Stewart Stremler wrote:
> /. picked up this article, and despite a lot of heat and noise, nobody
> _has_ provided a good answer (as of when I read the comments), at least
> for a single-user (i.e. home) box.
> And nobody has even pointed out that if I can compromise your user account
> on your single-user machine, I can also (eventually) gain root.

Sure you can. But we want security in depth, right? Several layers since
no one layer is ever likely to be perfect.

> My personal opinion is that not-logging-in-as-root is just a _first_
> step, useless without all the rest. I should NEVER /have/ to become root
> except in dire circumstances that also warrant booting into single-user mode.
> So long as you structure a system where there are times when you NEED to
> gain superuser access for routine tasks, you have a potential security
> problem. "We're better than MSWindows" is damn faint praise.

Precisely! It is just a first step. We agree completely here. And better
than Windows is indeed faint praise. But when you are being compared with
Windows it does have to be said.

> Heh. Tracy and I have a long running disagreement about what constitutes
> security on a Linux box. :)

Hmm... I'm not so sure about that. I bet we agree on the most important
aspects of what constitutes security on a Linux box.

> -Stewart "Do you mount /home noexec? Is /usr ro? Why not?" Stremler

/home as noexec? Wouldn't that prevent you from installing any executables
at all into your own ~/bin dir? Not sure what that would really buy me.
Making /usr ro is a good idea I had never really considered before though.
I never write anything into /usr and always put stuff into /usr/local.
Although on occasion a system patch/update from yum might try to change
something in /usr but that is rare enough that I can remount rw for that.

-- 
Tracy R Reed
http://[EMAIL PROTECTED]

-- 
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
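
Added example, not part of the original message or of either poster's setup: a small shell audit for the two mount options raised in the thread (/usr read-only, /home noexec), run over text in /proc/mounts format. The sample table, device names and function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in /proc/mounts format: device mountpoint fstype options dump pass
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw 0 0
/dev/sda2 /usr ext3 rw,nodev 0 0
/dev/sda3 /home ext3 rw,nosuid,nodev 0 0
/dev/sda5 /tmp ext3 rw,nosuid,nodev,noexec 0 0'

# mount_opts TABLE MOUNTPOINT: print the options of the last entry for
# MOUNTPOINT (the last entry wins when filesystems are stacked).
mount_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { o = $4 } END { if (o != "") print o }'
}

# has_opt OPTS OPT: succeed only on an exact match inside the comma list,
# so that "ro" is not satisfied by a longer option that merely contains it.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_mount TABLE MOUNTPOINT OPT: 0 = option set, 1 = option missing,
# 2 = MOUNTPOINT is not its own filesystem, so it inherits the parent's options.
check_mount() {
    opts=$(mount_opts "$1" "$2")
    if [ -z "$opts" ]; then
        echo "NOMOUNT $2 is not a separate filesystem; $3 cannot be set on it alone"
        return 2
    fi
    if has_opt "$opts" "$3"; then
        echo "PASS $2 $3"
        return 0
    fi
    echo "FAIL $2 lacks $3 (has: $opts)"
    return 1
}

# audit TABLE: apply the policy from the thread; non-zero if any check fails.
audit() {
    rc=0
    check_mount "$1" /usr ro || rc=1
    check_mount "$1" /home noexec || rc=1
    return $rc
}

# Demo on the constructed table. For the live system: audit "$(cat /proc/mounts)"
# For a package update on a read-only /usr: mount -o remount,rw /usr, update,
# then mount -o remount,ro /usr.
audit "$SAMPLE_MOUNTS" || echo "policy violations found"
```

Note that noexec only blocks direct execution of files on that filesystem; a script in ~/bin can still be run by naming its interpreter explicitly (for example `sh ~/bin/script`).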
