Mon, 05 Jun 2006
Apparently Novell did usability tests of their GNOME desktop (I think I have already read about it in the Linux Journal or somewhere). Today I managed to browse their results: interesting work, I must say. However, there was one thing that surprised me, and I wondered whether the researchers had any basic knowledge of how UNIX works at all:
In the "Set time and date" test, the test subjects' task was to adjust the date and time on the local system. One of the main problems was that they were confused when the time setting application prompted for the root password - they incorrectly supposed that they had to log out from the whole session and then log back in as a superuser. So far OK, I would say "fix the appearance of the password dialog of pam_timestamp (or whatever the responsible party is)".
However, the researchers' recommendation was: "Fix time and date settings to not require root access". WTF? This can be easily translated to "Make users log in as root by default", which is a behaviour of The Other OS, Which Should Not Be Named Here, and the behaviour which is often referred to as one of the main problems in the security of that OS. Bleeeh.
7 replies for this story:
Abraxis wrote: New times in kernel
AFAIK there is a new feature in the kernel allowing processes to have completely independent times. It's designed for virtualization (Xen, UML) but I can imagine it can also be useful for this.
Yenya wrote: virtual time
Yes, I know about virtual time patches. But even then, you need superuser access inside your domain (XEN, UML). I think we should not suggest that users run their sessions as root, even though it would be inside the virtual domain.
Adelton wrote: No need to be root ...
You say that this was a desktop usability test. I can easily imagine the host being single-user-mostly, and then it makes sense for the user logged on the console to change the time settings instead of being forced to know the root password. I mean, the user (a mother, a wife, a granddad) knows the current time, wants to tell the correct time to the computer -- why should he need to know the root password?
Yenya wrote: Re: No need to be root ...
How can the computer know that it is single-user-mostly? It would make sense to create a "single-user-mostly" config (gdm autologin, etc.), and authenticate the time adjustment with pam_console in such a situation. But I think setting the time _should_ remain a root-only task.
Adelton wrote: Someone will tell it
Obviously someone has to tell the computer that actions like updating time should be allowed even by nonprivileged users. That someone has to be root.
Yenya wrote: Single-user system
Yes, but such a system is probably out of scope of the general GNOME usability tests, so the "Fix time and date settings to not require root access" recommendation does not apply here.
Cordelia wrote: gndBaPFilxJN
Wow! Talk about a posting knocking my socks off!