On Fri, Jul 06, 2001 at 12:15:43PM +0300, Juha Jäykkä wrote:
Make multiple root-accounts. We for example have normal users
accounts and 3-5 root-accounts depending on machine. Just give
UID/GID to new user.
I have a bit of a situation: I have a handful of linux machines
(almost all with
On Fri, Jul 06, 2001 at 12:25:20PM +0300, Saku Ytti wrote:
On Fri, Jul 06, 2001 at 12:15:43PM +0300, Juha Jäykkä wrote:
Make multiple root-accounts. We for example have normal users
accounts and 3-5 root-accounts depending on machine. Just give
UID/GID to new user.
Insert 0 where
On Fri, Jul 06, 2001 at 12:15:43PM +0300, Juha J?ykk? wrote:
I have a bit of a situation: I have a handful of linux machines
(almost all with different distributions and kernels and software -
..
time (we all know keeping up security is a fulltime job). Obviously to
install patches etc I,
On Fri, Jul 06, 2001 at 11:35:16AM +0200, Mark Janssen wrote:
(Put the public key in the .authorized_keys file for the root user)
TUrn on RSA/DSA authentication and 'allow root login'
One word of warning aboce would allow logging in using root password as well
which might not be the best
On Fri, Jul 06, 2001 at 01:19:24PM +0300, Juha Jykk wrote:
I distrust allowing root logins from anywhere but local console(s)
or non-modem gettys i.e. from anywhere over the not-owned-by-me cable.
umm do You want to run in circles from one machine to another? ;o))
if not than You need to
Am Freitag, 6. Juli 2001 12:19 schrieb Juha Jäykkä:
(Put the public key in the .authorized_keys file for the root user)
TUrn on RSA/DSA authentication and 'allow root login'
One word of warning aboce would allow logging in using root password as
well
I distrust allowing root
Just a friendly Jedi Knight wrote:
On Fri, Jul 06, 2001 at 01:19:24PM +0300, Juha Jykk wrote:
I distrust allowing root logins from anywhere but local console(s)
or non-modem gettys i.e. from anywhere over the not-owned-by-me cable.
umm do You want to run in circles from one machine to
At 994443564s since epoch (07/06/01 06:19:24 -0400 UTC), Juha J?ykk? wrote:
I distrust allowing root logins from anywhere but local console(s)
or non-modem gettys i.e. from anywhere over the not-owned-by-me cable.
Any other ideas? Or is it really safe to allow root logins to sshd?
It is
On 06-Jul-01, 05:34 (CDT), Patrice Neff [EMAIL PROTECTED] wrote:
What you want to accomplish might be possible with sudo. Install sudo
and thenn add the following line to the configuration
file. (/etc/sudoers on my machine)
yourusername ALL=(ALL) ALL
this will allow you to execute
I got the following from snort :
Active System Attack Alerts
=-=-=-=-=-=-=-=-=-=-=-=-=-=
Jul 6 07:48:19 canopus snort[3884]: spp_http_decode: IIS Unicode
attack detected: 128.95.75.153:1647 - 208.52.11.121:80
Active System Attack Alerts
=-=-=-=-=-=-=-=-=-=-=-=-=-=
Jul 6 05:36:39 canopus
Hello, I am a new debian user and someone still learning linux. I have a
small problem. In my company ( which is a microsoft developer ) I insisted on using a
firewall created with Ipchains of 3
zones ( dmz - local - internet ) on a Intel Pentium Pro processor machine
running Debian 2.2r3
Juha Jäykkä [EMAIL PROTECTED] writes:
Any other ideas? Or is it really safe to allow root logins to sshd?
It is just an old rule of thumb that root must never log on over the
wire but that may be old news from times of telnet - never had any
need of root logins over the wire until perhaps
On Fri, Jul 06, 2001 at 03:24:56PM -0800, Ethan Benson wrote:
On Fri, Jul 06, 2001 at 09:43:55AM -0500, Nathan E Norman wrote:
OTOH if you restrict the user to a list of commands in /etc/sudoers,
it's wise to consider whether the user might be able to leverage one of
those commands to
On Sat, Jul 07, 2001 at 02:10:09AM +0100, Eric E Moore wrote:
[cut]
I would be very shocked if you could compromise a system with a
sudoers entry of:
me hostname = (root) /bin/cat
Depends on what's on the system. I've thought of four similar ways.
1:
With Kerberos, you can steal someone's
I have a bit of a situation: I have a handful of linux machines
(almost all with different distributions and kernels and software -
one hell to keep secure) and all the machines have different roots.
These guys want to keep their root passwords (or at least the root
privileges) so they can
On Fri, Jul 06, 2001 at 12:15:43PM +0300, Juha Jäykkä wrote:
Make multiple root-accounts. We for example have normal users
accounts and 3-5 root-accounts depending on machine. Just give
UID/GID to new user.
I have a bit of a situation: I have a handful of linux machines
(almost all with
On Fri, Jul 06, 2001 at 12:25:20PM +0300, Saku Ytti wrote:
On Fri, Jul 06, 2001 at 12:15:43PM +0300, Juha Jäykkä wrote:
Make multiple root-accounts. We for example have normal users
accounts and 3-5 root-accounts depending on machine. Just give
UID/GID to new user.
Insert 0 where
On Fri, Jul 06, 2001 at 12:15:43PM +0300, Juha J?ykk? wrote:
I have a bit of a situation: I have a handful of linux machines
(almost all with different distributions and kernels and software -
..
time (we all know keeping up security is a fulltime job). Obviously to
install patches etc I,
On Fri, Jul 06, 2001 at 12:15:43PM +0300, Juha Jäykkä wrote:
I have a bit of a situation: I have a handful of linux machines
(almost all with different distributions and kernels and software -
one hell to keep secure) and all the machines have different roots.
