Some quick suggestions for Linux Mint 18

Suggestions and feedback for Linux Mint and the forums
Forum rules
Do not post support questions here. Before you post read: Where to post ideas & feature requests
Post Reply
Yfrwlf
Level 3
Level 3
Posts: 172
Joined: Sat Jun 08, 2013 7:46 pm

Some quick suggestions for Linux Mint 18

Post by Yfrwlf »

1. Password prompt changes:
a. Completely automated update option, requiring no password prompting or manual updating.
b. Policykit or some such thing with a time-out to avoid having to enter password multiple times in rapid succession. (For example, you open Software Manager, then try to perform updates, having to enter your password twice. With a Policykit time-out like Ubuntu has, you'd only have to enter it once.)
c. Make Software Manager only ask for a password when you attempt to install or remove a package. I know it's a program that launches with root privs right now, but if integrated with Policykit like Ubuntu's Software Center you could browse apps without having to put in your password first.
d. Is there a secure way to get rid of password prompts altogether and instead have the "allow" prompt similar to Windows? If the system for it could be made secure, the only insecurity I see would be the threat of someone using your computer while you're away, but you should be locking the screen in that case. Perhaps this decision was intentional, but I can't help but feel it was overly anal as, again, users should really lock their screens when around someone they don't trust, and if an untrusted party has access to their computer they could do something else malicious.

2. Automatically pull from closest software sources in parallel. While the prompt for local sources and ping thing is all awesome, it could all be automated by default so users don't have to worry about it, and it could pull from multiple sources so that updates are downloaded much more quickly. There could be an "automatic" option somewhere in the sources config for this.

3. High DPI improvement: In Ubuntu 16.04 they have a slider for scaling the entire desktop, just in case you want more desktop real estate and want windows to be smaller on your big 4K monitor than "double". They also have it in the "display" section instead of "general" which seems more appropriate.

4. Indexing of your files. I'm not sure why I find updatedb.mlocate running every now and then indexing stuff when the Linux Mint panel doesn't allow searching through any local files besides the 20 or so most recent files opened. This is a feature I loved about Unity's "lens", being able to pull up any movie, song, document, etc from the menu. Ubuntu has an option to disable this indexing if someone doesn't want it.

5. Is Mint's SAMBA "secure" file sharing broken by default? I've always had to use the "Guest access" option because I could never get sharing working without it. It seems broken by default although I'm sure there is some way to get it working with some tweaks, but it should work out-of-the-box.

Just some ideas! :D
Thoughts?
Cosmo.
Level 24
Level 24
Posts: 22968
Joined: Sat Dec 06, 2014 7:34 am

Re: Some quick suggestions for Linux Mint 18

Post by Cosmo. »

Regarding passwords:

The behavior that you suggest for the software manager was already there in the past, with the annoying result, that you had to enter the password for every single install / uninstall operation.

The password is indeed needed for the backend of the GUI-package tools. If the password would be cached as you suggest it would mean, that an attacker could use this to (un)install anything from the distant.
Yfrwlf
Level 3
Level 3
Posts: 172
Joined: Sat Jun 08, 2013 7:46 pm

Re: Some quick suggestions for Linux Mint 18

Post by Yfrwlf »

Cosmo. wrote:Regarding passwords: The behavior that you suggest for the software manager was already there in the past, with the annoying result, that you had to enter the password for every single install / uninstall operation.
I remember that, the current situation is an improvement, but not as good as Ubuntu's solution.
Cosmo. wrote:The password is indeed needed for the backend of the GUI-package tools. If the password would be cached as you suggest it would mean, that an attacker could use this to (un)install anything from the distant.
If an attacker has access to your user account, they can capture your key presses anyway and you're already compromised? Otherwise, perhaps you're arguing the security of Policykit vs. a program running as root, and without understanding how Policykit works I can't comment on that. I'm sure there are many arguments why each system could be more or less secure.
altair4
Level 20
Level 20
Posts: 11433
Joined: Tue Feb 03, 2009 10:27 am

Re: Some quick suggestions for Linux Mint 18

Post by altair4 »

5. Is Mint's SAMBA "secure" file sharing broken by default? I've always had to use the "Guest access" option because I could never get sharing working without it. It seems broken by default although I'm sure there is some way to get it working with some tweaks, but it should work out-of-the-box.
I'm not sure what that means so the answer is: No it's not broken by default.

