Major security and usability flaw in Linux (root privileges and sudoers, folder access restriction, Ubuntu Linux)

Alright, let me give you the context. I am a business owner with strong technical background, say a programmer, though not an advanced system administrator. I’ve bought a VPS server where I want to host several applications and webpages. One of the apps consists of backend, admin frontend and user frontend, another one is just backend and frontend. So 5 different programmers develop those apps. From time to time, as the development takes place, those programmers need to install and upgrade some packages, modify system configs and so on, i.e. they need ssh access and some root privileges.

And here is the tricky part. It is obvious that I don’t want them to see and gain access to the folders they are not supposed to see, i.e. the devs of the first app shouldn’t have access to the folders of the second app and vice versa. Moreover the backend dev of the first app shouldn’t have access to the frontend folders of the same app and the same goes for the second app. Also I would like to restrict access for them to certain commands like visudo or reboot, so they wouldn’t be able to lock me out of my own server or reboot it without my consent.

Now, if I give them sudo privileges for them to be able to run administrative tasks needed for their development – then they have access to everything and it becomes practically impossible to restrict access for them to certain folders and commands. On the other hand if I DON’T give them sudo privileges, then it becomes a huge pain for me to every time install packages and give them access to certain files and commands they need to continue development. There are over 1500 commands and the corresponding number of system files in Linux they could potentially need access to, so it’s very VERY inconvenient for me to spend so much time to administer the VPS, especially given the fact that I’m not a very advanced system administrator and I don’t have much time because I need to run my business.

There are already numerous posts and threads on the Internet where people try to find solutions to somewhat close problems like these: One, Two, Three, Four, Five, Six, Seven, Eight, Nine, and they still have no reasonable solutions to them, only those that involve some supercomplex activities and anyway not giving a needed result.

So from my point of view as a business owner it should be something like this: there is a root user who can do everything. He can create admins and define access rights for them, for example in that very sudoers file. Then it’s his decision whether to give access to an admin to the sudoers file itself and any of the folders and commands of his choice. For example an admin could be able to run any command in the system except “reboot” and “visudo” and he can access all files and folders except /etc/sudoers and say /var/www/private_folder even WITH sudo privileges invoked (meaning he can’t even copy those files, overwrite them, chmod and chown them and so on, i.e. access them with any command).

That would immediately make the whole system administration A LOT easier and more logical, eliminating the need for complex solutions like chroot jails, separate bash environments, splitting servers into virtual machines, using containers and so on. And it’s so simple, a matter of a couple of conditions in the code, if I understand it correctly from a developer’s perspective. Also, I want to be in control of my VPS, not having to trust any other third person believing he/she won’t steal my information and/or destroy my whole system either by making a mistake or intentionally, and basically it can be considered as a serious security vulnerability from a certain point of view.

This seems so obvious and logical to me, that I was really discouraged and embarrassed that it really isn’t like that in Linux. Maybe 20 years ago when Linux was created it was enough to have only a root and sudoers and the rest of users to accomplish tasks they had at that time, but today everything goes a bit different way already and that archaic approach is not usable anymore.

Of course I realize I may understand something wrong and there is a strong reason why it has to be as it is, then please let me know why it is so and what is a correct and easy way of solving my problem described above without a need to build a behemoth on my VPS or manually administering it all the time by myself. After all it should be user-friendly, right? Now it’s not.

On the other hand if there is no such solution, then I would really be willing to even pay someone who could implement some kind of a patch or a package that will allow to solve this problem.
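The separation the post asks for, as an added example that is not part of the original post or any answer to it: Unix groups and permission bits keep each developer out of the other components' folders, and a sudoers drop-in grants an allowlist of full command paths instead of "everything except visudo and reboot". App names, group names, service names and the /var/www layout are assumptions; apply it as root with `sh setup.sh --apply`.

```shell
#!/bin/sh
# Added example (not from the original post): per-component separation with
# Unix groups, directory modes and an allowlisting sudoers drop-in.
# App, group and service names are hypothetical; run as root to apply.
set -eu

# Component directory owned by root, writable only by its group. Mode 2770 sets
# the setgid bit, so files created inside inherit the group automatically.
create_component_dir() {   # $1 = path, $2 = group
    install -d -m 2770 "$1"
    chgrp "$2" "$1"
}

# Data nobody but root may reach, even with the sudo rights granted below.
create_private_dir() {     # $1 = path
    install -d -m 0700 "$1"
}

# An allowlist of full command paths. A deny-list such as "ALL, !/usr/sbin/visudo"
# is not a restriction: sudoers(5) documents that negated commands are ineffective,
# because ALL already lets the user start an editor or a shell as root.
write_sudoers_dropin() {   # $1 = output file
    cat > "$1" <<'EOF'
Cmnd_Alias PKG      = /usr/bin/apt-get update, /usr/bin/apt-get install *
Cmnd_Alias SVC_APP1 = /usr/bin/systemctl restart app1-backend, /usr/bin/systemctl restart app1-frontend
Cmnd_Alias SVC_APP2 = /usr/bin/systemctl restart app2-backend, /usr/bin/systemctl restart app2-frontend
%app1-backend, %app1-frontend ALL = (root) PKG, SVC_APP1
%app2-backend, %app2-frontend ALL = (root) PKG, SVC_APP2
EOF
    chmod 0440 "$1"
}

# Applies everything on the VPS (needs root): groups, directories, sudoers file.
main() {
    for comp in app1/backend app1/frontend app2/backend app2/frontend; do
        grp="$(echo "$comp" | tr / -)"
        getent group "$grp" >/dev/null || groupadd "$grp"
        create_component_dir "/var/www/$comp" "$grp"
    done
    create_private_dir /var/www/private_folder
    write_sudoers_dropin /etc/sudoers.d/app-devs
    visudo -cf /etc/sudoers.d/app-devs   # syntax-check before sudo honours it
}
# Caveat: installing packages runs maintainer scripts as root, so PKG is
# root-equivalent; these rules separate developers from each other's files,
# not from root itself.

if [ "${1:-}" = "--apply" ]; then main; fi
```

Each developer is then added only to the group(s) of the component they work on (`usermod -aG app1-backend alice`); the directory modes do the folder restriction, and sudo only hands out the listed commands.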

GSC Coverage vs Mobile Usability discrepancy in count

I ran Excel VLOOKUP against all of the files GSC Coverage lists, versus all of the files GSC mobile usability says are mobile friendly. About 30% of the pages listed in Coverage are not included in the Mobile Usability list. However, when I run them through GSC’s URL inspection, it says that these missing pages are mobile friendly.

Is this something I should be concerned about? Will this impact what URLs are visible to mobile searches?

Looking for feedback to improve user testing and usability platform

Hi everyone!
I am working on the development of an online user testing and usability platform to help web and UX designers, UX researchers and front end testers. We are looking for feedback from web designers, that is why I am posting here. If you tried it out and gave us some opinions you would be very helpful. Please register HERE.
We will also activate full access for 30 days free if you email what mail you used to register at so you can improve your…

Carousel or sliders in website banners and their usability

Currently, I am working on a university website redesign project. The complication is that they used a lot of image carousels or sliders on their existing website. For example, in the banner, 10 events/programs images are running inside the carousel and some have a hyperlink to a dedicated page.

I am planning to replace the carousel with a hero image and move the other images to an events and programs gallery, since too many messages will make the important thing get missed. And the chances of conversion are below 1%. How could I convince the client diplomatically? Because they are crazy to see carousels to show different department images in the home page banner even after I tried to convince them that they are conversion killers.

What are the best methods for conducting usability testing with people who are neither experts nor end-users?

My team and I have developed a prototype of an augmented reality mobile application for teaching primary school students human anatomy.

We are going to do a usability testing and evaluation with the primary school students using FUN toolkit, and we are also going to conduct an expert review using heuristic evaluation and cognitive walkthrough.

Furthermore, we also want the teachers to test the app, and to evaluate the usability in the context of their students’ usage. However, the teachers are neither usability experts nor end-users so what is the most appropriate method for them regarding usability testing, survey design etc?

Introducing inconsistent controls: is it appropriate for the sake of usability?

We’re building a web application based on Material UI. Throughout the app there are select components, which behave like shown in the example below: The default label informs about the functionality of the select and when a value is selected, this label shrinks and moves up, so that it is still shown above the selected value.

standard use case

We use those components mainly for standard “organizational” bulk operations, such as sort, group etc. Therefore, no value is selected by default, the default label is shown and the user should know what the control is there for.

However, we also have a settings page (and forms), where there are already set values, like language. This leaves the select in the state where that informational default label has already shrunk to its smaller size (and would always stay that way, since a language can’t be unselected).

Because of this, I’d like to change the select component here, so that the label isn’t shown at all and instead introduce another easy-to-read label that is placed above, like shown on the picture below.

pre-select use case

I feel like this would be a good approach in terms of usability, making the controls easier to recognize and thus helping the user change their settings. (Imagine a multitude of settings and looking for a specific one to change).

However, it also introduces inconsistencies, since there would be two kinds of select throughout the application.

I’d like to know whether those kinds of inconsistencies are acceptable for the sake of better usability. Do the benefits outweigh the possibility of irritating the user? Maybe you could provide any related research or real life examples of similar inconsistencies for the sake of usability. Maybe there’s even a way to quantify those “pains vs gains”?

Any input is greatly appreciated!

Usability testing with multiple devices in the same session with the same user?

We had a pilot test of usability testing. We only planned to do tests on desktop PC because that’s what we think is the main device with our user group.

After the pilot we had a feedback conversation with our teacher. One of the suggestions he made was that we should add some tasks that are done with the mobile device.

I disagreed immediately but couldn’t come up with any good explanation why this is a bad thing. My opinion was not taken seriously because the teacher is ‘the pro’. Now I would like to know if this really is a standard testing method to have multiple devices in the same testing?

For me it sounds like finding issues here and there and not focusing on anything. So you most likely find more issues, but wouldn’t it be more important to find the ‘famous 80 % of the problems’ with one device? In my opinion the experience with the first device affects the use of the second device because the system being tested is only a part of a website.

In our case we cannot have more participants.

The usability drawback of using biometrics for device authentication but not for device decryption after reboot?

What if your device gets locked down for a long while because you cannot remember the password? Well, that used to be a rare case, because people used to use their device’s passwords to access them frequently and the chances this would happen depend on how long they don’t use that device. (Because part of the capability of remembering things could depend on how frequently you use that thing, retrieve it, or think of it, but what happens when you don’t retrieve that information for a while?)

Many devices are now switching to biometrics authentication (both mobiles and laptops), and this authentication is only used to unlock the screen, not for decrypting the disk after rebooting for many valid reasons.

However, I was concerned with the fact that using the password less frequently (because people reboot their systems less frequently) and relying on biometric authentication for being easy & fast can increase the chances of the user forgetting his password, which makes it a big difficult challenge when the system forces a reboot for an update, or suddenly shuts down for battery shortage (which usually occurs in the middle of your work 🙂 ), and you end up wasting so much valuable time trying to remember the password, and if you’re lucky, you will figure out what password you used. If not… I’m not sure what’s gonna happen, you’ll have to take a very long route to recover it, cause it ain’t as simple as “Forgot password? Send reset email”

What I am saying is, is it true that relying on biometrics increases the likelihood of forgetting an essential-hard-to-recover password?

If yes, how can we minimize that? Is it by supporting better techniques to recover passwords?

Or does the actual problem reside in remembering passwords? And must users be aware of the fact that they should use a password that they are almost sure they would never forget?

How to get a practical course on conducting usability testing?

Kindly, I need practical training on conducting a usability test. I already have a certificate on usability testing from Interaction Design Foundation, but I need to apply it in a real case.

Does the UX Stack Exchange community know this kind of training, courses or personal coaching to help me in making qualitative & quantitative reports, making user scenarios, analyzing findings… etc, so I can have it in a practical way?

How to get sorted Gnome usability issues in Desktop?

I’ve installed Ubuntu 19.04 from scratch after an issue with my old Ubuntu installation.

I’ve found that now it uses Gnome instead of Unity. I like Gnome, but I have a couple of important usability issues that I assume are easily configurable, and I just don’t know how to.

  1. The full name of each file used to appear in Desktop icons, and if it were too long, when I clicked on the icon the full name would appear, even in long names.

Not now, as you can see:

  2. Besides that, as you can see in the image attached, if I click on an image, the preview won’t appear either.

  3. When doing anything in the desktop before, like deleting an icon or moving it, I could easily press CTRL + Z and it would undo the action. How may I do that now?

I tried to search for these issues instead of asking, but I’ve not found anything that actually got them sorted.

Please note that I’ve installed Gnome Tweaks.