[Tails-ux] Security by designation and Tor Browser

Author: spencerone
Date:  
To: tails-ux
Subject: [Tails-ux] Security by designation and Tor Browser
Hi,

>
> intrigeri:
> The way I understand this family of security/UX designs, sadly they
> don't fix all problems, and to be safe one needs at least one of:
>
>  * privileged *apps* that have fine-grained permissions (e.g. my VoIP
>    software would be allowed to control microphone volume levels); in
>    this case it means that every piece of the desktop that allows the
>    user to control the microphone volume would need to be itself
>    allowed to do that; that's essentially the Android model; and
>    technically speaking, it works best with 1 app = 1 UID, doesn't
>    match how current Linux distros and desktop environments work, and
>    doesn't cut it for strongly integrated bits of UI that need to all
>    run under a single UID such as widgets integrated in the GNOME top
>    bar;

>
>  * a privileged helper, that once invoked by the application (e.g.
>    after the user clicked "Save link as"), itself calls back to the
>    user to ask them what they really want to do (e.g. in some
>    graphical file chooser); this works fine for processes that are
>    inherently two-step ones, such as opening or saving files; however,
>    this seems not that good for things the user would typically expect
>    to be one-step actions, such as changing some mixer level: not sure
>    the UX would be great for this scenario:

>
>      Given I am running Tails
>      When I unmute the microphone volume in any application
>           [note that said application is *not* allowed to do that itself]
>      Then I am asked for confirmation
>           [by the privileged helper]

>
>    ... in this case, asking for confirmation feels quite backwards
>    wrt. the initial goal of letting the user indicate what they wish
>    to see happen, and then, well, make it happen without additional
>    security-specific nagging they'll click through anyway.

>


This (Android vs Windows) seems more like permanent vs temporary, even
though the temporary permissions can often be extended into permanent
rules (similar to Little Snitch), which is more or less a hybrid
permissions model.

I do not think the hybrid model limits the Tails experience in any way.
It also feels like managing UID permissions instead of application
permissions addresses the issue, as multiple processes can be grouped
under one UID.

Firefox handles one-step processes by presenting options, which turns
the one-step process into a two-step process, as in "Do you want to
allow access to your microphone? [Yes] [No]". An added 'Set Globally',
or something similar, would make this (and other first-run
applications/processes) more usable.

Basically, do both. Would this work?

Wordlife,
Spencer