1731 Desktop on the Linux Slides

8/6/2019 1731 Desktop on the Linux Slides

1/168

Desktop on the Linux (and *BSD of course). . .youre doing it confused? weird? strange? wrong?

Wolfgang datenwolf Draxinger

27c3, 2010-12-27

Wolfgang datenwolf Draxinger () Desktop on the Linux (and *BSD of course). . .

27c3 1 / 77
http://find/http://goback/


2/168

DISCLAIMER

This talk is:

highly opinionated

biased

born out of frustration

. . . and anger


27c3 2 / 77


3/168

DISCLAIMER II

Linux is not Unix.

Nevertheless Ill mix the terms because Im just tolazy to distiguish everytime.

I hope youre okay with that.


27c3 3 / 77


4/168

DISCLAIMER II

Linux is not Unix.

Nevertheless Ill mix the terms because Im just tolazy to distiguish everytime.

I hope youre okay with that.

Wolfgang datenwolf Draxinger () Desktop on the Linux (and *BSD of course). . . 27c3 3 / 77


5/168


6/168

The situation

I work as a systems administrator:

Universitys physics student computers.

3500 users!

Im the problem solver there.

My pleasure hacking projects are about:

realtime graphics

realtime simulationsystems programming

a.k.a. game engines. highly optimized, resource aware code.



7/168

The situation



3500 users!



realtime graphics





8/168

The situation



3500 users!



realtime graphics





9/168


10/168

The situation



3500 users!



realtime graphics





11/168

Linux desktop distributions have become evil!

With each and every new version of OpenSuSE, Ubuntu, Fedora

problems got worse.

Most of the problems we encounter are attributed to automatisms.

Its no longer set and forget.



12/168



problems got worse.





13/168



problems got worse.





14/168

Modern Desktops have

Multimedia!



15/168

Your typical Multimedia Framework

Playback Module Graph



16/168

Provides huge number of modules.

"Fire and Forget" graph generator included.

unfortunately not quite stable.



17/168

Provides huge number of modules.

"Fire and Forget" graph generator included.

unfortunately not quite stable.



18/168

PhononMultimedia-Meta-API abstraction layer to access different

multimedia frameworks through a single API.

Has its own filter graph generator.

Designed to allow switching the backend in mid-operation (why?)Available backends (Linux) Xine VLC GStreamer (unmantained)

Filter graph building logic must be provided for every backend!



19/168








20/168








21/168








22/168








23/168

Designed as a better ESD: mix sound provide audio capture to multiple clients simultanously sound over network (e.g. alongside remote X11)

Became sort of a media framework of its own:Things like transferring the audio to a different

machine, changing the sample format or channel

count and mixing several sounds into one are easily

achieved using a sound server.

[PulseAudio homepage]



24/168

Designed as a better ESD: mix sound provide audio capture to multiple clients simultanously sound over network (e.g. alongside remote X11)

Became sort of a media framework of its own:Things like transferring the audio to a different

machine, changing the sample format or channel

count and mixing several sounds into one are easily

achieved using a sound server.

[PulseAudio homepage]


Functionality Matrix


25/168

Functionality Matrix


Lets hear some music


26/168

Let s hear some music


Hey Phonon! and GStreamer


27/168

Hey Phonon! . . . and GStreamer


PulseAudio is my destiny


28/168

PulseAudio is my destiny


and beyond.


29/168

. . . and beyond.


How can those matched?


30/168

How can those matched?


Thats what theyd accept!


31/168

That s what they d accept!


. . . among other things.


32/168

g g


But, well.


33/168

,



34/168

Logins Complicated


Tasks of a X Display Manager


35/168

p y g

Start X11 server, setup MIT-Cookie (XAUTHORITY)

Show Greeter, Login Dialog

(optional) Allow for choosing desktop environment and localizationoptions

(historically) provide XDMCP dont use this nowadays (insecure)


Tasks of a X Display Manager


36/168

Start X11 server, setup MIT-Cookie (XAUTHORITY)

Show Greeter, Login Dialog

(optional) Allow for choosing desktop environment and localizationoptions

(historically) provide XDMCP dont use this nowadays (insecure)



37/168

User Interaction


38/168

enter username

enter password

maybe set session type and localizationAll in all a very short experience.

The less interaction, the better.


User Interaction


39/168

enter username

enter password




User Interaction


40/168

enter username

enter password




GDM 2.21


41/168

Its modal (users tend to mistake it for a screen lock).

