I don’t think I can talk about “security” people without cursing, so you might want to avert your eyes now.
I gave OpenSUSE a try, because it worked so well at install-time on the Macbook Air, but I have to say, I’ve had enough. There is no way in hell I can honestly suggest that to anybody else any more.
I first spent weeks arguing on a bugzilla that the security policy of requiring the root password for changing the timezone and adding a new wireless network was moronic and wrong.
I think the wireless network thing finally did get fixed, but the timezone never did – it still asks for the admin password.
And today Daniela calls me from school, because she can’t add the school printer without the admin password.
Whoever moron thought that it’s “good security” to require the root password for everyday things like this is mentally diseased.
So here’s a plea: if you have anything to do with security in a distro, and think that my kids (replace “my kids” with “sales people on the road” if you think your main customers are businesses) need to have the root password to access some wireless network, or to be able to print out a paper, or to change the date-and-time settings, please just kill yourself now. The world will be a better place.
.. and now I need to find a new distro that actually works on the Macbook Air.
Everything from this point on is pure opinion based on my life as a Linux and information security hobbyist and enthusiast.
Once again, 100% opinion past this point.
OK. I know I am going to hurt a few feelings here for some of you, but I do not entirely agree with Linus here, with utmost respect to everything he has done.
Let’s assume, for the sake of argument, that you get to add devices without the root password. The purpose of a root password is to have a ‘master’ password for the system, required for certain tasks that, when not carried out by the owner or a professional, can be done incorrectly and may in some cases create a break in workflow or an error of some sort. In this case, adding a new device, like a printer, is not much different from allowing access to another device, such as a network share.
Without bringing you through a long and drawn out scenario, what we are trying to avoid here is allowing a computer on a network that likely contains TONS of sensitive data (grades, medical info, financial info, answer keys) to make connections with what could very well be rogue hardware.
What if a student brings a laptop, connects it to the network, and is briefly able to tell a computer to bounce the network through this laptop (to circumvent content filtering), which SSHes into an unfiltered computer remotely and uses wget to mirror the network share from the school server containing grades, addresses, vaccination records and SSNs?
This is a routine procedure for the most novice hacker. It is called “Tunneling Through The Paywall” and can be accomplished in a matter of minutes.
Enabling a computer to attach to any network without a root password or keyring password makes this attack about twice as easy, as it allows you to bypass any content filtering right off the bat. A student could fire up a rogue hot-spot from an Android smartphone in a backpack and create rogue APs, effectively creating a Man In The Middle scenario that makes every web page accessed flood the screen with midget porn.
In conclusion, sadly, even your father is wrong once in a while, and this time Linus Torvalds, the inventor and father of the Linux Kernel, happens to be dead wrong.
Root passwords are a must, no matter how mundane and harmless the task.