sudo without password
Derek Broughton
news at pointerstop.ca
Mon Jun 12 13:36:56 UTC 2006

Peter Garrett wrote:
> On Sat, 10 Jun 2006 21:52:03 -0400
> Scott Kitterman <ubuntu at kitterman.com> wrote:
>
>> > This would be the ZoneAlarm style, which Linux really lacks,
>> > unfortunately.
>> >
>> My experience with this has been that there are basically two choices:
>>
>> 1. Lock things down. The user gets frustrated and uninstalls or turns
>> off the firewall.
>>
>> 2. Ask if something needs a port opened up going out. User virtually
>> always says yes.
>>
>> Either way, unless there is a lot of user training and understanding, I
>> don't think these GUI firewalls do much good for the masses.

They don't, if they just ask if 'x' should be given access to the Internet
(and the annoying thing I found with ZoneAlarm was that it would always ask
twice - first it asks if you want to allow the program access to the LOCAL
network, second it asks if you want to allow access to the Internet. That
sort of redundancy encourages users to ignore it).

So a little analysis is in order. First, if the port is not an
IANA-assigned, or at least well known, port, make the warning clear that
the firewall program hasn't a clue what is going on and that this may lead
to serious corruption of the system if the user doesn't know either. Then,
if it is a well-known port, try to give the user a better idea of what is
actually trying to access the net. If it's a client program, that should
be enough. If it's a server, make it clear that this leaves the computer
open to attack. Heck, on an Ubuntu system, it probably isn't even that
hard to check that the server is up-to-date, and therefore has all
available security patches.

Once you've done that, some users will still say "yes" to everything.
There's really nothing we can do about those users, except give them
systems on which they can't install anything! The other users will _all_
be better off than on a system that has no firewall - they just may not be
as secure as possible. And frankly, firewall writing is still way too
difficult for ME - I want this sort of GUI (I was told when I first
installed guarddog that this sort of behaviour was intended, but I've been
using it three years, I think, and we still don't have it).

--
derek

More information about the ubuntu-users mailing list