Torvalds blasts openSUSE, security policies

Security policies too intrusive, Linux creator argues

It's not often Linux creator Linus Torvalds makes a public statement about one of the distros he's using. But when he does, it's a doozy.

Yesterday on Google Plus, Torvalds posted a brief rant aimed at the developers of the openSUSE distro, which Torvalds apparently runs on one of his personal laptops.

Or, at least he did.

Torvalds took issue with that distro's security policy, which requests an administrative password at times he felt were unnecessary.

"I gave OpenSUSE a try, because it worked so well at install-time on the Macbook Air, but I have to say, I've had enough. There is no way in hell I can honestly suggest that to anybody else any more.

"I first spent weeks arguing on a bugzilla that the security policy of requiring the root password for changing the timezone and adding a new wireless network was moronic and wrong."

Yesterday's diatribe was not the first time Torvalds has raised this particular issue, and it probably won't be the last. The straw that broke the camel's back for Torvalds was a call from one of his children at school, needing the admin password to add a printer to that laptop, a Macbook Air.

Torvalds' response to this was, as usual, strong:

"So here's a plea: if you have anything to do with security in a distro, and think that my kids (replace 'my kids' with 'sales people on the road' if you think your main customers are businesses) need to have the root password to access some wireless network, or to be able to print out a paper, or to change the date-and-time settings, please just kill yourself now."

While his admonishment was stronger than I would have worded it, the basic premise for Torvalds' statement has much merit: from a usability standpoint, the security policy of openSUSE and other distros to require a password for such basic changes seems a bit much. My personal preference would be to have a password when something new tried to run on my machine, and that's about it.

But care should be taken when addressing this issue. After all, the security of Linux is something that has always been paramount within every distro, and relaxing security policies should only be done if that security is not compromised. I am not a security expert, so I don't know if the vectors Torvalds describes would be enough for a serious security breach, but I suspect not.

Perhaps an adjustable security policy should be put in place, which by default would be strong, but then could be customized to loosen things up a bit based on the user's preferences.

With the admin password, of course.

Read more of Brian Proffitt's Zettatag and Open for Discussion blogs and follow the latest IT news at ITworld. Drop Brian a line or follow Brian on Twitter at @TheTechScribe. For the latest IT news, analysis and how-tos, follow ITworld on Twitter and Facebook.