These guys want to keep
On Fri, Jul 06, 2001 at 11:35:16AM +0200, Mark Janssen wrote:
(Put the public key in the .authorized_keys file for the root user)
TUrn on RSA/DSA authentication and 'allow root login'
One word of warning aboce would allow logging in using root password as well
which might not be the best
(Put the public key in the .authorized_keys file for the root user)
TUrn on RSA/DSA authentication and 'allow root login'
One word of warning aboce would allow logging in using root password as well
I distrust allowing root logins from anywhere but local console(s)
or non-modem gettys
On Fri, Jul 06, 2001 at 01:19:24PM +0300, Juha Jäykkä wrote:
I distrust allowing root logins from anywhere but local console(s)
or non-modem gettys i.e. from anywhere over the not-owned-by-me cable.
umm do You want to run in circles from one machine to another? ;o))
if not than You need to
Am Freitag, 6. Juli 2001 12:19 schrieb Juha Jäykkä:
(Put the public key in the .authorized_keys file for the root user)
TUrn on RSA/DSA authentication and 'allow root login'
One word of warning aboce would allow logging in using root password as
well
I distrust allowing root
Juha Jäykkä [EMAIL PROTECTED] writes:
How can that _safely_ be accomplished? There are versions of su,
sudo etc) that do not ask passwords, there are suid binaries but
which is _THE_ way of accomplishing this?
I've never been in a situation like yours. But I can tell how I do it
at home. I
At 994443564s since epoch (07/06/01 06:19:24 -0400 UTC), Juha J?ykk? wrote:
I distrust allowing root logins from anywhere but local console(s)
or non-modem gettys i.e. from anywhere over the not-owned-by-me cable.
Any other ideas? Or is it really safe to allow root logins to sshd?
It is
On Fri, Jul 06, 2001 at 09:18:18AM -0400, Jason Healy wrote:
types of
passwords accepted to run root commands, etc).
elaborate.
the main reason i don't use sudo except for small things which cannot
grant a root shell in any way is for the simple reason the sudo
converts a normal unprivleged
admittedly, i am not very familiar with sudo because i have never seen the
practical advantages of making su'ing more of a hassle by having to manage
another set of conf files and keeping track of who's a sudoer and,
therefore, have chosen not to use it.
what's to stop a person, once they've
On Fri, Jul 06, 2001 at 09:29:54AM -0700, Robert L. Yelvington wrote:
admittedly, i am not very familiar with sudo because i have never seen the
practical advantages of making su'ing more of a hassle by having to manage
another set of conf files and keeping track of who's a sudoer and,
I got the following from snort :
Active System Attack Alerts
=-=-=-=-=-=-=-=-=-=-=-=-=-=
Jul 6 07:48:19 canopus snort[3884]: spp_http_decode: IIS Unicode
attack detected: 128.95.75.153:1647 - 208.52.11.121:80
Active System Attack Alerts
=-=-=-=-=-=-=-=-=-=-=-=-=-=
Jul 6 05:36:39 canopus
Hello, I am a new debian user and someone still learning linux. I have a
small problem. In my company ( which is a microsoft developer ) I insisted on
using a firewall created with Ipchains of 3
zones ( dmz - local - internet ) on a Intel Pentium Pro processor machine
running Debian 2.2r3 on
Juha Jäykkä [EMAIL PROTECTED] writes:
Any other ideas? Or is it really safe to allow root logins to sshd?
It is just an old rule of thumb that root must never log on over the
wire but that may be old news from times of telnet - never had any
need of root logins over the wire until perhaps
At 994418143s since epoch (07/06/01 10:15:43 -0400 UTC), Ethan Benson wrote:
On Fri, Jul 06, 2001 at 09:18:18AM -0400, Jason Healy wrote:
types of
passwords accepted to run root commands, etc).
elaborate.
the main reason i don't use sudo except for small things which cannot
grant a
On Fri, Jul 06, 2001 at 09:43:55AM -0500, Nathan E Norman wrote:
OTOH if you restrict the user to a list of commands in /etc/sudoers,
it's wise to consider whether the user might be able to leverage one of
those commands to edit /etc/sudoers (or any other file). If you're
going to list
You make a good point, even if one of your examples is flawed:
$ sudo 'cat s /etc/sudoers'
sudo: cat s /etc/sudoers: command not found
sudo is a very useful tool in the type of situation described in this
thread. Even if you give everyone ALL=(ALL) ALL, it's better than su
or even
On Fri, Jul 06, 2001 at 06:15:43AM -0800, Ethan Benson wrote:
the main reason i don't use sudo except for small things which cannot
grant a root shell in any way is for the simple reason the sudo
converts a normal unprivleged user password into another root
password.
Any user account that
Ethan == Ethan Benson [EMAIL PROTECTED] writes:
Ethan or even seemingly innocuous things like less or even cat.
Less is a problem, yes, as is anything else with a shell escape.
Ethan sudo less anything !/bin/sh whoami r00t!
Ethan echo me ALL=ALL s sudo 'cat s /etc/sudoers'
doesn't work.
On Fri, Jul 06, 2001 at 03:24:56PM -0800, Ethan Benson wrote:
On Fri, Jul 06, 2001 at 09:43:55AM -0500, Nathan E Norman wrote:
OTOH if you restrict the user to a list of commands in /etc/sudoers,
it's wise to consider whether the user might be able to leverage one of
those commands to
37 matches
Mail list logo
