I wonder how often it happens that people connect remotely to a Linux PC with a camera. When I do it, it is because I ssh to another laptop of mine, maybe to shut it down after I lost the desktop (maybe the graphics card crashed). OK, we should support as many use cases as possible, but it could be acceptable to tell people that if they want to set up a multiseat machine shared with strangers (students at school? They can get very creative) they disable mics and cameras and don't plug in DVDs and USB drives. Servers usually don't have any of them. Finally, if you give somebody sudo you accept that s/he can shut down the system remotely, the normal case for a server.
I also wonder how other OSes handle that, I'm looking at Windows and OSX. With VNC/RDP/Teamviewer/etc you get full access to the Windows desktop and all devices. I guess OSX has the same, plus sshd.
So, maybe supporting a fringe use case is making more common use cases more inconvenient?
On Windows there is the Group Policy. If your machine is domain joined, the group policy is controlled by the domain. A non-domain joined machine also has a policy, which can be edited using the "Local Group Policy Editor".
The policy contains items such as "Devices: Allow undock without having to log on" or "Deny access to this computer from the network" (user/group list).
A policy consists of a number of such settings. For instance you can set who can shut down the system, and who can do it from remote.
With Windows 8 came <a href="http://www.windowsecurity.com/blogs/shinder/microsoft-securi... access control</a> where access control lists (ACLs) now can include tests for type of device being used, network location etc. This can be used to disallow access to certain documents or applications from phones/tablets while allowing access for the same user as long as he/she uses a stationary device within the corporate network. Dynamic access control also takes most of the pain out of complex access control as it can decide access not just upon your security group membership, but also on other claims such as limits, department, organizational unit, local certificates etc.
> Finally, if you give somebody a sudo you accept that s/he can shutdown the system remotely, normal case for a server.
Sudo configs are configurable (as are default command aliases) to at least make this a deliberate decision, and not an accidental occurrence. You could also, in rare cases, just "whitelist" certain commands, although this is generally not that practical.
Sudo is, however, by definition a dangerous tool. I try to make sure that everyone who has the right is aware of the responsibilities.
Windows and Mac both have their own privilege escalation, and shutdown commands, so there's nothing particularly different about their situations.
I wouldn't worry much about people to whom I granted access to my computer (though it could be worrisome if someone else got their hands on their credentials); I would worry about people who got access fraudulently. But that requires tighter security policies.
Regarding Windows, it's all explained on the MS website (just a Google search away), and it seems quite potent, but a default consumer OS doesn't push for stringent requirements for each and every application being installed. It's up to the user to set up the ad hoc policy, and hook up VNC to it, I guess. The good thing with application markets and distro-supported package repositories is that in theory all this could be included in the package and verified for conformance by the repository maintainers.
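As an added example, not from anyone in this thread: a small Python check that parses a sudoers fragment and reports which users end up able to run a shutdown-class command, contrasting a broad `ALL` grant with the deliberate `Cmnd_Alias` whitelist mentioned above. The sudoers content and user names are constructed for illustration.

```python
"""Audit a sudoers fragment: who can shut the machine down (remotely or not)?"""
import re

# Constructed sample sudoers fragment (not from any real host): one broad
# grant via a User_Alias, one deliberate command whitelist, one unrelated grant.
SAMPLE_SUDOERS = """\
# Deliberate: only the power-management commands, nothing else
Cmnd_Alias SHUTDOWN = /sbin/shutdown, /sbin/reboot, /sbin/poweroff
Cmnd_Alias PKG = /usr/bin/apt-get
User_Alias ADMINS = alice, bob
ADMINS  ALL = (root) ALL
carol   ALL = (root) NOPASSWD: SHUTDOWN
dave    ALL = (root) PKG
"""

# Commands that power the box off; "ALL" in a grant implies all of them.
POWER_CMDS = {"/sbin/shutdown", "/sbin/reboot", "/sbin/poweroff", "/sbin/halt"}


def parse_sudoers(text):
    """Return {user: set(commands)} with User_Alias and Cmnd_Alias expanded."""
    cmnd, users, grants = {}, {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments / blank lines
        if not line:
            continue
        m = re.match(r"(Cmnd_Alias|User_Alias)\s+(\w+)\s*=\s*(.+)", line)
        if m:
            kind, name, members = m.groups()
            target = cmnd if kind == "Cmnd_Alias" else users
            target[name] = [x.strip() for x in members.split(",")]
            continue
        # user_spec: <who> <host> = (<runas>) [TAG: ...] <command list>
        m = re.match(r"(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(?:[A-Z]+:\s*)*(.+)", line)
        if not m:
            continue                              # Defaults lines etc. are skipped
        who, cmds = m.groups()
        expanded = set()
        for c in (x.strip() for x in cmds.split(",")):
            expanded.update(cmnd.get(c, [c]))     # expand Cmnd_Alias, else literal
        for u in users.get(who, [who]):           # expand User_Alias, else literal
            grants.setdefault(u, set()).update(expanded)
    return grants


def can_power_off(grants):
    """Users able to run a shutdown-class command, or ALL (which includes it)."""
    return sorted(u for u, cmds in grants.items() if "ALL" in cmds or cmds & POWER_CMDS)
```

Running `can_power_off(parse_sudoers(SAMPLE_SUDOERS))` lists alice and bob (via the blanket `ALL`) alongside carol, whose whitelist was granted on purpose; dave is not listed.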