l4-hurd

Re: Design principles and ethics


From: Jonathan S. Shapiro
Subject: Re: Design principles and ethics
Date: Sun, 30 Apr 2006 18:13:07 -0400

On Sun, 2006-04-30 at 21:21 +0200, Tom Bachmann wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Jonathan S. Shapiro wrote:
> > Apparently I did not see it. Here is the essential question:
> > 
> > /sbin/passwd requires the authority to write the password database,
> > which the user does not have.
> 
> Wrong. In my proposal she has the authority because there is no real
> ``password database''. There is just a file (say ~/.passwd) that
> contains the hash of the user's password.

So you propose that the system-wide login process should have the
ability to read all of these files, but each user should have the
ability to write their own?

This is clever. How do you propose to address the following issues?


1. There are overwhelmingly compelling reasons to set policies against
stupid passwords. This is why cracklib exists -- one bad password
endangers an entire system. This implies that even if the user owns the
password file, we wish to restrict the conditions under which that file
can be written. Indeed, using purely user-defined authentication
methods is a bad idea because of this.

2. I'm not sure how something like 'su fred' would be implemented in
this style of system.

3. What happens when the user accidentally deletes their password file?


shap