If by "secure" you mean not accessible without the client passing credentials it's the same as it's always been pretty much everywhere:

** You need to create local Linux users representing the client users.
** Then add those users to the samba password database.
** And you need to make sure that the Linux permissions of the shared folder is consistent with whatever privileges the samba client user was granted. If you are using usershares ( i.e., nemo-share ) it will do that automatically.

Except for the middle one about samba password database I could make the same observation about creating "secure" shares on Windows.
Please add a [SOLVED] at the end of your original subject header if your question has been answered and solved.
Yfrwlf
Level 3
Level 3
Posts: 172
Joined: Sat Jun 08, 2013 7:46 pm

Re: Some quick suggestions for Linux Mint 18

Post by Yfrwlf »

altair4 wrote:
5. Is Mint's SAMBA "secure" file sharing broken by default? I've always had to use the "Guest access" option because I could never get sharing working without it. It seems broken by default although I'm sure there is some way to get it working with some tweaks, but it should work out-of-the-box.
I'm not sure what that means so the answer is: No it's not broken by default.

If by "secure" you mean not accessible without the client passing credentials it's the same as it's always been pretty much everywhere:

** You need to create local Linux users representing the client users.
** Then add those users to the samba password database.
** And you need to make sure that the Linux permissions of the shared folder is consistent with whatever privileges the samba client user was granted. If you are using usershares ( i.e., nemo-share ) it will do that automatically.

Except for the middle one about samba password database I could make the same observation about creating "secure" shares on Windows.
It's "broken", because sharing out a folder with the current account credentials doesn't work when simply using the nemo-share GUI. Nemo-share needs to perform the additional step of adding the current user's credentials to the samba password database in that case. Otherwise, the GUI is showing it is shared out when it actually isn't, and that's horribly confusing for new users who have no idea they need to edit the samba database manually to complete the process.
altair4
Level 20
Level 20
Posts: 11433
Joined: Tue Feb 03, 2009 10:27 am

Re: Some quick suggestions for Linux Mint 18

Post by altair4 »

There is no other way. The only thing that comes closest to that scenario is the way Ubuntu does it and only if you choose to do it. Ubuntu doesn't install the Samba server by default but if you try to create a share in Nautilus it will install it and it will also ask you this question:
smbpass.png
Should you choose to do so it will install and that package has only one function: It assigns to the Linux user a samba password that matches his Linux logon password.

Once upon a time Ubuntu would install that package automatically when it installed the rest of samba but they got so much flak over it that now it asks if you want it installed.

Perhaps instead of saying something like "Is Mint's SAMBA "secure" file sharing broken by default?" you should ask for that package to be installed by default. It will drive users like me crazy since I'll have to go out of my way to remove it but every distro has quirks.
Please add a [SOLVED] at the end of your original subject header if your question has been answered and solved.
Yfrwlf
Level 3
Level 3
Posts: 172
Joined: Sat Jun 08, 2013 7:46 pm

Re: Some quick suggestions for Linux Mint 18

Post by Yfrwlf »

altair4 wrote:There is no other way. The only thing that comes closest to that scenario is the way Ubuntu does it and only if you choose to do it. Ubuntu doesn't install the Samba server by default but if you try to create a share in Nautilus it will install it and it will also ask you this question:
smbpass.png
Should you choose to do so it will install and that package has only one function: It assigns to the Linux user a samba password that matches his Linux logon password.

Once upon a time Ubuntu would install that package automatically when it installed the rest of samba but they got so much flak over it that now it asks if you want it installed.

Perhaps instead of saying something like "Is Mint's SAMBA "secure" file sharing broken by default?" you should ask for that package to be installed by default. It will drive users like me crazy since I'll have to go out of my way to remove it but every distro has quirks.
If the point of Linux Mint is to be as user-friendly as possible, having it installed by default is probably a good idea. At the very least, it should ask to install it when a user tries to create a share that isn't open to "guest" access, because otherwise the default desktop isn't as user-friendly and can just be frustrating when trying to connect to a share from another device. That unfriendliness pushes users to choose the guest option which means less security by default.

Thanks for the comments and discussion by the way! :D
altair4
Level 20
Level 20
Posts: 11433
Joined: Tue Feb 03, 2009 10:27 am

Re: Some quick suggestions for Linux Mint 18

Post by altair4 »

The only possible use case for installing libpam-smbpass by default would be for a production Server which Mint is not.

