[845] in linux-security and linux-alert archive


Re: [linux-security] standard users,grou

daemon@ATHENA.MIT.EDU (Benedikt Stockebrand)
Tue Jun 25 10:09:31 1996

Date: Sun, 23 Jun 1996 01:31:09 +0200
From: Benedikt Stockebrand <benedikt@devnull.ruhr.de>
To: RDMiller@legislate.com
CC: linux-security@tarsier.cv.nrao.edu
In-reply-to: <31C5B6A1@smtpgw.legislate.com> (RDMiller@legislate.com)


[ To the moderators: I'm sorry about the excessive quoting.  If you   ]
[ find a way to trim it any further, feel free to do so.  Aside from  ]
[ that we're drifting off linux-specific security stuff, so you might ]
[ as well drop it completely.                 --ben                   ]

Raul D. Miller wrote:

| (1) If physical security is assured (e.g. a laptop, which you carry with 
| you), passwordless root is reasonable.  [You don't want to run any networking 
| daemons in this configuration though.]

No.  If your laptop gets stolen you can't help it (but at least you'll
probably realize).  Leaving it without a root pw will invite anyone to
look around your system and do some nasty things to it while you leave
it unguarded for some minutes.  Or do you take your laptop to the
bathroom?

| (2) It's also reasonable to have root running on some vts directly from init. 
| (/bin/open -w is a reasonable way of doing this, though it could be more 
| space efficient).  In this configuration, it's also reasonable to set the 
| password field for root to * (no password).  Again, this assumes that 
| physical security is present.

I've done that occasionally while setting up or administrating a
running system.  I'd rather use a separate runlevel (e.g. 4) for it
instead though.  Log in as root once, telinit 4, and you're done.  But
then, if you manage to remember about that you might as well log in as
root once more and do a renice --19 $$.

| (3) If the machine is only occasional use (e.g. one of many), then it's 
| reasonable to use either of the above configurations not as a user, but as 
| root.

Figure out a way to assign systematic variations on the passwords.
Like using a six char string plus the last byte of the machine's IP
address in hex.  Not great, but works to a degree.  Yet another
option: Use one machine for administration and do everything on the
other machines through a ssh login.  In that case you theoretically
can even disable root login on the other machines (keep a boot disk
handy, though).

|  This is no less secure than Dos, Windows, etc.

Millions of flies...  no valid argument.

| If a lot of machines are in use, it's not reasonable to expect the user to 
| remember unique username/password combinations for all machines.

For ordinary users, use a distributed /etc/shadow.  Using rdist with
ssh should do the trick if nothing else.

| A variant on this is where the same username password is used 
| on all machines -- here, if the combination is revealed in one environment it 
| may be used to compromise another environment.

Bad for that one user.  But if it happens to the root passwd it's bad
for *all* users.

| Usernames+passwords only make sense in environments where more than one 
| person has access to the machine.

A gun doesn't need a safety catch---if I don't want to shoot, I don't
pull the trigger.

Ever done a rm -rf in the wrong vt?  Happened to me twice, once on an
old (2.1) OS/2 box: Complete reinstall from tape, first with
installation disks, then re-reading all tapes back, a full day wasted
(and with Linux, a non-standard tape device and no customized rescue
boot disk it might take well longer).  Second time, as non-root user
on my home Linux box: tar x /home/benedikt, twenty minutes, no sweat.

| On the other hand, on a single user machine, it is reasonable to put 
| some communications programs in a wrapper that drops most privileges 
| before receiving anything (for example: chroot, setuid, fork, ...).

If it runs communications programs it isn't a "single user machine"
anymore---unless you really make sure you won't get any unwanted users
from outside.  Never underestimate the malevolence of the average Net
Moron[TM].


    Ben

-- 
Benedikt (Ben) Stockebrand                 Runaway ping.de sysadmin  
Dortmund, Germany                    --- Never ever trust old friends ---
My name and email address are not to be added to any list used for the
purpose of advertising.  By sending unsolicited advertisement e-mail
to this address, the sender implicitly agrees to pay a DM 500 fee to
the recipient for proofreading services.
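
As an added illustration (not code from either poster), a small POSIX shell audit that separates the two configurations argued about above: an empty root password field, which lets anyone at the console become root, versus a locked `*` (or `!`) field.  The shadow(5) data and the hashes in it are constructed, not from a real system.

```shell
#!/bin/sh
# Added example, not from the original thread: audit shadow(5)-format data for
# accounts with an empty password field (login with no password at all), as
# opposed to locked ones ('*' or a leading '!' in field 2, which matches nothing).

# Constructed sample standing in for /etc/shadow; the hashes are placeholders.
SAMPLE_SHADOW='root::0:0:99999:7:::
daemon:*:0:0:99999:7:::
ben:$6$constructedsalt$constructedhash:0:0:99999:7:::
guest:!:0:0:99999:7:::
operator::0:0:99999:7:::'

# List accounts whose password field (field 2) is empty, one per line.
passwordless_accounts() {
    printf '%s\n' "$1" | awk -F: '$2 == "" { print $1 }'
}

# List locked accounts: a field of '*' or starting with '!' can match no password.
locked_accounts() {
    printf '%s\n' "$1" | awk -F: '$2 == "*" || $2 ~ /^!/ { print $1 }'
}

# Exit 0 when root exists with a non-empty password field, 1 when root is
# passwordless, 2 when there is no root entry at all.  The exit in the main
# rule still runs the END block, which carries the result out of awk.
root_password_status() {
    printf '%s\n' "$1" | awk -F: '
        $1 == "root" { found = 1; if ($2 == "") status = 1; exit }
        END { if (!found) exit 2; exit status }'
}

# Stand-alone use on the constructed sample; pass "$(cat /etc/shadow)" as root
# to audit a live system instead.
echo "passwordless: $(passwordless_accounts "$SAMPLE_SHADOW" | tr '\n' ' ')"
echo "locked:       $(locked_accounts "$SAMPLE_SHADOW" | tr '\n' ' ')"
```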
