[833] in linux-security and linux-alert archive
Re: [linux-security] standard users,grou
daemon@ATHENA.MIT.EDU (Miller, Raul D.)
Fri Jun 21 12:03:49 1996
From: "Miller, Raul D." <RDMiller@legislate.com>
To: linux-security@tarsier.cv.nrao.edu,
owner-linux-security@tarsier.cv.nrao.edu
Date: Mon, 17 Jun 96 12:45:00 PDT
Lucas:
Do not read mail from root, don't do user-things as root, and please dear
god don't IRC as root. All of those previously mentioned could make you a
sitting target for a wily cracker or a conniving prank. The root account
is for doing things that regular users shouldn't be able to, a hidden
command to create/destroy things. Do as you wish, but you only compromise
security.

Not necessarily.
(1) If physical security is assured (e.g. a laptop, which you carry with
you), passwordless root is reasonable. [You don't want to run any networking
daemons in this configuration though.]
(2) It's also reasonable to have root running on some vts directly from init.
(/bin/open -w is a reasonable way of doing this, though it could be more
space efficient). In this configuration, it's also reasonable to set the
password field for root to * (no password). Again, this assumes that
physical security is present.
(3) If the machine is only in occasional use (e.g. one of many), then it's
reasonable to use either of the above configurations not as a user, but as
root. This is no less secure than DOS, Windows, etc. It may result in a
*more secure system* than requiring a username/password combination to use
the machine. Here's why:
If a lot of machines are in use, it's not reasonable to expect the user to
remember unique username/password combinations for all machines. Thus you
risk these things being written down on paper, stored in a file, or something
equally bad. A variant on this is where the same username/password is used
on all machines -- here, if the combination is revealed in one environment it
may be used to compromise another environment.
Usernames+passwords only make sense in environments where more than one
person has access to the machine.
On the other hand, on a single user machine, it is reasonable to put
some communications programs in a wrapper that drops most privileges
before receiving anything (for example: chroot, setuid, fork, ...).
--
Raul
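
Added example, not part of the original message: a minimal C wrapper of the kind the last paragraph describes. It forks, then in the child chroots, drops supplementary groups, gid and uid in that order, and checks that root cannot be regained before exec'ing the program. The function names, exit codes and uid/gid 65534 are assumptions made for illustration.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE /* exposes chroot() and setgroups() on glibc */
#endif
#include <grp.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical status codes reported by the child (not from the post). */
enum { DROP_OK = 0, FAIL_CHROOT = 10, FAIL_GROUPS = 11, FAIL_UID = 12,
       STILL_ROOT = 13, FAIL_EXEC = 14 };

/* Confine, drop, verify. Order matters: chroot(), setgroups() and setgid()
 * all need root, so setuid() has to come last. */
static int confine_and_drop(const char *jail, uid_t uid, gid_t gid)
{
    if (chroot(jail) != 0 || chdir("/") != 0) return FAIL_CHROOT;
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0) return FAIL_GROUPS;
    if (setuid(uid) != 0) return FAIL_UID;
    /* A real drop is irreversible: asking for uid 0 again must fail. */
    if (setuid(0) == 0 || getuid() != uid || geteuid() != uid)
        return STILL_ROOT;
    return DROP_OK;
}

/* Fork, drop privileges in the child, then exec prog (a path inside the
 * jail). With prog == NULL the child only reports how the drop went. */
int run_confined(const char *jail, uid_t uid, gid_t gid, char *const prog[])
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        int rc = confine_and_drop(jail, uid, gid);
        if (rc == DROP_OK && prog != NULL) {
            execv(prog[0], prog); /* only returns on failure */
            rc = FAIL_EXEC;
        }
        _exit(rc);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(int argc, char **argv)
{
    if (argc < 3) return 2; /* usage: wrapper JAIL PROG [ARGS...] */
    /* 65534 is assumed to be an unprivileged "nobody" uid/gid. */
    return run_confined(argv[1], 65534, 65534, &argv[2]);
}
```

The wrapper itself has to start as root, and the program it runs must exist inside the jail directory along with anything it needs at run time.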