-----Original Message-----
From: Christopher Gorski <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Wednesday, June 10, 1998 11:41 PM
Subject: Root through telnet


>I'm going away on vacation, and I want to be able to configure my system
>from away.  How do I enable the root account to be accessible through
>telnet?  I know I can su, but that doesn't give me access to all the
>commands I need (such as useradd).


If it's not giving you access to commands, it's a path problem, easily
solved.

>Also, if I do this, is it going to pose a serious security problem?  My
>system has no sensitive data, it's just a personal PC, but I would like to
>know if it's open to the world or not if I enable remote root access.


Open to the world, for two reasons:

1) Telnet is not an encrypted protocol.  Anybody connected to any network
you go through on your way to your system can sniff the contents of your
session, including your password.  Blammo, you just gave the root password
away.  Note that using su doesn't solve this problem, either; just makes it
take a few more seconds.

2) You've now made it easy to brute-force hack your root account directly,
instead of having to hack a user account first and THEN root.  Effectively,
you've cut the time for a brute-force attack in half, assuming they don't
exploit another vulnerability.


If you're planning to access your system from the Internet in any account
that has any privileges at all, you want to use ssh.

Unfortunately, since the Linux tools don't support a wheel group, you can
hack root from any account on the system, instead of being able to restrict
your vulnerability to certain accounts.

I love this one from the "su" man page:

"This program does not support a "wheel group" that restricts who can su
to super-user accounts, because that can help fascist system
administrators hold unwarranted power over other users."

Totally inappropriate for an operating system that is going to be used in
production environments.  This wording should remain only if this version of
su is only going to be used by hobbyists to play with.

The wording, and the problem, should be removed from distributions targeted
at businesses, such as RedHat and Caldera.

If you want to have that wording, let's let it say what it really means:

"This program does not support a "wheel group" that restricts who can su to
super-user accounts, because that can help the owner of a system keep
control of his property away from my 3l33t3 haquer budz, d00d."



-- 
  PLEASE read the Red Hat FAQ, Tips, Errata and the MAILING LIST ARCHIVES!
http://www.redhat.com/RedHat-FAQ /RedHat-Errata /RedHat-Tips /mailing-lists
         To unsubscribe: mail [EMAIL PROTECTED] with 
                       "unsubscribe" as the Subject.
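
The two exposure points raised in the reply above (cleartext telnet, and a root account that can be logged into directly from the network) can be checked from a host's configuration. The following is an added example, not part of the original message. The file formats it reads (classic inetd.conf, /etc/securetty, an OpenSSH-style sshd_config) are assumptions not named in the message, and the sample contents are constructed.

```python
import re

# Constructed sample file contents (not taken from any real host).
INETD_CONF = """\
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
"""
SECURETTY = "tty1\ntty2\nttyp0\nttyp1\n"
SSHD_CONFIG = "Port 22\nPermitRootLogin yes\n"

def active_lines(text):
    """Yield non-blank lines with '#' comments stripped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line

def audit_remote_root(inetd_conf, securetty, sshd_config):
    """Return findings about remote root exposure in the three files."""
    findings = []
    # inetd.conf: the first field is the service name.
    telnet_on = any(l.split()[0] == "telnet" for l in active_lines(inetd_conf))
    if telnet_on:
        findings.append("telnet enabled: passwords cross the network in cleartext")
    # securetty lists terminals where root may log in; network logins
    # arrive on pseudo-terminals (ttyp*, pts/*).
    ptys = [l for l in active_lines(securetty) if re.match(r"ttyp|pts/", l)]
    if telnet_on and ptys:
        findings.append("root may log in directly over telnet on: " + ", ".join(ptys))
    # sshd_config: keywords are case-insensitive; the first value set is used.
    for l in active_lines(sshd_config):
        parts = l.split(None, 1)
        if parts[0].lower() == "permitrootlogin":
            if len(parts) == 2 and parts[1].strip().lower() == "yes":
                findings.append("sshd PermitRootLogin yes: root password can be guessed directly")
            break
    return findings

if __name__ == "__main__":
    for finding in audit_remote_root(INETD_CONF, SECURETTY, SSHD_CONFIG):
        print("FINDING:", finding)
```
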
