Today, Bob Bell gleaned this insight:
> Hmmm... Sure I'd bet not everyone locks their screens (I do, and
> rather quickly). Even without even granting sudo permissions or
> giving out the root password, Mr. Janitor/Spy would be able to get
> access to more than enough to cause problems. Figure that a desktop
> machine on which I am still a normal user has access to all official
> project source code. By firing up my email client, a spy could
> quickly open source Tru64 :-) . Root or sudo access isn't even
> required for this, so why bring it up.
It's already been said that the engineers need to take some responsibility
for security of their own setups. By not locking your screen, you've
probably (maybe not where you work) broken your company's security policy.
This is and should be a situation where disciplinary action can be taken,
and if someone breaks into the company's vault from your workstation, you
should expect there to be some repercussions.
> Oh, is that why. I suppose this would cause a problem if I am
> explicitly interested in Joe User's widget prototype, which is only
> available when logged in as root or joeuser. First of all, note that
> again I still don't need root if I wait for Joe User to be the one to
> forget to lock his screen. Also, I do have root to my desktop here,
> but I am unable to access another employee's files.
This is a good thing.
> I am able to
> become root on my own machine, and then even su to another user (say,
> pll, just for the sake of argument :-) ). However, pll's files
> aren't available, as they are exported to my machine. They are only
> exported to pll's workstation(s) and the production servers. However,
> I am unable to become root or pll on those machines.
But you might be able to rlogin to his machines, if he wasn't careful
about his .rhosts file. This is bad. And not something the sysadmins can
very easily monitor. Again, the engineers must take some responsibility
for security, but we sysadmins need to assume that they didn't (because
too often they don't).
> To summarize, I'm not seeing how giving me root in this setup
> makes it any more likely for me to cause harm, beyond what I could
> already do as a normal user (rogue employee or janitor/spy accessing
> an unlocked screen).
You're obviously not an experienced cracker. I just gave you one
potential avenue of attack. There are others too numerous to mention.
If you really want to learn about them, go read the books I mentioned in
an earlier post.
--
PGP/GPG Public key at http://cerberus.ne.mediaone.net/~derek/pubkey.txt
------------------------------------------------------
Derek D. Martin | Unix/Linux Geek
[EMAIL PROTECTED] | [EMAIL PROTECTED]
------------------------------------------------------
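The .rhosts exposure raised above is something a sysadmin can at least look for on the file servers and workstations they do control. As an added example (not part of the original thread), a POSIX shell audit that walks the home directories under an assumed root such as /home and flags rhosts entries that trust any host or any user, plus trust files writable by someone other than the owner; the function names and the sample layout are my own assumptions:

```shell
# check_rhosts_file FILE
# Prints one line per risky entry in an rhosts-format trust file
# ("host [user]" per line; "+" means any host / any user, "-" negates).
check_rhosts_file() {
    f=$1
    # A group- or world-writable trust file can be rewritten by others,
    # so it is a finding regardless of its current contents.
    if [ -n "$(find "$f" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "$f: trust file is group/world writable"
    fi
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                 # drop comments
        set -f; set -- $line; set +f     # split into host [user], no globbing
        [ $# -eq 0 ] && continue
        host=$1; user=${2:-}
        case "$host" in
            -*) continue ;;              # explicit deny, not a risk
            +)  echo "$f: any host trusted for user '${user:-owner}'"; continue ;;
        esac
        [ "$user" = "+" ] && echo "$f: any user on host '$host' trusted"
    done < "$f"
    return 0
}

# audit_rhosts ROOT
# ROOT is the parent of the home directories (assumed, e.g. /home).
# Prints every finding from each ROOT/*/.rhosts that exists.
audit_rhosts() {
    root=$1
    for f in "$root"/*/.rhosts; do
        [ -f "$f" ] && check_rhosts_file "$f"
    done
    return 0
}
```

Run it as root from cron and diff the output against the previous run; a new line means a trust relationship appeared that nobody reviewed.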