begin quoting John H. Robinson, IV as of Thu, Sep 07, 2006 at 09:22:13AM -0700:
> Tracy R Reed wrote:
[snip]
> > I agree with this 100%. We do need to get rid of the root user.
>
> What will that be replaced by? There are some things that a mere user cannot do. They cannot send raw packets. They cannot bind to port <1025.

Well, there's no longer anything special about ports < 1025. Port-based authentication/authorization is dead, dead, dead, with a stake in its heart, buried at the crossroads between four garlic fields, etc. etc.

> They cannot add users. They cannot write to the / directory.
>
> Do you want to grant every user that, or so finely grain control the system that each of these administrative tasks each require a separate authentication (read: a password for each task).

Something with a little finer granularity would be nice; the problem with root is that it's all-or-nothing. If you want a program to send raw packets, then it gets to write to /; if you want someone to add users, then they get to modify the firewall rules. The other extreme -- where *every* action takes a distinct role and authentication chain for authorization... is just as painful.

> > RedHat shouldn't even configure a root password. It should instead configure a regular user password and give that user sudo.
>
> Guess what. Sudo uses the root user, for the most part. Sudo is a SUID root application. How is that going to work, when there is no root user?

I don't think we'll be able to rip out the idea of a superuser from UNIXish systems. But if there's no login, then there's no user who logs in as root ... that's one interpretation of "no root user".

[snip]
> > SE Linux is the technology we need to embrace if we really want to avoid becoming a serious target for viruses and trojans like MS Windows.
>
> This sounds like snake oil to prevent the sky from falling. I don't buy it.

I don't think the average user can set up SELinux so as to prevent a trojan from Doing Evil Things. I think that either a trojan can bypass the security, or that they'll render the system unusable. I think that a trained administrator can set up SELinux to lock down a production server, and I'm sure it would do a wonderful job.

Back in the day when I worked in PRIME systems, they had a powerful, flexible, system-wide protection system using ACLs. The guy I worked for was smart, but hadn't taken the time to figure out the security system... and there was work to be done. So he disabled it. Everything had complete access to everything else. If you could log in to the system, there wasn't anything you couldn't read or write. He couldn't afford the downtime it would have taken him to figure it out and do it right. I, on the other hand, was a tape-monkey; I had lots of time to read the manual... so we got it locked down, but it took a few "whoopses" to flush out all the hidden dependencies.

A security system does you no good if you can't set it up properly.

[snip]
> And what about single user mode? Who logs in, when there is no root?

Oh, just reinstall from scratch... ;-)

> NB: I did not read the article. I have no idea what it says. I did search through it enough to see that it does not say to *remove* the root user, merely to make it powerless for login purposes.

I suspect they mean "root account" where you mean "root user", and what they use "root user" for you might say is a "root login".

--
_ |\_ \|

--
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
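The "finer granularity than all-or-nothing root" the thread wishes for is roughly what Linux later shipped as capabilities: sending raw packets needs only CAP_NET_RAW, binding a port below 1024 needs only CAP_NET_BIND_SERVICE, and neither implies write access to /. The following is an added illustration, not code from the list post or from any project mentioned in it. It decodes the effective capability mask a Linux process holds (the CapEff line of /proc/self/status, an assumed-available interface) against the capability numbers from the kernel's uapi header, and reports which capabilities a given task would still be missing; the sample mask fed to it is constructed, so it runs the same on any platform.

```python
"""Decode Linux capability masks and compare them with what a task needs.

Added example for the KPLUG thread on replacing all-or-nothing root.
Capability bit numbers are those of linux/capability.h (CAP_CHOWN is bit 0).
"""
from __future__ import annotations

import os

# Bit number -> capability name, straight from the kernel uapi header.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]
CAP_BIT = {name: bit for bit, name in enumerate(CAP_NAMES)}

# The two concrete "only root can do this" items raised in the thread,
# mapped to the single capability each one actually requires.
TASK_REQUIREMENTS = {
    "send raw packets": ["CAP_NET_RAW"],
    "bind port below 1024": ["CAP_NET_BIND_SERVICE"],
}


def decode_caps(hex_mask: str) -> list[str]:
    """Turn a CapEff-style hex mask into the sorted list of capability names."""
    mask = int(hex_mask, 16)
    return sorted(name for name, bit in CAP_BIT.items() if mask >> bit & 1)


def missing_caps(hex_mask: str, required: list[str]) -> list[str]:
    """Capabilities in `required` that the mask does not grant."""
    held = set(decode_caps(hex_mask))
    return [name for name in required if name not in held]


def read_effective_mask(status_path: str = "/proc/self/status") -> str | None:
    """Read the CapEff hex mask of this process; None when /proc is unavailable."""
    if not os.path.exists(status_path):
        return None
    with open(status_path, encoding="ascii") as fh:
        for line in fh:
            if line.startswith("CapEff:"):
                return line.split(":", 1)[1].strip()
    return None


def report(hex_mask: str) -> dict[str, list[str]]:
    """For each thread task, list what this mask is still missing."""
    return {task: missing_caps(hex_mask, need) for task, need in TASK_REQUIREMENTS.items()}


if __name__ == "__main__":
    # Constructed mask: only CAP_NET_BIND_SERVICE (bit 10) and CAP_NET_RAW (bit 13).
    sample = "0000000000002400"
    print("constructed mask grants:", decode_caps(sample))
    live = read_effective_mask()
    if live is not None:
        print("this process holds:", decode_caps(live) or "no capabilities")
        for task, gap in report(live).items():
            print(f"{task}: {'ok' if not gap else 'missing ' + ', '.join(gap)}")
```

Run as an ordinary user the live report normally shows an empty set and both tasks missing; run under a file capability such as `cap_net_raw+ep` it shows exactly that one bit, which is the point: a process can be given the raw-socket privilege without also being handed the rest of root.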
