Sunday, August 26, 2012

A Linux state of mind

A admin friend of mine asked me some time ago whether I knew how to prevent a user from burning a DVD on their office PC. I told him that was easy. Simply remove the user from the group that is able to use cdrecord and set the execution permission to only the user and group. Most distros have a cdburning group. Remove the user from that group and the user can't burn a CD or DVD but he can still read them. My friend looked at me like he was going to eat me alive.
He meant on Windows.
I sincerely didn't know but I did have some ideas. We talked about some ways including editing the registry and removing the service that is used to burn CDs. The problem stemmed from the fact that the PCs came with the software pre-installed. While it wasn't a problem, in the past, the users recently figured out how to do it and were doing it in the office, causing some concerns with some managers. The discussion went on and on and degenerated into finding the driver files and deleting them. At this point, I told him to stop and offered a more pragmatic solution: Remove the DVD writing software. If you don't have the software, then they can't write to the DVD. This seemed to suit him. I think he'll have to set up some group policy to stop the software from running, propagate that and hope for the best. And that the users don't figure out how to download and install their own DVD writing software.
He we talked recently and he noted that removing the DVD writing software worked. I asked him why only now was this a problem. He told me that some users learned a torrent was and were downloading and burning DVDs.
It was my turn to want to eat him alive.

I explained to him in my clam voice that the problem was neither the DVD writing nor the torrents. It is the policy and it's enforcement. Users in a business environment must understand that the PC in front of them is not a personal PC, unlike the one at home. It is a business tool that has limits on it's use. What governs that use is the company's IT policy. And a policy is effective only when it is enforced and enforced equally.
He explained that while his company has an IT policy, enforcing it was difficult because people there used to doing what they want on their PCs. Worst of all, managers view enforcement as meddling in their domain.
Therein lies the philosophical difference. While the Windows world is all about no barriers to what users can do, Linux (and inherited from Unix) is all about starting with limits. To gain control over Windows, barriers have to be erected and enforced. To do the same in Linux is not needed, control is there from the beginning. Barriers just needed to be lifted where required. The philosophy is to grant what the users needs bit by bit.
How simple that makes everything, DVD burning control included.

No comments:

Post a Comment

Recently Popular