Tuesday, May 25, 2010

Fedora 13 is out

If you have been following my recent posts about Fedora 13 beta, you may be interested to know that Fedora 13 is out now!

Looking through the list of changes for desktop users in Fedora 13, everything I've talked about in my other posts is there. I'm planning to install it on my laptop (really, my USB flash drive) later this week.

Thursday, May 20, 2010

It's called sudo

Sometimes, I get email spam that is too interesting to delete immediately. Here's one that arrived at my work account, advertising a free "webinar" about a security product:

    Organizations can no longer tolerate the security risks posed by intentional, accidental or indirect misuse of privileges. However, organizations need to provide the extended enterprise with necessary privileges within specified guidelines to do their job safely.

    You will learn how to securely delegate privileges and authorization without disclosing the root password, including [...]

Maybe I wasn't aware that people didn't know how to do this already, so I'll explain it here. In Unix and Linux systems, this is managed using the "sudo" command.

With sudo, a systems administrator can delegate the ability to run certain commands as though the user were root. (In Unix, root is the administrator of the system.) Only certain commands are allowed, as designated by the real systems administrator. You can even specify which command line options are permitted.

For example, in a corporate environment, a systems administrator often just manages the operating system, and a separate web server administrator is in charge of managing the technical components of a web site. We do this where I work. So root can set up sudo so the web server administrator can start, stop, and restart the "httpd" service. That's all the web server administrator can do - they can't do anything else as root.

Most importantly, sudo allows you to grant access to specific users. So users ben and mike can restart a web server, because they're the only people on the web server administrator team - but not users fred or sharon.

The ben user would type this at the "$" command line prompt:

    $ sudo service httpd restart

Or maybe the systems administrator set up a single command to restart the web server. In that case, the command might be:

    $ sudo web-restart

On my personal Linux system, I never log in as root anymore, so I use sudo for those (rare) times that I need to do something "administrative" at the command line. (I don't often work at the command line these days, but sometimes I like to exercise my "sysadmin" background.)

In my case, I configured the sudo command (/etc/sudoers) to allow my general user login to run any command as root, but only if I provide my password. It's easy! You can also set up sudo to not require a password for certain users or for certain commands, but I prefer to require a password - if only to remind me that I'm about to become the root user.
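
The delegation described above, written out as sudoers rules. This is an added example, not the author's actual configuration; the alias names, the login jdoe, and the paths /sbin/service and /usr/local/sbin/web-restart are assumptions.

```sudoers
# Fragment of /etc/sudoers (constructed example; always edit with visudo).
# Assumed paths: /sbin/service and /usr/local/sbin/web-restart.

# The web server administrator team from the post. fred and sharon are
# not listed anywhere, so sudo refuses them.
User_Alias  WEBTEAM = ben, mike

# Full paths with explicit arguments: only these exact command lines
# match. "service httpd status" or "service sshd restart" is denied.
Cmnd_Alias  HTTPD_CTL = /sbin/service httpd start, \
                        /sbin/service httpd stop, \
                        /sbin/service httpd restart

# The single-command variant. The "" means no arguments are accepted.
# The script must be owned by root and not writable by the team,
# otherwise they could edit it and run anything as root.
Cmnd_Alias  WEB_RESTART = /usr/local/sbin/web-restart ""

# who      where = (run as)  what
WEBTEAM    ALL   = (root)    HTTPD_CTL, WEB_RESTART

# The personal setup described above: one login (placeholder "jdoe")
# may run any command, and sudo asks for jdoe's own password first.
jdoe       ALL   = (ALL)     ALL

# The passwordless variant, limited to one command alias rather than
# ALL. Shown commented out.
# WEBTEAM  ALL   = (root)    NOPASSWD: HTTPD_CTL
```

Run `visudo -c` to check the syntax after editing, and have each user run `sudo -l` to list exactly what they are permitted to run.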

For when you're working in the GUI, Linux uses PolicyKit to do something similar. That's why you can change the date and time on a Linux desktop without having to log in as root.

Note that Windows has something similar to sudo, called runas ("Run As"). In Windows Vista and Windows 7, this is User Account Control, or "UAC". But runas (or UAC) is actually less secure than sudo. When you want to run an "administrative" command using runas, you will be prompted to provide the password for Administrator. So to delegate authority and privilege to your users, everyone needs to have shared access to the Administrator password.

I guess that's another way in which Linux does things a bit better.

Saturday, May 15, 2010

About openness

While I've been away these last 2 weeks, I've watched the Apple/Adobe fight very closely. At issue: Apple doesn't support Flash on the iPad, iPhone, or iPod Touch. Adobe, the parent company behind Flash, isn't at all happy with Apple's decision. So they fight it out in the press. In the latest move, Adobe ran "We ♥ Apple" ads in The New York Times and The Wall Street Journal, pressing their side of the argument.

If you want to read Apple and Adobe's opinions directly: Steve Jobs posted his thoughts on Flash, and Adobe shared their thoughts as well.

I find it very interesting to note what both sides claim is the core issue: Openness.

Steve Jobs leads with this issue, saying:

    First, there’s “Open”.

    Adobe’s Flash products are 100% proprietary. They are only available from Adobe, and Adobe has sole authority as to their future enhancement, pricing, etc. While Adobe’s Flash products are widely available, this does not mean they are open, since they are controlled entirely by Adobe and available only from Adobe. By almost any definition, Flash is a closed system.

    Apple has many proprietary products too. Though the operating system for the iPhone, iPod and iPad is proprietary, we strongly believe that all standards pertaining to the web should be open. [...]

John Warnock and Chuck Geschke (Adobe) directly address Openness too:

    If the web fragments into closed systems, if companies put content and applications behind walls, some indeed may thrive — but their success will come at the expense of the very creativity and innovation that has made the Internet a revolutionary force.

    We believe that consumers should be able to freely access their favorite content and applications, regardless of what computer they have, what browser they like, or what device suits their needs. No company — no matter how big or how creative — should dictate what you can create, how you create it, or what you can experience on the web.

Both companies are being one-sided here, but Apple's response annoys me. Steve starts out by talking about how proprietary/closed products are bad, then in the next paragraph twists his case into a web context.

But isn't it interesting that these two companies can talk so baldly about Openness, without addressing the question: "Can it really be 'open' if the source code remains closed?"

Actually, Adobe did briefly address this in another post, but it didn't get much press. Here's what they say about it:

    The core engine of Flash Player (AVM+) is open source and was donated to the Mozilla Foundation, where it is actively maintained. The file formats supported by Flash Player, SWF and FLV/F4V, as well as the RTMP and AMF protocols are freely available and openly published. Anyone can use the specifications without requiring permission from Adobe. Third parties can and do build audio, video, and data services that compete with those from Adobe.

    There are no restrictions on the development of SWF authoring tools, and anyone can build their own SWF or FLV/F4V player.

    Flex, the primary application framework for the Adobe Flash Platform, is also open source and is actively maintained and developed by Adobe and the community.

    Finally, the Flash Platform has a rich developer ecosystem of both open and proprietary tools and technologies, including developer IDEs and environments such as FDT, IntelliJ, and haXe; open source runtimes such as Gnash; and open source video servers such as Red5.

So Adobe can get some credit, here, for their claim of Openness. It's not a full pass from me, but the "core engine" and an open spec are notable steps.

If we're going to make serious arguments about Openness, we really need to talk about "Free / Open Source Software." It's not just about choosing between option A and option B, where you can't really modify either to suit your needs.

The basic definition of Free / Open Source Software is that the source code must be made available for others to see. A necessary side-effect of this condition is that anyone who uses the program has an opportunity to make improvements. A well-managed project will accept any improvements in the form of patches, which modify the program to solve someone else’s slightly different (but similar) problem. Releasing new versions of the software with the new features ensures that everyone benefits from these changes.

That's why I prefer to use Free / Open Source operating systems such as Linux. The user community has total freedom; the software can never turn against you. It only takes one person with enough vision and motivation to deliver another option that benefits everyone. And since the source code remains open, it continues to benefit the community after that person is done.

In a prettier-but-closed system, à la Apple's "walled garden", you are subject to the whims of whoever brings you the software. Mac users and developers who may be unhappy with Apple's decision not to support Flash will just have to wait for Apple to change their minds. But they may not want to hold their breath.