When security is a bad, bad thing

>> Tuesday, October 23, 2007

Ubuntu Linux, like a good, modern operating system, tries to be idiot proof. One was in which that's implemented is to deny the user administrator rights as a matter-of-course. Another is that Ubuntu tends to default to denying permissions with new directories and drives.

Here's what that means: the administrator on a computer is the person who has universal access to everything on the system. Every directory, every file, everything. Being administrator is like being king: it's good to be king. But, if you're one of those child-kings who inherits the throne at age 4, you can end up being the patsy while a regent comes in using your name to impose all sorts of painful edicts.

No, it really is a good metaphor: the fact that older versions of Windows default the user to administrator privileges is part of the reason there are so many security exploits for Windows: pretty much every home user of Windows is an administrator, and if they download a piece of software without scanning it for viruses or malicious scripts (programs), the user runs that program as an administrator and that program takes on the same administrative privileges that the person who ran it had. The administrator has direct access to everything, remember? So the administrator who accidentally gives a virus administrative privileges gives that virus access to everything....

This is why Mac OSX, many Linux flavors, and Windows Vista don't let the user default to administrator. The user has to take extra steps to run a program that could access the meaty parts of his or her system, like the partition table or private data. In the case of Vista, you (apparently) have to click on a box every time you want to run something--word on the street is it's a lousy implementation of a necessary idea. In the case of Linux, the more typical decision is to require the user to temporarily login in as a superuser.

In a GUI (graphical user interface) like KDE, an administrative-level program will throw up a login screen before proceeding. It doesn't absolutely keep a user from doing something stupid, but it certainly red-flags the operation and creates a tripwire. From the command line, the user must preface an instruction with the prefix sudo. For instance, changing the permission on a file to make it accessible for all users might look something like:

sudo chmod a=+rw /directory name/file name

This is normally a good thing. Normally. But when you're a low-level user (like myself) trying to fix a broken system, it makes the ears bleed. It's also the kind of thing that confuses and terrifies an entry-level user, and it's part of the reason Linux isn't quite ready for primetime.

Anyway, that's me venting while waiting for files to copy. If you know more than I do--quite likely--feel free to tell me what I'm doing wrong. I've got to learn somehow.


Rick Wednesday, October 24, 2007 at 6:24:00 PM EDT  

you can run something like 'sudo su -' or 'sudo bash' to become root on the command line. Obviously, be careful, and know what directory you're in before doing something huge, but it makes it a lot easier to see the contents of some directories.

Post a Comment

Thank you for commenting! Because of the evils of spam, comments on posts that are more than ten days old will go into a moderation queue, but I do check the queue and your comment will (most likely) be posted if it isn't spam.

Another proud member of the UCF...

Another proud member of the UCF...
UCF logo ©2008 Michelle Klishis

...an international gang of...

...an international gang of...
смерть шпионам!

...Frank Gorshin-obsessed bikers.

...Frank Gorshin-obsessed bikers.
GorshOn! ©2009 Jeff Hentosz

  © Blogger template Werd by Ourblogtemplates.com 2009

Back to TOP