In message <[EMAIL PROTECTED]>, Nick Holland writes:
> Igor Sobrado wrote:
> > Hi again.
> > 
> > Out of this thread, Mr. Tongson pointed me to an interesting post
> > from March 2005:
> > 
> >   http://archives.neohapsis.com/archives/openbsd/2005-03/2808.html
> 
> i.e., DROP IT.  IT WILL NOT CHANGE.  The guy in charge has spoken.

How curious... is it not what I said in my last messages?
Please read these messages carefully.

> or skip the root PW, and just get the wheel user.
> That's no layer, that's a coat of stain.  Pretty color, but offers no
> protection.

Indeed, it is another way to think about this problem.

> >   2. There are a lot of brute force attacks from countries like
> >      Korea these days.  These attacks will be less effective if
> >      the intruders get access to an unprivileged account (even if
> >      it is in the wheel group).
> 
> how's that?  If the user is running sudo to allow people in the wheel
> group full access (common config), when they are in wheel, they are
> seven keystrokes away from root ("sudo -s")

Agreed, but when it is well configured sudo only allows users to
run certain commands that were assigned.  It is designed to provide
a more fine grained access to administration privileges avoiding
the nothing or all privilege escalation provided by the root
accounts.  If a user can do "sudo -s" or "sudo /bin/sh" to get
a full root access there is something wrong in the way sudo is
being used.  Ok, the real root password is hidden for these users
(that can be safely removed from the wheel group) but it is too
dangerous and not the way sudo works when it is well configured.

> >   3. A Unix and Unix-like system has a root account.  The names
> >      of other accounts are difficult to guess (my account at
> >      string1 is guessable right now, but I can be using a mail
> >      alias or receiving email on a system that has no real user
> >      accounts).  Trying brute force attacks against the root
> >      account is probably the best guess for an intruder.
> 
> yawn.
> If your system is subject to brute-force attacks, it is subject to
> brute-force attacks.

Indeed, but guessing a username AND its password greatly increases
the space where the secret is defined.  At least some previous research
is required.  And getting that unprivileged access, even if it
extends the vulnerabilities to the local exploits, is better than
being root.

[...]

Excuse me sir, but I will not continue answering your email.

I certainly do not accept the aggressive attitude you show on the
rest of the message and prefer to stop here.  If you have something
useful to say I will be glad to read your emails in the future,
but in this case I prefer to stop reading your post and, of course,
not replying to it.  Participating in flamewars is usually not my
style and I have certainly more productive ways to waste my time
and patience.

Igor.
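
Added example, not part of the original message: a small Python check for the sudo point argued above, flagging sudoers rules that still amount to full root (`ALL`, or a shell such as `/bin/sh`, including one hidden behind a `Cmnd_Alias`). The sample policy, the user names and the simplified parsing (one host spec per line, `#` always a comment) are assumptions.

```python
import os
import re

# Constructed sample policy (not taken from the thread).
SAMPLE = r"""
Cmnd_Alias MAINT = /usr/sbin/apachectl restart, \
                   /bin/ksh
%wheel   ALL=(ALL) ALL
alice    ALL=(root) NOPASSWD: /bin/sh
bob      ALL=(root) MAINT
carol    ALL=(root) /usr/sbin/apachectl restart
"""

SHELLS = {"sh", "ksh", "csh", "bash", "zsh", "su"}  # programs that hand out a root shell
SKIP = ("Defaults", "User_Alias", "Host_Alias", "Runas_Alias")
SPEC = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.*)$")  # user host=(runas) cmds
TAG = re.compile(r"^(?:[A-Z_]+:\s*)+")  # NOPASSWD:, NOEXEC:, ...


def audit(text):
    """Return (who, command) pairs that amount to unrestricted root."""
    text = re.sub(r"\\\n\s*", " ", text)  # join continuation lines
    aliases, findings = {}, []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # assumption: '#' starts a comment
        if line.startswith("Cmnd_Alias"):
            name, cmds = line.split(None, 1)[1].split("=", 1)
            aliases[name.strip()] = [c.strip() for c in cmds.split(",")]
            continue
        m = SPEC.match(line)
        if not m or line.startswith(SKIP):
            continue
        who, cmds = m.groups()
        stack = [c.strip() for c in cmds.split(",")]
        while stack:
            cmd = TAG.sub("", stack.pop(0))
            if not cmd or cmd.startswith("!"):  # negated entries grant nothing
                continue
            if cmd in aliases:  # expand the alias in place
                stack = aliases[cmd] + stack
            elif cmd == "ALL" or os.path.basename(cmd.split()[0]) in SHELLS:
                findings.append((who, cmd))
    return findings


if __name__ == "__main__":
    for who, cmd in audit(SAMPLE):
        print(f"{who}: '{cmd}' is equivalent to full root")
```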
