

Solaris 11 has the security solution Linus wants for Desktop Linux - petsos
https://blogs.oracle.com/darren/entry/solaris_11_has_the_security

======
babarock
I'm going to go on a small tangent here and ask: Solaris ... _desktop_??

I've been using Linux on the desktop for quite some time now, and couldn't be
happier. However I come to realize, after trying to "convert" a lot of people
around me, Unix isn't made for the "desktop" (understand, unfortunately,
Windows-clone).

I also use Solaris (10, not 11m but still) at work. All the time. And if Linux
isn't that great on the desktop, Solaris is a catastrophe.

I'm not being very convincing, as the points I'm mentionning would take a
whole blog post to prove. My question here is the following:

If this article is on the Oracle website, could it mean that the people at
Redwood are trying to be more agressive on the desktop market? Or are they
simply using Linus' name to attract traffic?

~~~
gaius
You know, Sun Microsystems stock ticker was SUNW... The W was for Workstation.

~~~
freehunter
Yeah, but workstation and desktop are not exactly the same. Back when SUNW
went public (1986), that distinction may not have been as defined. It makes
sense to run Unix on a workstation (workstation defined as a high performance
machine meant for a specific productivity use case). It doesn't make sense to
run it on a desktop (desktop defined as a general purpose PC your family would
use at home).

------
gvb
Debian/Ubuntu doesn't create a root login (by default) at all, so there is no
root password.

Linux already has RBAC - if you look in /etc/group, you will see a group
"lpadmin", if you are in the group, you can add/configure/delete printers
(after authenticating with your user password). To the best of my knowledge,
this is what Oracle is bragging about, and is equivalent to Microsoft's UAC
(with Win7, they finally made it as convenient as linux).

~~~
pejoculant
RBAC appears to be a bit richer of a concept than group based authentication.
In particular, role assignments can be session dependent and role assignments
can be constrained to live in a particular hierarchy. The latter is useful for
situations where you want to make it possible for a user to have role A or
role B but not both at once.

Edit: Just to add, the key thing that they appear to be bragging about is that
they use RBAC to grant the user logged into the system console the "Console
User" profile which by default has permissions to modify printers and wireless
connections. Once you have this role, you don't not need to authenticate
further.

------
Elhana
RBAC is nice in itself, but you can't really use Solaris on average desktop.
No drivers, costs money to use in production... and still no sol11 ON sources
they promised?

------
obtu
Along with many Linux distributions, because they ship PolicyKit policies
allowing some of these things by default. That said, Solaris is used on
servers and should probably default to a reduced attack surface over
convenience.

~~~
reidrac
It looks like PolicyKit is a little bit unknown, although all major
distributions have been using it for a while.

<http://www.freedesktop.org/wiki/Software/PolicyKit>

The Wikipedia page works very well as TL;DR:
<http://en.wikipedia.org/wiki/PolicyKit>

------
calloc
I ran OpenSolaris on the desktop for a little while. That experiment lasted
only about two weeks before I gave up due to various things just not working
correctly.

I wonder if things are any different with Solaris 11, or more likely I'd be
running OpenIndiana which so far has worked really well for the server work I
have it doing.

------
freehunter
So serious question, how does this significantly differ from the user account
controls in Windows? Even before the Vista/7 UAC was introduced, you could set
permissions for a user to be able to do certain things and not other certain
things. UAC increased this ability with the slider.

Obviously it sounds like Unix had more fine-grained controls earlier than
Windows did, but it still seems like Microsoft could write this same article
on behalf of Linus.

------
nwmcsween
RBAC is garbage... developers and such need to write complicated rulesets for
n solutions of RBAC systems. A less painful solution would be what FreeBSD
currently has - capsicum.

~~~
binarycrusader
If you have specific feedback about areas that need improvement, I'm certain
the blog author would love to hear them. Ranting without justification isn't
likely to solve anything.

~~~
nwmcsween
I have worked on and used selinux, rsbac, smack and others, there is no area
to improve on rbac itself isn't usable or even secure compared to a capability
based system like capsicum.

~~~
binarycrusader
RBAC is a capability-based system, so I think you're confused.

Unless of course you're basing your claims on a definition of "capabilities"
that limits that application specifically to capsicum.

I would encourage you to read more about RBAC as it is not as limited as you
seem to be implying.

------
rbanffy
I somehow find it hard to believe Linus doesn't know about "sudo"...

~~~
klausa
Of course he knows.

Read his original rant, as babarock suggested:

[https://plus.google.com/u/0/102150693225130002912/posts/1vyf...](https://plus.google.com/u/0/102150693225130002912/posts/1vyfmNCYpi5)

~~~
zokier
I read the rant (again) and imho it seems like sudo could very well be used as
a solution to his problems ("need to have the root password to access some
wireless network, or to be able to print out a paper, or to change the date-
and-time settings"). From my point of view it seems like the real issue is bad
default configuration for sudo (or an alternative system).

~~~
mvip
The problem isn't that Linus isn't aware of sudo (of course he is), but a
stupid implementation in of the printer tool in OpenSUSE.

~~~
sciurus
Agreed. Does openSUSE use PolicyKit for CUPS like Fedora does, or does it
depend on lpadmin group membership?

[http://fedoraproject.org/wiki/Features/CupsPolicyKitIntegrat...](http://fedoraproject.org/wiki/Features/CupsPolicyKitIntegration)

