Re: [Tails-dev] Hide internal drives when no admin password …

Delete this message

Reply to this message
Autore: Peter N. Glaskowsky
Data:  
To: The Tails public development discussion list
Oggetto: Re: [Tails-dev] Hide internal drives when no admin password has been entered
> On Jun 11, 2015, at 9:38 PM, tailor1@??? wrote:
>
> Please see this feature request in the Tails repository > Local storage devices displayed- Tails DVD no admin (https://labs.riseup.net/code/issues/9554) where intrigeri suggested raising this issue on the mailing list.
>
> The basic premise being that hiding the internal drives in working in what I call "safe mode" (booting with no admin privileges) to be more consistent with Tails goals and objectives of consistensy than it is to show them.



From a UX perspective, I am curious what the reasoning is behind the policy of associating access to local storage devices with the entry of an arbitrary admin password.

In reality, there is no particular connection there. We can presume someone somewhere has the legal or moral authority to access the internal drives, but we have no basis to conclude that the current user is or is not authorized.

This gives us two failure modes from one policy: A) an authorized user fails to gain access because he or she did not enter an admin password; B) an unauthorized user gains access by entering an admin password.

Because the policy connects unrelated concepts, it can also mislead users. Someone might boot Tails without an admin password, not see the local drives, and assume that because Tails is a security-oriented OS, it never shows internal drives. Or someone might assume that Tails is like other Linux live distros that always give access to internal drives based on booting once with an admin password.

I’m also curious whether internal storage devices are truly locked out if the current user didn’t enter an admin password. Is it just that we don’t auto-mount the filesystems, or is it more secure than that?

I think I’d prefer that we adopt a policy of not displaying the presence of (or auto-mounting) internal drives regardless of whether an admin password is entered at boot time.

If a password has been entered, we should provide an admin-only function, whether in the GUI or on the command line, or both, that allows users to discover and mount these drives.

If no password has been entered, this function should not be operable.

This solution avoids associating unrelated concepts and largely eliminates the potential for confusion.

I’m entirely willing to have my mind changed by better arguments, of course. :-)

.               png