| 1 |
On Mon, Mar 23, 2015 at 5:46 AM, Peter Humphrey <peter@××××××××××××.uk> wrote: |
| 2 |
> |
| 3 |
> The remaining question is: why is the user not allowed to halt it? |
| 4 |
> |
| 5 |
|
| 6 |
Keep in mind there are many ways that a unix-like OS can be used. It |
| 7 |
could be running on a laptop, or it could be running on a multi-user |
| 8 |
system where 50 people are logged in at any given time. In the former |
| 9 |
case you want a desktop-like experience where the user can just hit |
| 10 |
the shutdown button, and in the latter case you don't want users |
| 11 |
powering off the server which might be 4 states away. |
| 12 |
|
| 13 |
The old solution to this was just having the system owner run sudo |
| 14 |
poweroff. Then desktop environments came up with a way to allow a |
| 15 |
logged in user to send a command back to the display manager (which |
| 16 |
runs as root) to tell it to shut down the system, and made whether |
| 17 |
that is allowed configurable. The most recent evolution of this is |
| 18 |
consolekit/logind, which distinguishes users logged in at the system |
| 19 |
console from those logged in remotely and grants the authority to |
| 20 |
shutdown the system if you're local. This approach also does things |
| 21 |
like assign permissions to audio devices as well, so that only the |
| 22 |
person sitting at the console can spy on the console using the |
| 23 |
microphone and you don't need to control this manually using an audio |
| 24 |
group. |
| 25 |
|
| 26 |
The other trend is for unprivileged processes access privileged |
| 27 |
functions via dbus, controlled by polkit. This allows granular |
| 28 |
control over what users/groups/etc can run what functions, potentially |
| 29 |
based on whether they're at a local console or not. You can even |
| 30 |
control that particular functions require a root password or for the |
| 31 |
user to re-enter their password. This puts all the policy rules in |
| 32 |
/etc and reduces the amount of per-application configuration. It is a |
| 33 |
bit like sudoers, but with more fine-grained control and without |
| 34 |
getting into hard-coding command lines (which can be a bit clumsy). |
| 35 |
The traditional downside to this approach has been the need to run |
| 36 |
dbus, but this is moving into the kernel and the intent is to |
| 37 |
encourage processes to utilize it as the main IPC mechanism. |
| 38 |
|
| 39 |
The end goal is to try to get reasonable default behavior without |
| 40 |
requiring either desktop or server administrators to have to do much, |
| 41 |
or to have to designate a distro as being primarily desktop vs server |
| 42 |
in nature. On a server nobody is logged in via the console, so you |
| 43 |
get restricted privileges by default. On a desktop the main user is |
| 44 |
logged in via the console and can use their webcam+mic, but others who |
| 45 |
might be allowed to login cannot remotely connect over the network and |
| 46 |
spy on the same. However, all of this is configurable - you can stick |
| 47 |
rules in /etc which change these behaviors. |
| 48 |
|
| 49 |
-- |
| 50 |
Rich |
Archives