[clug] Any Public Service organisations using Linix desktop and
paulway at mabula.net
Fri Jul 4 10:51:40 GMT 2008
-----BEGIN PGP SIGNED MESSAGE-----
Edward Lang wrote:
| On Thu, Jul 3, 2008 at 7:38 PM, Kim Holburn <kim.holburn at gmail.com> wrote:
|>> Software Firewall: Windows includes one. It drops packets. Define
|>> "decent" in this context; desktops don't need fancy mangling rules.
|> Would you trust your security to Microsoft?
| The reason I don't currently want a UNIX variant as desktop
| environment in the public service is that l don't want root access on
Sorry, but I'm trying to imagine the corporation or department that gives
every user root access and failing completely. I think your reasoning here is
- - to blunt - wrong. In the IT help desk, you may get a few people who have
administrator access, controlled either by sudo or other privilege restriction
features. No-one gives or expects to give administrator rights to any other
users, to their desktops or production systems.
Fedora has recently started providing Pesselus, an application to limit what
users can see of their systems. It can disable command line, save to disk,
changing the panels, and enforce locking on screen saver activation. It can
also disable access to any of the applications you can add to the panel even
if you allow users to customise their panels. And, of course, there are many
other ways to limit a user's ability to do stuff based on the regular file and
directory permissions system we have already built in to Linux.
So really locking down a Linux desktop is no different to doing the same for
Windows. You don't allow your users to have admin access, you lock down what
programs they have access to, you make sure you've turned off all the
reminders on the desktop for updated packages and so forth so they never get
bugged by that kind of stuff, you make sure the directories they need are
mostly mounted off network servers, and you do your administration remotely.
P.S. Interestingly, I stand as somewhat of a counter-example to the above,
since on Monday I started work and the first thing I did was to install Fedora
9 on my desktop machine. This was not unusual, since I am part of the service
delivery network support team and we do a lot of our work via SSH and other
command-line tools. Most of the rest of the team uses Mac Minis or Debian -
only a few run Windows (with PuTTY to do the SSH work). There is an explicit
understanding that we get no support from the infrastructure services computer
help desk for anything non-Windows related. And I fully expect, when I
finally get my Windows domain username and password, that I will have to
either run Windows (in a VMWare instance) or expect the good, indifferent or
non-existent compatibility with their network services. But I am hardly a
typical user - I broadly fit into the 'IT help desk' category I outlined
initially. And having root access on my machine is hardly a benefit to me in
their corporate network.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----
More information about the linux