On 2019-11-29 23:39, Trevor Cordes wrote:
I agree that EACCES should not be a thing when running as root. In fact, I'm a firm believer in "root being able to do everything" on Linux [...] Adam vehemently argues the opposite :-)
I most certainly do not! I think SELinux is an abomination whose entire concept needs to die a fiery death, and I'm not exactly stoked about Capabilities, either. What I have said is that many large organizations, especially those subject to periodic audits and/or who need check-box compliance for e.g. PCI et al., *NEED* those capabilities so that they can continue using UNIX.
When you get into a hierarchical, centrally-managed model, things change again - there are valid use cases for wanting the local system "owner" to have root access and be able to do most root-ish things, but not absolutely everything. Network configuration is a common example - it's pretty hard to trust your network when you can't trust that all the systems on it have correct network settings. And if you give the average programmer root access, they WILL screw up the network in some new and interesting never-before-seen way. Go ahead, ask me how I know :-).
Most of the time, technical users "need root" in order to start a daemon that binds to a low port. Or maybe to change printer configuration. There's a lot of crap that still can't be effectively managed by non-root users on modern UNIX desktops. (MacOS being the obvious exception here.) If I want to give a programmer a laptop running Fedora, and have them use it everywhere and anywhere ('cuz, you know, it's a LAPTOP) then I pretty much have no choice but to give them root access to manage networks and printers and displays/peripherals. That's often undesirable.
That's not to say the superuser paradigm is at fault - all those things COULD very well be accomplished without root permissions (not even sudo!), if the relevant subsystems had been designed with that in mind. I'm still perfectly OK with the superuser paradigm, I blame the mid-layers for most of its *supposed* shortcomings.
-Adam