I think people misunderstand the core problem: if root does not have a
password, then *any activity on the system* can gain root privileges
by su'ing to root. By restricting 'root login' to the olpc user via
sudo, it becomes simple to restrict the activities which can gain root
privileges,
Well, I understand. :)
I was very surprised to find that by default root has no password on the OLPC!
This seems a mite dangerous to me. I can just imagine OLPC viri
springing up, propagating through the mesh...
I'd love to have a proper sudo on the thing. It would make me feel a
lot more
On Dec 21, 2007 1:27 PM, C. Scott Ananian [EMAIL PROTECTED] wrote:
I think people misunderstand the core problem: if root does not have a
password, then *any activity on the system* can gain root privileges
by su'ing to root.
This is not a given. Much has to be in place for
this to happen. Off
It doesn't seem like it would be difficult to write an activity that
opens a pty (like Terminal does), issues an su, and thus gives itself
elevated privileges. That's why the rest of the activity isolation
security model is important.
--
James Cameron mailto:[EMAIL PROTECTED]
James Cameron writes:
It doesn't seem like it would be difficult to write an activity that
opens a pty (like Terminal does), issues an su, and thus gives itself
elevated privileges. That's why the rest of the activity isolation
security model is important.
Uncomment line 6 of /etc/pam.d/su
.
If anything, Linux is going the other way. On a highly secure
Linux system, it is not possible to obtain full privileges unless
you log in directly on the console. You can't get full privilege
with sudo, su, or ssh. (mere root, UID==0, won't do the job)
BTW, this is not a bad solution. Simply
On Dec 19, 2007, at 1:50 AM, M. Edward (Ed) Borasky wrote:
Yeah ... sudo is more secure than su. In fact, some systems, for
example, the Gentoo LiveCD, scramble the root password. So you
have to do
$ sudo su -
and then set a password to ssh in as root.
+1
This is the same thing
On a similar vein, would it be much of a performance hit to be running
denyhosts on these machines?
What would it do with the mesh network interface?
--e
___
Devel mailing list
Devel@lists.laptop.org
http://lists.laptop.org/listinfo/devel
On 12/19/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
On a similar vein, would it be much of a performance hit to be running
denyhosts on these machines?
What would it do with the mesh network interface?
IIRC, each member of the mesh is assigned an IPv6 IP address in the reserved
*IPv4
On 12/19/07, ffm [EMAIL PROTECTED] wrote:
On 12/19/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
On a similar vein, would it be much of a performance hit to be running
denyhosts on these machines?
What would it do with the mesh network interface?
IIRC, each member of the
I'd like to draw devel@'s attention to trac bug 5537, which might land
sometime soon:
http://dev.laptop.org/ticket/5537
The upshot would be that, instead of logging in directly as root with
no password, you would log in directly as *olpc* with no password, and
then sudo to root (if you need
Yeah ... sudo is more secure than su. In fact, some systems, for
example, the Gentoo LiveCD, scramble the root password. So you have to do
$ sudo su -
and then set a password to ssh in as root.