[793] in linux-security and linux-alert archive
Re: [linux-security] Admin note (recent traffic surge).
daemon@ATHENA.MIT.EDU (Woody Weaver)
Wed Jun 12 18:59:47 1996
Date: Tue, 11 Jun 96 14:59 PDT
From: Woody Weaver <woody@altair.stmarys-ca.edu>
To: linux-security@tarsier.cv.nrao.edu
In-reply-to: <199606101855.OAA13751@tarsier.cv.nrao.edu> (message from Jeff
Uphoff on Mon, 10 Jun 1996 14:55:05 -0400)
From: Jeff Uphoff <juphoff@tarsier.cv.nrao.edu>
2) A thread with highly "religious" and contentious aspects:
uid/gid ownership of system files, configuration of the root
account, etc....
... I think it's fairly safe to say that most everyone already has
a slightly different approach to this, that there is no "One True
Answer," and that this thread is a good (though voluminous!)
"airing out" of these different ideas and opinions.
I have one question about uid 0 accounts. Of course one wants to give
minimum permissions to accounts, and the more uid 0 passwords floating
around the more risks one takes. Generally, the "all the eggs in one
basket and watch that basket very closely" is a good idea. However,
as one author noted, if you permit a novice to su and do work, there
is a possibility that they might do something that prevents normal use
of the system, such as accidentally changing the root password.
My solution, of course, is just to have a separate boot media handy;
given that I'm running linux on a PC, its easy to boot off of floppy
and mount the main file system on a convenient mount point -- physical
security beats software security. But some linux boxes may be in
inconvient locations, or be hardware modified as to be unable to boot
from floppy.
It is reasonable to have two uid 0 accounts? The idea is to minimize
risk but not permit single points of failure. The downside, of
course, is that with both "root" and "tuber" things like ftp or nfs
access to tuber do not have built in protection as it does against
root, so ideally one would have to patch daemons to recognize both
accounts as special (or get the authors to protect against uid 0
accounts rather than a specific username).
Is there another risk I'm missing?
--woody
--
Robert Wooddell Weaver office: 510-631-4416
Department of Mathematical Sciences home: 510-595-9451
St. Mary's College of California fax: 510-376-4027
Moraga, CA 94575