[833] in linux-security and linux-alert archive


Re: [linux-security] standard users,grou

daemon@ATHENA.MIT.EDU (Miller, Raul D.)
Fri Jun 21 12:03:49 1996

From: "Miller, Raul D." <RDMiller@legislate.com>
To: linux-security@tarsier.cv.nrao.edu,
        owner-linux-security@tarsier.cv.nrao.edu
Date: Mon, 17 Jun 96 12:45:00 PDT

Lucas:
   Do not read mail from root, don't do user-things as root, and please dear 
   god don't IRC as root. All of those previously mentioned could make you a 
   sitting target for a wily cracker or a conniving prank.  The root account 
   is for doing things that regular users shouldn't be able to, a hidden 
   command to create/destroy things.  Do as you wish, but you only compromise 
   security.

Not necessarily.

(1) If physical security is assured (e.g. a laptop, which you carry with 
you), passwordless root is reasonable.  [You don't want to run any networking 
daemons in this configuration though.]

(2) It's also reasonable to have root running on some vts directly from init. 
(/bin/open -w is a reasonable way of doing this, though it could be more 
space efficient).  In this configuration, it's also reasonable to set the 
password field for root to * (no password).  Again, this assumes that 
physical security is present.

(3) If the machine is only in occasional use (e.g. one of many), then it's 
reasonable to use either of the above configurations not as a user, but as 
root.  This is no less secure than Dos, Windows, etc.  It may result in a 
*more secure system* than requiring a username/password combination to use 
the machine.  Here's why:

If a lot of machines are in use, it's not reasonable to expect the user to 
remember unique username/password combinations for all machines.  Thus you 
risk these things being written down on paper, stored in a file, or something 
equally bad.  A variant on this is where the same username/password is used 
on all machines -- here, if the combination is revealed in one environment it 
may be used to compromise another environment.

Usernames+passwords only make sense in environments where more than one 
person has access to the machine.

On the other hand, on a single user machine, it is reasonable to put 
some communications programs in a wrapper that drops most privileges 
before receiving anything (for example: chroot, setuid, fork, ...).

-- 
Raul
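
The wrapper idea from the last paragraph of the message, written out in C as an added example (not part of the original post and not code by its author): fork, then chroot and switch to an unprivileged uid/gid in the child before anything untrusted is read. The function names, the jail path /var/empty, uid/gid 65534 and the probe() workload are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum { DROP_OK = 0, ERR_NOT_ROOT = 10, ERR_CHROOT, ERR_GROUPS, ERR_GID, ERR_UID, ERR_REGAIN, ERR_FORK };

/* Irreversibly give up root in the calling process. Order matters:
 * chroot() needs root, and groups/gid must change before uid, because
 * after setuid() the process may no longer change them. */
static int drop_privileges(const char *jail, uid_t uid, gid_t gid)
{
    if (geteuid() != 0)                       return ERR_NOT_ROOT;
    if (chroot(jail) != 0 || chdir("/") != 0) return ERR_CHROOT;
    if (setgroups(0, NULL) != 0)              return ERR_GROUPS;
    if (setgid(gid) != 0)                     return ERR_GID;
    if (setuid(uid) != 0)                     return ERR_UID;
    /* Verify the drop: regaining root must now fail. */
    if (setuid(0) == 0 || getuid() != uid || geteuid() != uid) return ERR_REGAIN;
    return DROP_OK;
}

/* Fork, drop privileges in the child, then run `work` (hypothetical stand-in
 * for the communications program). Returns the child's exit code. */
int run_confined(const char *jail, uid_t uid, gid_t gid, int (*work)(void))
{
    pid_t pid = fork();
    if (pid < 0) return ERR_FORK;
    if (pid == 0) {
        int rc = drop_privileges(jail, uid, gid);
        _exit(rc != DROP_OK ? rc : work());   /* never run work() privileged */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return ERR_FORK;
    return WEXITSTATUS(status);
}

/* Constructed stand-in workload: succeeds only if it is not running as root. */
int probe(void) { return getuid() == 0 ? 1 : 0; }

int main(void)
{
    /* Constructed values: jail path and uid/gid 65534 ("nobody" on many systems). */
    int rc = run_confined("/var/empty", 65534, 65534, probe);
    printf("run_confined -> %d\n", rc);
    return rc;
}
```

Started without root, the wrapper refuses to run the workload at all and returns ERR_NOT_ROOT rather than continuing unconfined.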
