Ubuntu in the Corporate
I’ve been using Ubuntu 11.04 in the corporate environment for over a year now and this post will attempt to summarise the frankly disappointing state of affairs that is “Linux in the corporate environment”.
Such a little thing – getting a thumbnail for your images, videos or office documents. In Windows, once a directory has been thumbnailed, it creates a hidden file “thumbs.db” in that directory, so that when other people visit the directory, there’s no need to recreate every thumbnail from scratch.
In Ubuntu, however, there is. Every user stores their own version of thumbnails. At work, my .thumbnails directory is a little shy of 40Mb. If you multiply that by 1000 employees, you’ve just wasted 39.96Gb of data creating the same set of thumbnails 1000 times. Bandwidth, Disk I/O, wasted. Worse, if you make your staff’s home directories a network share, you’re now wasting 40Gb of storage across your home share.
It’s a poor model and needs fixed.
Encrypted Home Directories with Likewise
Wanted an encrypted home directory? Easy – tick the box when you install and you’ve got one. But wait. Logging in with AD credentials after installing Likewise? Nope. Likewise creates a non-encrypted domain directory in your /home and every user that logs in thereafter gets an unencrypted home.
The use case is simply theft. If a PC is stolen, then anything unencrypted on that device is going to be revealed trivially through the use of a USB boot key. User documents, settings or, worse, Dropbox installs are going to be readable. So I’d like to encrypt the home directories to prevent it. It won’t be as effective as a full-disk LUKS install, but it integrates with login so that only one password is required, so a slicker option in my opinion.
If anyone knows a way around this behavior, please holler.
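To see which accounts on a machine are in that state, here is a small audit sketch. It is an added example, not part of the original post. It assumes the eCryptfs layout used by Ubuntu's "encrypt my home folder" installer option (`/home/.ecryptfs/<user>/`); the `likewise-open/CORP` domain directory and the users `alice` and `bob` are constructed sample data.

```shell
#!/bin/sh
# list_unencrypted_homes HOME_ROOT [ECRYPTFS_ROOT]
# Prints the name of every home directory under HOME_ROOT that has no
# eCryptfs backing store. Assumed layout (Ubuntu encrypted home):
#   ECRYPTFS_ROOT/<user>/.Private                       encrypted lower directory
#   ECRYPTFS_ROOT/<user>/.ecryptfs/wrapped-passphrase   passphrase wrapped with the login password
list_unencrypted_homes() {
    home_root=$1
    ecryptfs_root=${2:-/home/.ecryptfs}
    for dir in "$home_root"/*/; do
        [ -d "$dir" ] || continue          # glob matched nothing
        user=$(basename "$dir")
        if [ -d "$ecryptfs_root/$user/.Private" ] &&
           [ -e "$ecryptfs_root/$user/.ecryptfs/wrapped-passphrase" ]; then
            continue                       # backed by eCryptfs
        fi
        printf '%s\n' "$user"
    done
}

# Constructed sample tree: a local user with an encrypted home and a
# domain user (hypothetical domain "CORP") whose home is a plain directory.
make_constructed_tree() {
    root=$1
    mkdir -p "$root/home/alice" \
             "$root/home/.ecryptfs/alice/.Private" \
             "$root/home/.ecryptfs/alice/.ecryptfs" \
             "$root/home/likewise-open/CORP/bob"
    : > "$root/home/.ecryptfs/alice/.ecryptfs/wrapped-passphrase"
}

demo=$(mktemp -d)
make_constructed_tree "$demo"
# Audit the domain users' home root; prints: bob
list_unencrypted_homes "$demo/home/likewise-open/CORP" "$demo/home/.ecryptfs"
rm -rf "$demo"
```

Point the first argument at the directory that directly contains the domain users' homes; run against `/home` itself, it will also list container directories such as the domain directory.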
In Windows, every password you enter on the system is shown on screen by substituting asterisks. On Ubuntu, the same is true, but many of these entries have a tick box that says “Show password”. What the hell? Why? Why on earth, having entered my password would I EVER want it shown on screen??
Basically what this means is that even a 2 minute slip up where you forget to lock your screen while you grab a packet of crisps or a coffee – you’ve possibly just let a colleague see what your password is. I raised it with the Seahorse devs, but they argued that if you leave your laptop/PC unlocked for two minutes then it’s compromised irretrievably and refused to acknowledge that the “show password” option was making things worse.
What can you do, maliciously, in two minutes with a Windows laptop? Plenty, but I think it would be mostly obvious. I reckon it would be quite challenging to seriously compromise a user without his knowledge on a Windows computer. On Ubuntu – 20 seconds to reveal my WIFI password, which also happens to be my AD password, since we use PEAP authentication.
“Linux is more secure.” Really? Depends, doesn’t it?
I should clarify my use case here. We have contractors coming onsite all the time to help with new product install, support cases, or training. Due to the nature of my job, a lot of what we access is protected by either firewall or ACL, so that only specific devices can access the service that contractor is onsite for.
I trust these guys not to be installing root kits or maliciously hacking my laptop while I grab us both a coffee, but in the case of Ubuntu, I literally can’t use it because while I do trust them generally, it’s just too easy for them to stumble upon a password box with a glaringly tempting “show password” button next to it.
The weird thing when I raise the “show password” issue is that no-one can give me a use-case for its existence. Or if you count “I forgot my password” as a use case, then they can’t explain the huge inconsistencies in Ubuntu – I can “show” my keychain password and my WIFI password but for some strange reason, I can’t show the password for my actual install, or my encryption password. Why? If physical access = “toast”, then why do I have to enter my previous password to change it to a new one? Why am I prompted for my password on login? Why am I prompted for my password on resume?
Rhetorical questions obviously, but despite everyone seeing that passwords for logging in, decrypting and resuming are necessary, they lose all logic about a simple “show password” box. IT IS NOT NECESSARY.
I just don’t understand it. It’s like a blindness.
Very frustrating. The command line uses one environment variable, while GUI programs use another. The proxy configuration dialogue has an option to “Apply System-Wide”, but doesn’t appear to do anything. Bypass options don’t always work, or require a reboot to activate. Some downloads (flash-plugin for example) will use wget in the middle of the apt-get install, which fails, because apt-get doesn’t pass in the proxy option.
Worse, why isn’t there an option to set the proxy by network? If I’m on our internet-only WIFI, I don’t want a proxy, but if I’m on our internal-WIFI, I do. Why can’t it set/unset the proxy depending on what I connect to?
In Windows, you map a drive, then there’s an option to “Reconnect at next login”. Not in Ubuntu. Or any Linux distro I’ve tried in fact. No, you have to edit your /etc/fstab for this functionality. It’s 2012 and you have to edit text files to make samba shares persistent.
Finally, a non-O/S specific issue. In fact, it’s a bit unfair to include this, because it’s not really Ubuntu’s fault… but it’s a big one for me, so: Evernote, which I use every hour of every day, doesn’t have an Ubuntu version. Some utter genius has coded the awesome “NixNote” in Java and so I use that. But pretty frustrating that such a crucial tool (for me) doesn’t have a native client. And launching Java to run NixNote is a drain – it takes about 30 seconds to start up and synchronisation isn’t quite as slick as the native version.
It’s not all bad. Nautilus remains much better to use than Explorer, LibreOffice is getting better all the time, workspace shifting is a joy, start up is very quick and XenApp covers the few programs I use that don’t have an Ubuntu version – vSphere, I’m looking at you.
What else? Network Manager makes setting up multiple networks a joy (overlooking, for the moment, the proxy issues above), external monitor support works well, and of course terminal access with built-in Python is superb.
But there’s so much wrong with Ubuntu in the corporate that it takes real determination to make it work, and many of the issues just shouldn’t exist in this day and age. Maybe 12.04, the Precise Pangolin, will deliver a better experience, but nothing I’ve seen so far suggests that this will be the case. In fact, in many areas, I think there will be regressions due to the move to Gnome 3 – such as external monitor support.
Time will tell, but I’m not holding my breath for the perfect corporate system.