597 points doener | 1 comments

mapontosevenths No.46181864
It's been a very long time since I was a sysadmin, but I'm curious what managing a fleet of Linux desktops is like today? Has it vastly improved?

When I last tried in a small pilot program, it was incredibly primitive. Linux desktops were janky and manual compared to Active Directory and group policy, and an alternative to Intune/AAD didn't even seem to exist. Heck, even things like WSUS and WDS didn't seem to have an open version, or only had versions that required expensive expert-level SMEs to perform constant fiddling. Meanwhile the Windows tools could be managed by 20-year-old admins with basic certifications.

Also, GRC and security seemed to be impossible back then. There was an utter lack of decent DLP tools, proper legal hold was difficult, EDR/AV solutions were primitive and the options were limited, etc.

Back then it was like nobody who had ever actually been a sysadmin had ever taken an honest crack at Linux and all the hype was coming from home users who had no idea what herding boxen was actually like.

replies(5): >>46181979 #>>46182272 #>>46182348 #>>46183765 #>>46186223 #
1718627440 No.46182348
I think this comes primarily from trying to add a separate management tool on top, instead of leveraging the OS structure itself. There is a reason why most directories are specified to be read-only. Also, writable XOR persistent is mostly true. The only things required to be writable are /tmp, /var and /home. /tmp is wiped at least on every boot or is even just a ramdisk. /var can be cached or reset to the predefined settings on boot. /home needs to be managed, that is true. But you wouldn't want every user's directory on every host anyway; instead you want to populate them on login. That is typically done by libpam.

/usr is expected to be shared among hosts, host-specific stuff goes into /usr/local for a reason, and as a sysadmin you can decide to simply not have host specific software.

EDR/AV is basically unnecessary when you only mount things either writable or executable. And you don't want the users to start random software or mount random USB sticks anyway.

> Back then it was like nobody who had ever actually been a sysadmin had ever taken an honest crack at Linux and all the hype was coming from home users who had no idea what herding boxen was actually like.

Unix has over 50 years of history of being primarily managed by sysadmins instead of home users. While Linux is not Unix, it has inherited a lot. The whole system is basically designed to run a bunch of admin configured software and is actually less suitable for home users. I would say the primary problem was accessing it with a Windows mindset.

replies(4): >>46182491 #>>46182560 #>>46184305 #>>46184825 #
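The "writable XOR executable" mount rule from the comment above, turned into a small audit script. This is an added example, not code from the thread; it parses /proc/mounts-style lines (a constructed sample is embedded) and reports every mount that is both writable and executable, which is exactly the combination the rule forbids.

```shell
#!/bin/sh
# Audit mounts for the "writable XOR executable" rule.
# Input: lines in /proc/mounts format (device mountpoint fstype options dump pass).
# Output: "<mountpoint> <options>" for each mount that is writable (no "ro")
# and executable (no "noexec"), i.e. a violation of the rule.
# Caveat from the thread itself: noexec only stops direct execution; an
# interpreter run as "python ~/my.py" still reads the file, so this is a
# baseline check, not a complete control.

audit_wx_mounts() {
  # $1: file with /proc/mounts-style lines (defaults to the live /proc/mounts)
  awk '{
    n = split($4, opts, ",")
    ro = 0; noexec = 0
    for (i = 1; i <= n; i++) {
      if (opts[i] == "ro") ro = 1
      if (opts[i] == "noexec") noexec = 1
    }
    if (!ro && !noexec) print $2 " " $4
  }' "${1:-/proc/mounts}"
}

# Constructed sample (not from a real host): / and /usr are read-only,
# /tmp is correctly rw+noexec, while /var and /home are rw without noexec.
SAMPLE_MOUNTS=$(mktemp)
trap 'rm -f "$SAMPLE_MOUNTS"' EXIT
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/sda1 / ext4 ro,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda2 /var ext4 rw,relatime 0 0
nfs:/home /home nfs rw,nosuid,nodev,relatime 0 0
/dev/sda3 /usr ext4 ro,relatime 0 0
EOF

# Expected on the sample: two violations, /var and /home.
audit_wx_mounts "$SAMPLE_MOUNTS"
```

Run it without an argument to check the host you are on; each reported line is a mount that is both writable and executable.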
GoblinSlayer No.46184305
> And you don't want the users to start random software

python ~/my.py

wget | bash

replies(1): >>46184500 #
1718627440 No.46184500
I guess you wouldn't install wget in that installation and patch programming languages to follow the executive bit or also remove them.

Also, you can't make it physically impossible for employees to, e.g., screenshot things and take them home. You can forbid it and try to enforce it, but some amount of trust is needed.

Willing action needs to be taken for what it is, a deliberate action by that user. If that user is allowed to access that data, then I don't see what is wrong with him doing that in an automated way.