And that would only be as a convenience for the SysAdmin so that he wouldn't have to populate the samba password database manually. But a Server Admin wouldn't be creating users with local sign on passwords so even there I don't think it would be of much use.

In every other way it's a security problem. If I create a user named ... agnes ... and make the mistake of giving her a local login password libpam-smbpass would then create a samba password that matches it. Great. So now Agnes not only has access to the samba shares on this box but has access access to the physical box itself.

If I create a user agnes and don't give her a local login password libpam-smbpass would fail to create the samba password. I could create a user agnes and give here a made up password I suppose but this is getting to be a lot of work on my end. Certainly much more work than just adding agnes to smbpasswd.

At the end of the day it doesn't matter I suppose. If it's installed by default I'll just add it to the list of changes I have to make to Mint on a fresh install.

I probably should have mentioned that I'm one of the ones that successfully lobbied Ubuntu to drop the automatic install of libpam-smbpass. I wanted it dropped entirely but at least now it asks if you want it to install
Please add a [SOLVED] at the end of your original subject header if your question has been answered and solved.
Yfrwlf
Level 3
Level 3
Posts: 172
Joined: Sat Jun 08, 2013 7:46 pm

Re: Some quick suggestions for Linux Mint 18

Post by Yfrwlf »

The point is that Linux Mint should be user-friendly, and the desktop should be easy to use especially for new users. If the default experience is that sharing doesn't work unless they use the guest option or unless they perform several additional technical steps to fix it, then that's not a good experience.

I don't care how it gets fixed, but it's an obvious problem that needs to be fixed to make Linux Mint better and more user-friendly. I care about making Linux better. That's why I posted here. I want it to be the go-to replacement for Windows 10 for more users, and making it easier for them to do stuff without dropping to a terminal, installing one or more samba packages, configuring the password in the database because there is no mechanism to sync the current user's password with the smb database, etc, will help with that.

I'm trying to give possible solutions, but clearly there needs to be much better integration between desktop environments and NFS, SMB, and/or other file sharing services.
Cosmo.
Level 24
Level 24
Posts: 22968
Joined: Sat Dec 06, 2014 7:34 am

Re: Some quick suggestions for Linux Mint 18

Post by Cosmo. »

Yfrwlf wrote:
Cosmo. wrote:The password is indeed needed for the backend of the GUI-package tools. If the password would be cached as you suggest it would mean, that an attacker could use this to (un)install anything from the distant.
If an attacker has access to your user account, they can capture your key presses anyway
If a system is compromised, there is no sense to speak about security; there isn't any.
I wrote about a not compromised system.
Yfrwlf
Level 3
Level 3
Posts: 172
Joined: Sat Jun 08, 2013 7:46 pm

Re: Some quick suggestions for Linux Mint 18

Post by Yfrwlf »

Cosmo. wrote:
Yfrwlf wrote:
Cosmo. wrote:The password is indeed needed for the backend of the GUI-package tools. If the password would be cached as you suggest it would mean, that an attacker could use this to (un)install anything from the distant.
If an attacker has access to your user account, they can capture your key presses anyway
If a system is compromised, there is no sense to speak about security; there isn't any.
I wrote about a not compromised system.
Um, "from the distant" isn't a proper sentence, but if you meant a user somehow being able to remotely attack a system just because that system uses cached credentials, then that's completely wrong and silly to think.
Cosmo.
Level 24
Level 24
Posts: 22968
Joined: Sat Dec 06, 2014 7:34 am

Re: Some quick suggestions for Linux Mint 18

Post by Cosmo. »

No, I didn't mean, what you wrote, but what I wrote.

BTW, you dodge. Suddenly no word about capturing keypresses anymore.
User avatar
xenopeek
Level 25
Level 25
Posts: 29531
Joined: Wed Jul 06, 2011 3:58 am

Re: Some quick suggestions for Linux Mint 18

Post by xenopeek »

If you have input for/questions about Yfrwlf's suggestions you can share those here. If you have other suggestions kindly make your own topic for this. I've moved all the posts here about downgrading the kernel to viewtopic.php?f=18&t=218362&p=1142640#p1142640.
Image
xrhstaras

Please don't update to new xorg so the unfortunate amd owner could use fglrx for god's shake !

Post by xrhstaras »

Please don't update to new xorg so the unfortunate amd owners could use fglrx for god's shake !
We did the mistake to purchase an amd graphics card (even if we knew that sucks on linux) don't kill us !!!
Post Reply

Return to “Suggestions & Feedback”