
Linux links of the week


The Linux Cross Reference project has put together an extensive, web-based interface to the Linux kernel source code. Everything is heavily indexed, making it easy to jump from one section of the code to another. It is a useful resource for those who wish to get into how the kernel actually works.

The Linux User Groups Worldwide page has been reworked with new technology. If you are ever trying to find a Linux user group for a particular place, this is the place to look.

Section Editor: Jon Corbet


October 7, 1999
Letters to the editor


Letters to the editor should be sent to letters@lwn.net. Preference will be given to letters which are short, to the point, and well written. If you want your email address "anti-spammed" in some way please be sure to let us know. We do not have a policy against anonymous letters, but we will be reluctant to include them.
From: reynolds@cs.duke.edu
Date: Wed, 6 Oct 1999 22:44:01 -0400 (EDT)
To: corbet@eklektix.com
Subject: Microsoft myths, correction/addition

Jon,

Microsoft said this:
> Linux security is all-or-nothing. Administrators cannot delegate
> administrative privileges: a user who needs any administrative
> capability must be made a full administrator, which compromises best
> security practices.

To which you (on LWN) replied thus:
> There is some truth here. The "superuser" model has a number of
> problems, and utilities like "sudo" are a sort of fragile kludge made
> necessary by this model. The Linux kernel has increasing support for
> capabilities, which provide the sort of fine-grained privileges needed,
> but support for capabilities at the user level will be a while in
> coming. Access control lists (ACLs) are also in development and in a
> testing mode.

There is irony and hypocrisy there that you (having not administered NT
in a large, distributed-administration environment, I assume) didn't pick
up on.  NT's fine-grained administration delegation isn't much better off
than Linux's!  It's well-intentioned but almost useless.  For example, a
user can be given the right to add NT machines to an NT domain, but this
right turns out to have little practical use, because users with this
right cannot remove or refresh machines in an NT domain.  (So
reinstallations, ever common in the NT world, are not a possibility
without full Domain Admin privileges.)  Another example: a user can be
given the right to add new accounts, but this right does not include
related tasks such as deleting accounts or resetting the password on
existing accounts.

To be fair, being able to remove machines from a domain or reset other
users' passwords has huge security implications if not done right: you
could replace a backup domain controller using the former privilege and
take over administrative accounts using the latter.  So I'm not saying the
solutions are easy.  But administrative privileges as they now stand in NT
aren't much better than in Unix.

And now a bit of purely anecdotal evidence: I spent a couple of summers as
an NT administrator, and for a while I was charged with the task of
creating machine- and user-administration web scripts.  This allowed a
user that the web script authenticated to add/remove/refresh machines in
the NT domain or create/delete/reset user accounts (with certain machines,
such as domain controllers, and certain accounts/groups, such as
administrators, protected).  By making it a web script, we could make it
run as the administrator but provide our own authentication and limited
functionality -- much like the much-maligned SUID feature of Unix, but
with the added nuisance of a web server.

(A footnote to that story is the nastiness that web servers run with
administrative privileges, so hacking an Active Server Page or the server
itself yields far more privilege than hacking Apache on a Linux box.  If
NT has such great fine-grained security, why does the web server run with
Administrator/Service privileges?)

There is apparently at least one (expensive) third-party product to
provide finer-grained administrative delegation.  My ex-employer didn't
buy it, though, so I'm not sure what approach it takes.  Since it is a
kludge, and not part of the core system, it hardly counts...

--Patrick

Date: Wed, 06 Oct 1999 16:11:20 -0400
From: Bob <general@gis.net>
To: letters@lwn.net
Subject: Linux At Home, LA Times, 9/23/99 edition LWN

    This article mentioned that Intuit gets insignificant numbers of
requests for ports of their popular Quicken program to Linux.

Why bother with Quicken for Linux when you can simply download, at no
cost, a very nice program called CBB which seems to give all the
functionality that Quicken does for working with checking and savings
type accounts. A very nice html style tutorial even explains the simple
act of exporting .qif files from Quicken into CBB and vice versa.

My goal is to bring my Linux setup to the point that all my needs are
filled there and then there will be no need for Windows any longer.

Programs such as CBB make that event seem much closer on the horizon.

Bob Lee
general@gis.net

Date: Fri, 01 Oct 1999 10:45:55 -0700
To: letters@lwn.net
From: Seth Cohn <sethcohn@yahoo.com>
Subject: Learned opinions on GPL..
Cc: Bernd Paysan <bernd.paysan@gmx.de>, rms@gnu.org, esr@thyrsus.com

Letter to the Editor of Linux Weekly News (for publication)

Sirs,
When this 'Corel beta' turmoil arose, I emailed RMS himself
as well as 'Open Source' advocate Eric Raymond (among others), looking
for clarification on just when GPL 'kicked in'.

