l4-hurd

Admin role (was: Re: About explicit security bypass)


From: olafBuddenhagen
Subject: Admin role (was: Re: About explicit security bypass)
Date: Fri, 4 Nov 2005 05:50:09 +0100
User-agent: Mutt/1.5.9i

Hi,

> Errors at system install should not happen.  If they do, it is not
> unacceptable to need a reinstall to correct the problem.  Note that
> those errors, if they occur, are errors from the system developers,
> not from the administrator.

Oh, sure, the system is either perfect, or it needs to be reinstalled...
Why does that remind me of Windows?

> He doesn't need access to security-critical parts of the system.  On a
> well-designed system, it seems to be possible to let users handle
> their own data.  The system administrator cannot touch that, and he
> cannot touch parts that directly handle it (such as the hard disk
> driver).  The system installer made a choice for those components, and
> booting from a different medium is required to change that.  On
> current systems administrators need the right to boot from different
> media.  This need not be the case on the new Hurd.  They probably
> still have that right, since the administrator and installer are often
> the same person.  But their responsibilities can (and should IMO) be
> separated.  The administrator should not have rights that he doesn't
> need for his job.

And where do you draw the line? What about updates? What about changed
requirements? What about migrating? What about custom modifications?
What about security fixes?

In practice, the administrator will *never* be completely distinct from
the one doing the installation. (I know the problems from attempting
such a separation very well.) It would be pointless anyways, as there is
absolutely no reason to believe the one doing the installation would be
more trustworthy than the actual admin.

More generally speaking, the admin will always have the means to screw
the system if he desires to do so. Any attempt to limit his power will
only hinder him in doing his job properly, with adverse effect on
everyone involved: The admin, the users, their boss, and most notably
the system that tries to enforce such absurd policies -- who would like
to use a system that prevents proper administration?

Having a system where a skilled admin has any possibilities he desires to
intervene if something goes wrong, is the only way to go. And things
going wrong is a reality, no matter how carefully you design your
system.

-antrik-