Starts a full blown Gnome session for a simple login.

Offers less configuration options than older versions.


GDM 2.21


42/168





GDM 2.21


43/168





GDM 2.21


44/168






45/168

GDM 2.21 A Gnome session highlighted


46/168



47/168

GDM 2.21 Why a Gnome session?


48/168

By default, GDM is shipped with files which will autostart

the gdm-simple-greeter login GUI greeter itself, the

gnome-power-manager application, the

gnome-settings-daemon, and the metacity window manager.These programs are needed for thegreeter programto work.

[GDM documentation]



49/168


50/168

Why do we need it?


51/168

Defining the ProblemTo be written.

Relevant artTo be written.

[ConsoleKit documentation (2010-12-25)]

http://www.freedesktop.org/software/

ConsoleKit/doc/ConsoleKit.html


So what does it do?
http://www.freedesktop.org/software/ConsoleKit/doc/ConsoleKit.htmlhttp://www.freedesktop.org/software/ConsoleKit/doc/ConsoleKit.htmlhttp://www.freedesktop.org/software/ConsoleKit/doc/ConsoleKit.htmlhttp://www.freedesktop.org/software/ConsoleKit/doc/ConsoleKit.htmlhttp://find/http://goback/


52/168

Its a Seat aware session manager.

A Seat: Input Devices Output Devices

Permissions per User (Alice may play music, Bob may burn DVDs)Tracks the user

Grants permissions dynamically

It uses D-Bus!


So what does it do?


53/168





It uses D-Bus!


So what does it do?


54/168





It uses D-Bus!


So what does it do?


55/168





It uses D-Bus!


27c3 31 / 77


56/168


57/168


58/168


59/168


60/168

Im sorry to tell you, but its broken!


61/168

Unix Philosophy: Somethings either a process, or a file.

File permissions and ACLs only applied upon open.

Once you got an FD, permissions and ACL dont apply anymore.

ConsoleKit is easily circumvented

Oh, and when it fails, youre borked.

(Live Demo)


27c3 32 / 77


62/168


63/168

D-Bus


27c3 34 / 77


64/168


65/168

A unified IPC mechanism


66/168

D-Bus was originally intended to serve as a unified Desktop IPC.

Was soon expanded to serve as a system wide message passing

system.


27c3 36 / 77

A unified IPC mechanism


67/168

D-Bus was originally intended to serve as a unified Desktop IPC.

Was soon expanded to serve as a system wide message passing

system.


27c3 36 / 77


68/168

So, everything is fine, rainbows and unicorns, right?!

To me, the whole thing doesnt look right.


27c3 37 / 77


69/168

Java-esque naming


70/168

D-Bus uses names like

org.freedesktop.Hal.Manager

/com/mycompany/TextFileManager recommended to use domain name.


27c3 38 / 77

Narcistic Namespacing


71/168

Names dont reveal the functionWithout functional grouping each servicehas its very own

interface

What if a Name gets changed? Ethereal Wireshark wxWindows wxWidgets

Just take a short look at Linux SysFSfor an example of usefull

namespacing.


27c3 39 / 77



72/168


interface



namespacing.


27c3 39 / 77



73/168


interface



namespacing.


27c3 39 / 77



74/168


interface



namespacing.


27c3 39 / 77


75/168


76/168


77/168


78/168

Must be setup additionall to X11


79/168

session bus is independent from X11

every GUI program has to do multiple bookkeeping X11 D-Bus

ssh -X. . .

, what about that?

Nothing impossible to implement, but this adds complexity, for only little

gain.

Wolfgang datenwolf Draxinger () Desktop on the Linux (and *BSD of course) 27c3 41 / 77



80/168



ssh -X. . .

, what about that?


gain.




81/168



ssh -X. . .

, what about that?


gain.




82/168



ssh -X. . .

, what about that?


gain.


D-Bus is FreeDesktops Hammer


83/168

Each and everything done by FreeDesktop is tied to D-Bus somehow.

Even things where D-Bus makes no sense if you think about it.

Case in Point: Status Notifier ItemsYou know, SysTray.




84/168







85/168







86/168





System Tray


87/168

Old method: SysTray is a special kind of sub-window manager.

Each item a own X11 window one could use everything X11

provides to draw it serverside. (GPU acceleration FTW)

It works for every X11 client, independent of host, transport andconnection.


