[ On Wednesday, September 26, 2001 at 11:10:28 (+0200), Nick Nauwelaerts wrote: ]
> Subject: Re: Why restrict root logins?
>
> One point that still hasn't been raised in this thread (I think). This applies
> mostly to interactive logins, and to a much lesser degree to the use of ssh
> keyfiles.
> Having allowrootlogin on a box that's connected to the net gives away one of 2
> things needed for a successful login: a username. Since the root user on most
> boxes is also called root, this gives any attacker a foothold on your system. He
> then only needs to find the correct pass{word,key}. Else he would need to find a
> username (and not every user has root privileges of course) first, which adds an
> extra step in gaining unauthorized access.
> I personally find it best not to give anyone the root password. Everything root
> does can also be done with a sudo -s, which gives a root shell.
Sudo is a VERY weak mechanism for forcing accountability. It can very
easily be subverted, and it has very poor authentication and
authorisation mechanisms which are also easily subverted.
--
Greg A. Woods
+1 416 218-0098 VE3TCP <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
Planix, Inc. <[EMAIL PROTECTED]>; Secrets of the Weird <[EMAIL PROTECTED]>