begin quoting Lan Barnes as of Tue, Apr 19, 2005 at 04:13:56PM -0700:
[snip]
> My understanding is that the real danger is that root can make a mistake
> and hose the box. That's a different matter.

Yup. And, actually, in practical terms, it's probably a very good reason to avoid doing anything as root. Not because you're less likely to trash your important data, but that you're less likely to accidentally corrupt /etc/passwd and have to dig out that rescue disk. Not really a security issue, but a good thing to avoid doing twice.

> > And nobody has even pointed out that if I can compromise your user account
> > on your single-user machine, I can also (eventually) gain root.
>
> Without physical access to the console? How?

Install a shell ($HOME/.^H, say), and modify the shell-startup scripts to invoke my modified shell instead of your default shell. Provide versions of ps, ls, top, etc. so that it's hard to tell that you're running something extra. Log all keystrokes. I can acquire all of your ssh passphrases, remote account passwords, and if you're so careless as to su to root... well, there we go.

(This is where SELinux can help -- disallow su to root, and require you to log in from the console. Getting the root password doesn't help non-root processes because you still need physical access. Of course, it's now more annoying to log in as root, because you have to log out or go to a different virtual console. The loss of logging who became root isn't necessary because we're talking about a single-user machine. I'm not sure this isn't the sort of tradeoff that would drive users to complain or not.)

-Stewart "Awfully fond of sudo and su -" Stremler
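The persistence chain Stewart describes (a startup script that execs a replacement shell from a hidden $HOME directory, plus look-alike ps/ls/top placed earlier on PATH than the system copies) can be audited from the user's side. The following Python is an added example, not code from the thread; it runs on constructed samples (a hypothetical ~/.bashrc, PATH value and directory listing) rather than the live filesystem, and the line-level checks are heuristics meant to surface lines for review.

```python
"""Audit a shell startup file and PATH for the pattern discussed above: an
exec'd replacement shell in a hidden $HOME directory, and copies of ps/ls/top
that resolve before the system ones. All inputs are constructed samples."""
import re

SYSTEM_BIN_DIRS = {"/bin", "/usr/bin", "/sbin", "/usr/sbin"}
WATCHED_TOOLS = ("ps", "ls", "top")
# A path component that is a hidden directory directly under the home dir.
HIDDEN_HOME_DIR = re.compile(r'(?:\$HOME|~|/home/\w+)/\.[^/\s]+/')

def suspicious_startup_lines(content):
    """Lines that exec/source/dot-run something from a hidden $HOME dir, or
    exec a program that is not an absolute path in a system bin dir."""
    flagged = []
    for raw in content.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        runs_it = re.match(r'(?:exec|source|\.)\s+(\S+)', line)
        if runs_it and HIDDEN_HOME_DIR.search(line):
            flagged.append(raw)
        elif runs_it and line.startswith("exec "):
            # "exec zsh" or "exec /opt/x/sh": resolved via PATH or non-system dir
            if runs_it.group(1).rsplit("/", 1)[0] not in SYSTEM_BIN_DIRS:
                flagged.append(raw)
    return flagged

def user_writable_path_dirs(path_value, home):
    """PATH entries searched before the first system bin dir that the user
    could populate: empty, '.', or anything under $HOME."""
    risky = []
    for entry in path_value.split(":"):
        if entry in SYSTEM_BIN_DIRS:
            break
        if entry in ("", ".") or entry.startswith(home + "/"):
            risky.append(entry)
    return risky

def shadowed_tools(path_value, listing):
    """Resolve each watched tool along PATH as the shell would; report those
    found outside the system bin dirs. `listing` maps dir -> set of names."""
    hits = {}
    for tool in WATCHED_TOOLS:
        for d in path_value.split(":"):
            if tool in listing.get(d, ()):
                if d not in SYSTEM_BIN_DIRS:
                    hits[tool] = d
                break                                # first match wins, as in a shell
    return hits

# Constructed sample account state (hypothetical user "bob", not a real machine).
SAMPLE_BASHRC = """\
export PATH=$HOME/.cache/bin:$PATH   # hidden dir pushed to the front of PATH
alias ll='ls -l'
exec $HOME/.cache/bin/sh -l          # replacement shell instead of /bin/bash
"""
SAMPLE_PATH = "/home/bob/.cache/bin:/home/bob/bin:/usr/local/bin:/usr/bin:/bin"
SAMPLE_LISTING = {"/home/bob/.cache/bin": {"sh", "ps", "ls"},
                  "/usr/bin": {"ps", "ls", "top"}}
```

Run the three functions over SAMPLE_BASHRC, SAMPLE_PATH and SAMPLE_LISTING to see the exec line, the two $HOME directories ahead of /usr/bin, and ps/ls resolving into the hidden directory reported.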
-- [email protected] http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