Status Notifier


88/168

Status Notifier uses D-Bus for transport, items are transported as

uncompressed pixmaps. (Dynamic Updates?)

Status Notifier only available to programs having access to the

D-Bus (remember, remote X11 vs. D-Bus).



89/168

If you care about common look and feel: Define user interface

guidelies, provide a common library.

Thats actually done by GTK+ and Qt (the library thing).



90/168

If you care about common look and feel: Define user interface

guidelies, provide a common library.

Thats actually done by GTK+ and Qt (the library thing).


27c3 45 / 77

That horse can carry only so much.


91/168

D-Bus doesnt scale!

Theres actually been made the suggestion to give Linux a new special

D-Bus socket type, to overcome routing bottlenecks.


27c3 46 / 77

That horse can carry only so much.


92/168

D-Bus doesnt scale!

Theres actually been made the suggestion to give Linux a new special

D-Bus socket type, to overcome routing bottlenecks.


27c3 46 / 77

There are better tools


93/168

Instead of D-Bus we could use IPv6 Node Local Multicast.

scales well

can be versatilely routed (address rewriting)

cryptographic batteries included (IPv6 mandates IPSec)

no single point of failure (D-Bus daemon) well, the kernel maycrash, but then youve got other problems.

This idea courtesy by Fefe.


27c3 47 / 77



94/168


scales well






27c3 47 / 77



95/168


scales well






27c3 47 / 77



96/168


scales well






27c3 47 / 77



97/168


scales well






27c3 47 / 77



98/168


scales well








99/168


scales well







100/168

PolicyKit


What is PolicyKit


101/168

PolicyKit is an application-level toolkit for defining andhandling the policy that allows unprivileged processes to

speak to privileged processes: It is a framework for

centralizing the decision making process with respect to

granting access to privileged operations for unprivileged

applications. PolicyKit is specifically targeting applications inrich desktop environments on multi-user UNIX-like operating

systems.

[PolicyKit homepage]


PolicyKit


102/168

Oftenly compared to sudo sudoescalates PolicyKitauthorizes

Uses D-Bus. . .


PolicyKit


103/168

Oftenly compared to sudo sudoescalates PolicyKitauthorizes

Uses D-Bus. . .


Authorizing means

A program capable of privileged action is commaned to perform a


104/168


task.

Before this task is performed, PolicyKit is used to ask the user forpermission If the user itself has no permission Deny

The privileged programm is running all the time, or started bypkexec

To me this sounds prone to logic errors on the privileges programm

side.

Could we attack the privileged program through the action request?


Authorizing means



105/168


task.




side.



Authorizing means



106/168


task.




side.



Authorizing means



107/168


task.




side.



Authorizing means



108/168


task.




side.



Authorizing means



109/168


task.




side.



Authorizing means



110/168

p g p p g p

task.Before this task is performed, PolicyKit is used to ask the user forpermission If the user itself has no permission Deny



side.



Asking per task is a bad idea anyway


111/168

The whole thing is much like Windows UAC: The user gets nagged

about authorizing this and that everytime.

Entering privileged realms itself should be protected.

Privileged stuff should not be required to be set so oftenly, that a

convenient way to ask the user is required at all.




112/168









113/168








114/168

Automatisms=

Things Just Work


NetworkManagerI think I invented it, or at least came up with that idea:

http://forums.gentoo.org/

viewtopic-t-163808-highlight-.html
http://find/http://goback/http://forums.gentoo.org/viewtopic-t-163808-highlight-.htmlhttp://forums.gentoo.org/viewtopic-t-163808-highlight-.htmlhttp://forums.gentoo.org/viewtopic-t-163808-highlight-.htmlhttp://forums.gentoo.org/viewtopic-t-163808-highlight-.html


115/168

Looking for program. . . . . .

that is automatically settingthe network interfaces, depending on the devices connected

to. E.g. Id like to configure my eth0 connection to either

DHCP if it finds a certain host via MAC or to a static IP if it

detects another host. Also I need something similair for

WLAN, depending on the found ESSID and/or the strongest

signal.

Also it should work as a daemon, so that it a physical

connection gets lost automatically the route tables and

resolv.conf are adjusted, and vice versa.Is there some program which can do so?

[I in Gentoo forums 2004-04-20]


Sorry about that


116/168

Todays situationEither youre constantly roaming networks, then the network

should provide the configuration and you dont care.

