begin quoting Rachel Garrett as of Wed, Apr 20, 2005 at 11:50:27AM -0700:
> On 4/20/05, Stewart Stremler <[EMAIL PROTECTED]> wrote:
> > It's that the target market for Linspire
> > (aka Lindows) are those of unwashed masses who are going to use the machine
> > in a single-user frame of mind. And whats-his-face's assertion that there
> > is no security problem in that case is distressingly hard to refute.
>
> I am confused. If these single-user systems get attacked and
> compromised while they're running as root, the attacker can do a lot
> more to the system
              ^^^^^^
That's a key word.

The user _doesn't_ care about the *system*. That's easy to replace.

The user _does_ care about their *data*. That's not easy to replace.

If the attacker trashes the user's data, it doesn't matter what happens
to the system. If the attacker trashes the system *and* the user's data,
it's no worse than trashing just the data.

(The counter response seems to be 'well, the user does not have any
useful data anyway', but that's insulting to the user and arrogant on
our part. Tell a prospective Linux user that their data isn't as
important as the system, and they'll go to Microsoft instead, who will
at least lie in a pleasant voice to the user. And rightly so.)

> than if the person was running as something other
> than root. E.g., the attacker can hide the fact that the system has
> been compromised, which is much more difficult to do without root
> access.

When you check for a compromised system, you _ought_ to do so by booting
from clean media; if you trust anything on the potentially compromised
disk, you're fooling yourself. Failure to find evidence using potentially
compromised tools is not proof; neither is it all that compelling as an
indication.

Not logging in as root doesn't change that. You can't trust that the
intruder didn't find a local exploit you don't know about.

Plus, if you compromise the only user-account on the system, you can
also hide the evidence from _that_ user -- so you're right back in the
situation where running as root isn't any different than not.

> This has been pointed out here more than once. Why is this
> *not* a refutation of the idea that there's no security problem
> running as root in a single-user system?

Because *any* compromise of a single-user system is effectively a full
compromise, so far as the user in question is concerned.

"Any difference that doesn't make any difference isn't any different."

-Stewart "Things change drastically once we abandon single users" Stremler
-- [email protected] http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