According to _both_ of them, all of the 'hardcore' GPL advocates who
are saying 'any distribution at all is covered by GPL terms' are misguided
at least.

I asked:
     Is an internal ONLY change to a GPLed program subject to GPL
     copying and distribution requirements, source providing requirements,
     etc?

 >From: Richard Stallman <rms@gnu.org>
 >Subject: Re: GPL question...

 >If it is truly internal use, within one organization, our view is that
 >that is not distribution.

and

 >From: "Eric S. Raymond" <esr@thyrsus.com>
 >Subject: Re: Fwd: GPL question...

 >No, in my opinion.  GPL requirements trigger when you distribute binaries
 >to a third party.  There are some definitional questions about what
 >constitutes an 'internal-only' release, but the principle is clear.

Based on those answers, Bernd Paysan (lwn.net letter to editor on 10/31/99)
is wrong when he claimed:

 > This also covers "internal projects", which usually restrict rights of
 > recipients of informations by NDAs or other contracts. These contracts
 > are null and void if the information given to them is a GPL'd program -
 > or the license to use the GPL'd program terminates immediately. Note
 > that the GPL is an individual license (it talks about "the recipient"),
 > thus the program isn't licensed to a company, but to persons. Moving a
 > disk from cubicle 318 to cubicle 319 is a distribution in the terms of
 > the license, and henceforth any restriction or limitations are null and
 > void *and* cause the license to terminate.
 >
 > In other words: IMHO the current treatment of "internal projects" with
 > modified GPL'd software are based on the goodwill of the participants,
 > as nothing prevents them to redistribute the software they get under
 > GPL. More so for less internal projects like a public beta test, where
 > nobody risks getting fired.

According to both RMS and ESR, they see that 'internal' is a valid limitation
on GPL. If I choose to give my employees software which I've custom modified
for them for company use, they shouldn't be able to hand those changes out if
I request they don't.  Not honoring this will stop larger companies from using
GPL code for important sensitive projects, customizing to their particular
needs, or creating NDA projects (even when they intend to release them under
GPL eventually, but want to wait till it's ready to distribute in a 'good' form).

Maybe it's time for GPL Version 2.1 which can put some definition on
'distribution'.  Since all previous GPL licenses give you the option of
choosing a more current license, this would resolve the issue painlessly.
Defining 'distribution' and 'copying' seem to be required issues for more
mainstream usage of GPL.  Better for RMS and the FSF to define them than to
leave it to the courts, lawyers and so on.

using GPLed code at work, a lot of it,
Seth Cohn
network administrator

Date: Thu, 30 Sep 1999 07:10:41 -0400 (EDT)
From: Kyle Sparger <ksparger@dialtoneinternet.net>
To: letters@lwn.net
Subject: Re: Anti-Corel Article in National Post (http://www.lwn.net/1999/0930/backpage.phtml)

Regarding the trolling by "news" sites, I have a fairly easy-in-theory,
more-difficult-in-practice way of solving this:

Someone could run a web page with news sites that tend to run inflammatory
editorials, that "we" feel are inflammatory primarily to increase
circulation.

Make this web site "known" -- announce its purpose, etc.

Form a "boycott" of such web pages.  Make the community at large aware of
it.  (Or at least try)

However, don't hit them where it doesn't hurt -- don't not-visit the web
sites (sorry for the double negative).  Visit them all you want.  However,
members who want to participate in this project (I imagine there would be
quite a few), would pledge to NEVER, EVER, regardless of the circumstances,
click through on banners, or purchase from a company as a result of those
banners.

Then make the companies doing the advertising aware of the effort.

Let's assume we have 150,000 pledges visit an article on a site known to
publish inflammatory editorials -- it wouldn't surprise me if we got more
(or less), but let's assume that that's how many we get.

If the web site makes money per click-through or if the company sells
something as a result of the advertisement, then they just served up 150k
web pages to no avail.  It was a waste of effort and resources on their
part.  Make sure they know it.  Maybe the editors will get a clue, and
start pressuring their editorial writers to write up some useful content.
Mentioning the offending authors by name might help too.

If the web site makes money per display of a banner, let the advertising
party know.  I'm sure they'll be none too happy knowing that they just
paid for 150,000 views that had absolutely no chance of making a sale.

Simply put, hit them in the bank account.  Done properly, this might just
eliminate all incentive to troll for circulation.

Kyle

Copyright © 1999 Eklektix, Inc., all rights reserved.
Linux ® is a registered trademark of Linus Torvalds.