Or your system is statically bound to a certain network, but then a

user must not change anything.GSM/UMTS/LTE? Similary: About every 3G modem can be

configured to act as a network interface. The rest, see above.


Sorry about that


117/168







Sorry about that


118/168







Sorry about that


119/168







Ubuntu Desktop + NetworkManager


120/168

Your network connection will only come up, after you log on. WTF?!

This doesnt just work.


Ubuntu Desktop + NetworkManager


121/168

Your network connection will only come up, after you log on. WTF?!

This doesnt just work.


Removeable Storage Media


122/168

Many methods so far:automounters (until ca. 2002)

fstab adjusters (I still prefer this)

ivman (ca. 2004)

pmounthal-mount

Currently: UDisks


None of these tackles the problem itself

It boils down to:


123/168

A storage medium must be mounted to be accessible (easy)

After its use it must be cleanly synched and unmounted before

disconnecting, otherwise data is lost (hard).

Users dont really understand about the need for synching/unmounting,

they did click the Save button, so whyd not saved yet?I understand my audience, or at least the majority understand the

problem though.

mount -o sync not such a good solution, too.



It boils down to:


124/168






problem though.




It boils down to:

A di b d b ibl ( )


125/168






problem though.




126/168

I dont know of any good solution either.

But just providing nicer looking buttons wont help.

Maybe this problem will silently go away? Everything stored in the net.

. . . has its own wealth of problems. Discussed on this congress.


f


127/168






I d t k f d l ti ith


128/168








129/168








130/168






O API t fi th


131/168

One API to configure themall. . .


GConf

Daemon and library providing unified interface to configurationd t


132/168

Daemon and library providing unified interface to configurationdata.

Hierachical, key structured database

Much like the Windows registry

Open to various storage backends, but so far keys structured by directories values in XML files (may also contain keys)

Single point of failure


GConf

Daemon and library providing unified interface to configuration

data


133/168

data.

Hierachical, key structured database

Much like the Windows registry

Open to various storage backends, but so far keys structured by directories values in XML files (may also contain keys)

Single point of failure


XSettings


134/168

X11 centric configuration system

Colours, Mouse Pointers

Input devices bahaviour

. . .

eh, dont we have Xrm for that?


XSettings


135/168

X11 centric configuration system

Colours, Mouse Pointers

Input devices bahaviour

. . .

eh, dont we have Xrm for that?


What are the claimed problems of Xrm?

All i i i l f h i d


136/168

All settings in one single property of the root window.

No fine grained access to settings

Changes to settings not easily detectible

Large amount of data to process just to retrieve a very smallsubset from it.



137/168

Proposal of XSettings

Settings managed by a XSettings daemon, providing a (invisible)tti i d ( b i l i t f f il )


138/168

Settings managed by a XSettings daemon, providing a (invisible)settings window (remember, single point of failure).

Serial numbers to identify changed settings

Data stored in binary format, with no endianess enforced lolwut?Sounds like fun: Integer overflows Buffer overruns Shellcode injection



Settings managed by a XSettings daemon, providing a (invisible)settings window (remember single point of failure)


139/168

g g y g , p g ( )settings window (remember, single point of failure).







140/168








141/168





Do these people suffer from schizophrenia?

The Xrm database stores all information in a single text

property on the root window. This makes it difficult to

determine what settings have changed; it is necessary to

parse the property and do string comparisons.


142/168


And later on in the very same document:

Why use a single property for all settings?

Using a single property has several advantages. First,retrieving all settings takes only a single round-trip to the

server instead of a round-trip for each settings. Second, it

means that when multiple settings can be changed at once,

only a single notification is received by clients, and clients will

see interrelated properties changed in an atomic fashion.


Do these people suffer from schizophrenia?

The Xrm database stores all information in a single text

property on the root window. This makes it difficult to

determine what settings have changed; it is necessary to



143/168


And later on in the very same document:

Why use a single property for all settings?

Using a single property has several advantages. First,retrieving all settings takes only a single round-trip to the

server instead of a round-trip for each settings. Second, it

means that when multiple settings can be changed at once,

only a single notification is received by clients, and clients will

see interrelated properties changed in an atomic fashion.


Z bi


144/168

Zombies. . . aim for the head.


HAL

Hardware Abstraction LayerA b b k ld b H d A i Lib


145/168

A better backronym would be Hardware Annotation Library.

Huge crapload of unreadable and unmaintainable XML files.

Officially deprecated!

Though still in use by some Distros (aim for the. . .

