Rich Freeman via plug on 8 Apr 2021 18:26:42 -0700
Re: [PLUG] that's nice

On Thu, Apr 8, 2021 at 9:05 PM Fred Stluka via plug <plug@lists.phillylinux.org> wrote:
>
> But the policy that specifies the access control per key/folder
> of the registry is itself stored in the registry. Right? Doh!
>

Sure, in the same way that a Linux inode stores the owner/permissions attributes that indicate who is allowed to modify the inode. If the registry key says you're not allowed to modify the registry key, well, you can't modify the registry key, just as a non-root user can't run chown on a file they don't own, even though chown modifies the very record that contains the owner.

I believe the registry files themselves are not editable by ordinary users (especially since they're going to be locked and in-use anytime the user is logged in). Fiddling with them from a rescue disk is of course possible, if the company isn't using full disk encryption.

Sure, not all Windows sysadmins know how to actually admin Windows, but then again I'm sure there are plenty of Linux sysadmins out there who don't know what they're doing. If you deploy Linux desktops with the user having UID 0 then the user is obviously going to be able to fiddle with things. That is pretty analogous to giving users admin rights on Windows...

Even in a less-secure configuration, the policy is going to get reapplied every time you log in, so you're still going to have to load that registry key every time you log in.

--
Rich
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug