On 4/20/05, Stewart Stremler <[EMAIL PROTECTED]> wrote:
> begin quoting Rachel Garrett as of Wed, Apr 20, 2005 at 11:50:27AM -0700:
> > I am confused. If these single-user systems get attacked and
> > compromised while they're running as root, the attacker can do a lot
> > more to the system
>                ^^^^^^
> That's a key word.
>
> The user _doesn't_ care about the *system*. That's easy to replace.

If they know it needs replacing, sure.

> The user _does_ care about their *data*. That's not easy to replace.
>
> If the attacker trashes the user's data, it doesn't matter what
> happens to the system.

It matters to the attacker, who would probably love to keep the system looking "intact" to the user.

> If the attacker trashes the system *and* the user's data, it's no
> worse than trashing just the data.

Well, now we're assuming an even more specialized case, in which this attacker is simply going to wreak havoc and make it obvious that he's done so. I don't think most attacks fall into this category.

> (The counter response seems to be 'well, the user does not have any
> useful data anyway', but that's insulting to the user and arrogant
> on our part.

Look, Toto--it's a man! A man made out of *straw*!

> > than if the person was running as something other
> > than root. E.g., the attacker can hide the fact that the system has
> > been compromised, which is much more difficult to do without root
> > access.
>
> When you check for a compromised system, you _ought_ to do so by booting
> from clean media; if you trust anything on the potentially compromised
> disk, you're fooling yourself. Failure to find evidence using
> potentially compromised tools is not proof; neither is it all that
> compelling as an indication.

I thought we were talking about the sort of people who most likely aren't even going to be running checks on their system. If all that's been compromised is a user account, then the attacker can't go in and change stuff that the user would notice. You don't have to be THAT bright to say, "Hey, this says I last logged in yesterday. I didn't even get on the computer yesterday. What's up with that?"

> Plus, if you compromise the only user-account on the system, you can
> also hide the evidence from _that_ user --

But it's harder to do.

> > This has been pointed out here more than once. Why is this
> > *not* a refutation of the idea that there's no security problem
> > running as root in a single-user system?
>
> Because *any* compromise of a single-user system is effectively a full
> compromise, so far as the user in question is concerned.

Assuming they know about it?

--Rachel