, well, youknow what to do).


HAL

Hardware Abstraction LayerA b tt b k ld b H d A t ti Lib


146/168







HAL

Hardware Abstraction LayerA b tt b k ld b H d A t ti Lib


147/168







HAL

Hardware Abstraction LayerA better backron m o ld be Hard are Annotation Librar


148/168







HAL

Hardware Abstraction LayerA better backronym would be Hardware Annotation Library


149/168







HAL

Hardware Abstraction LayerA better backronym would be Hardware Annotation Library


150/168







I dont want all this crap


151/168

I don t want all this crap


In a organizations network

central software distribution

t l fi ti


152/168

central configuration

users have no privileges at all

custom terminal access solutions (provide access to localy

mounted media on remotely accessed machine)

I, as an administrator, want the full control over my stuff.


In a organizations network

central software distribution

central config ration


153/168

central configuration

users have no privileges at all

custom terminal access solutions (provide access to localy

mounted media on remotely accessed machine)

I, as an administrator, want the full control over my stuff.


Youll end up creating your own distribution or use

Gentoo


154/168

Customly compiled Desktops

Alternate package sources, patched packages

Also requires maintaining a custom configuration system


See your carefully crafted configurations break

So we were testing Ubuntu 9.04. . .

University maintains a central authentication database for all

students and employees User Database accessed by LDAP/Active Directory


155/168

Kerberos-5 for authentication

A carefully maintained set of Kerberos-5, LDAP nsswitch and PAM

config files is provided

Some of our older maintenance tools require SSH root access bypublic key, and only if from our IP range yes, we know, you dont

do this, but this is like using Duct Tape, it somehow works and

then lasts.

The system passes all automated security tests.






K b 5 f h i i


156/168






then lasts.







K b 5 f th ti ti


157/168






then lasts.



So whats the problem, then?

Well,

ConsoleKit + PolicyKit have a set of own PAM rules installed

Th l l h f K b h l h fi f


158/168

These rules plus those of our Kerberos-5 auth plus the config for

root-SSH were a bit unlucky

root could SSH into those boxes without requiring a password, or a

public key, but only if not from our IP range.Only good thing was: root doesnt get Kerberos tokens in our system,

so no harm outside those test machines.



159/168


Well,


Th l l th f K b 5 th l th fi f


160/168








Well,


These r les pl s those of o r Kerberos 5 a th pl s the config for


161/168







Morale

Yes, it was a configuration error.But to set proper configurations one needs good documentation

(f S Ad i )


162/168

(for Sys Admins).

Distributions dont properly document their inner workings. This

must change.

Those convoluted interdependencies of desktop systems do no

good.


Morale

Yes, it was a configuration error.But to set proper configurations one needs good documentation

(f S Ad i )


163/168

(for Sys Admins).

Distributions dont properly document their inner workings. This

must change.

Those convoluted interdependencies of desktop systems do no

good.


Weve seen only the tip of the iceberg so far. Theres more to consider:

Modern Unix Desktops depend on a number of system level

services

Some of these services aim at replacing core functionality, noteven related to Desktops


164/168

even related to Desktops systemd (replaces SysV init, upstart, the like) RealtimeKit (a whole story of its own).

The more direct dependencies are created down to the systemlevel, the harder it gets to install alternatives there.

Eventually the whole development process may be only about

fixing issues probably by adding complexity instead of removing

and come to a standstill.


Weve seen only the tip of the iceberg so far. Theres more to consider:

Modern Unix Desktops depend on a number of system level

services

Some of these services aim at replacing core functionality, noteven related to Desktops


165/168

even related to Desktops systemd (replaces SysV init, upstart, the like) RealtimeKit (a whole story of its own).

The more direct dependencies are created down to the systemlevel, the harder it gets to install alternatives there.

Eventually the whole development process may be only about

fixing issues probably by adding complexity instead of removing

and come to a standstill.


Conclusion


166/168


Conclusion

The development of contemporary Unix Desktop Environments is

marked by the errection of largely complex structures


167/168

y g y p

Features oftenly given more weight than simplicity and stability

Oftenly problems are not properly identified

Problems are tackled by throwing even more code at them.


Simplicity is the highest form of sophistication.

unattributed

Complexity has nothing to do with intelligence, simplicity

does.


168/168

Larry Bossidy

Those who dont understand Linux are doomed to reinvent it,

poorly.

unattributed


1731 Desktop on the Linux Slides

Documents