Comment: Linus's daughter

By Dr. Oliver Diedrich

On Google Plus, Linus Torvalds has complained bitterly about openSUSE: apparently, his daughter had to call him from school because the set-up routine for the school printer on her MacBook Air with openSUSE was asking for the root password. In his usual direct way, Torvalds writes that requiring the root password for trivial tasks such as changing the time zone, adding a new wireless network or setting up a new printer is "moronic and wrong". For people who create such configurations for security reasons, he has some advice: "Please just kill yourself now. The world will be a better place." As the complaint was made by Linus Torvalds, the posting has attracted hundreds of comments that mostly take the same stance, and a big echo has rippled through the news feeds of the world.

The problem Torvalds describes is caused by the two souls that live in Tux: On the one hand, Linux as the descendant of proud Unix servers is a true multi-user system; on the other, it is built in the tradition of PC operating systems that grant users full control of their personal computers.

Inherent in the multi-user tradition is the idea that no user may do anything that could negatively impact other system users; such actions include installing new software, deleting existing user accounts and, in fact, setting up or removing printers. In the Unix tradition, all of these tasks are reserved for the root account. PC operating systems, on the other hand, are traditionally configured for single users who may do with their computers whatever they please and who must, at most, be protected from their own carelessness.

The simple compromise between the worlds is logging into Linux as root. Then, a user may do anything – even add a space in the wrong place, as in "rm -rf / home/foo/tmp/*", and wipe the whole hard disk without further warning.

The modern variant of this approach is called sudo: The first user who is created during system installation is entered into /etc/sudoers as "ALL=(ALL) ALL". After that, this user may do everything that is restricted to root, but they only need to enter their personal password, not the root password. Ubuntu, for example, uses a dedicated admin group for this purpose; when new users are added, the admin can decide whether to grant these users "licence to sudo" (and add them to the admin group).

However, sudo doesn't solve the problem encountered by Linus Torvalds and his daughter – it still only ever differentiates between "may do everything" (with sudo) and "may do nothing" (without sudo). However, what Torvalds wants is a system that will restrict critical actions to himself but will allow his daughter to perform simple system configuration tasks such as setting up a network connection or printer. Or, to expand this discussion beyond Linus and Daniela: anything that potentially threatens system integrity can only be done by the IT department, but the task of setting up a printer can be performed by a simple user (for example by a field rep who wants to print something at the customer's office).

What's required is that any user may set up a printer, but that they mustn't be able to remove other users' configured printers; that users can load a driver for their USB sound card but are unable to crash systems by forcing them to unload crucial drivers; and that they can install programs but are unable to delete the /usr/bin/git file.

The classical Unix mechanisms – user-based and group-based access rights, POSIX capabilities – probably wouldn't make an easy job of this. But Linux has long evolved further: it offers extended file attributes, Mandatory Access Control via SELinux etc, and services such as PolicyKit. What's missing is a user model: The classical Unix multi-user model was not designed for PCs and notebooks that are generally used by a single person but have somebody else as their "basic administrator".

Even the Android model is more suitable in this respect: users may change the time zone, connect their devices to a new network, set up a network printer and even install arbitrary software – but they can't delete the kernel, installing an app doesn't affect the functionality of other apps, and messing up a Wi-Fi network configuration doesn't render the device unusable.

If Linus' daughter could do on her notebook everything that's possible on an Android device, much would already be resolved. Only Linus' root access would still need to be sorted out, of course.