begin quoting Todd Walton as of Mon, Apr 18, 2005 at 10:59:04PM -0700:
> "I defy anybody to tell me why is it more secure to not run as root.
> Nobody really has a good answer. They say "oh, yeah, it is!", but it
> really isn't."
>
> That's what he said. He said that running without root privileges is
> not more secure than running with them.

/. picked up this article, and despite a lot of heat and noise, nobody _has_ provided a good answer (as of when I read the comments), at least for a single-user (i.e. home) box. And nobody has even pointed out that if I can compromise your user account on your single-user machine, I can also (eventually) gain root.

My personal opinion is that not-logging-in-as-root is just a _first_ step, useless without all the rest. I should NEVER /have/ to become root except in dire circumstances that also warrant booting into single-user mode. So long as you structure a system where there are times when you NEED to gain superuser access for routine tasks, you have a potential security problem.

"We're better than MSWindows" is damn faint praise.

[snip]
> I agree with Tracy on this one.

Heh. Tracy and I have a long-running disagreement about what constitutes security on a Linux box. :)

-Stewart "Do you mount /home noexec? Is /usr ro? Why not?" Stremler
-- [email protected] http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
