what the author was asking
for! (Actually haven't looked at what
demons they HAVE enabled on this distro -maybe
it's already there?)
Steve
Re:Wonderful Idea (Score:2)
Most distributions should be geared specifically toward a specific usage profile -- very few distributions should be the "general purpose" setup for tweaking by experts. From a business standpoint, give the consumers a tool they can use easily -- turn-key solutions are what seem to be wanted by the general public (as opposed to the subset of people who like to tinker around with their systems).
Linux well done, not "lite" (Score:5)
While I understand they do it to attract Windows users it is becoming a very dangerous game. The solution is not going even further the Windows way, as the article suggests. The only real solution is that the distributions stop focusing on copying Windows styles, looks, feels, sounds, etc. and start focusing on these points:
- Good comprehensive documentation, including overviews and guides to the software they distribute. Besides all generic documentation which comes with a package there is a need for each distribution to explain what is included and why, how the packages included will help the user, and which packages should a user install to accomplish what she needs.
- An installation system which educates the user at the same time it installs the packages. It should guide users so that they choose the installation which best fits their needs, avoiding the current install everything approach.
- A good admintool which takes care of all the tedious system administration tasks in an unobtrusive way. It should perform all necessary security checks and monitor the system periodically.
Of course, these are the ultimate goals and it would take time to reach them. However, while some distros are at least partially working on similar projects, most are not. If new Linux boxes are insecure it is the distros fault. No doubt about it.Re: Red Hat Lite (Score:2)
My Dinner With NT (Score:2)
I started my time with Win 3.1, and tweaked that to death, then moved on to Win95 and played with that for a time. Up until this time, I had been your typical user, unwilling to dig too much further.
My experience with NT over the years has taught me some valuable lessons.
* I have a user account on my machine instead of logging in as the Admin. I've set up the desktop and start menu on the Admin account with items aimed at administration [doh].
* I set whatever services I may run to manual, so that I use them only when needed.
* The C: partition is for the OS and programs only. All data is on the D: or subsequent drives.
I'll be damned if that isn't the successful recipe for a Linux box as well.
I'd have to say the first few chapters of the Red Hat manual were invaluable, and ought to be required reading. It isn't that difficult. And if you're not careful, you just might learn something.
Don't Fool yourself (Score:2)
However, as soon as you dial up your ISP, not to mention connect a cablemodem, you would be well advised to be concerned with security.
Even if you have nothing but valueless games on your personal computer, a malicious cracker can still make use of it as a depot for warez and pornography, and they can also use your computer as a launching pad for attacks on other systems. Some people will try and damage your computer simply because you live in (insert your country here).
How would you like it if your computer was seized by the feds for evidence because a malicious person used it for illegal purposes?
Everyone who is part of an worldwide electronic community should be aware of security (and privacy) issues. You don't have to be a security expert, but you should at least go in with a cautious attitude. In the end, you are responsible for yourself.
Well there is SOME good thinking here (Score:2)
sorry about any errors,
rob
Redhat installation. (Score:2)
What would really be appropriate is if distributions could package in ssh, but then we run into export problems - i assume, only because I know redhat doesn't come with ssh - but maybe that's the ssh people being uncooperative. But really, does a home user even need telnet?
Joseph Elwell.