you are only partially correct. I developed a scheme on Linux where you
cannot have root access, except for using sudo, but if sudo is only allowed
for certain groups, then only a small subset of people, who are explicitly
told they can, have access to sudo and are fully accounted for. This, in
addition to some other ACLs, perhaps XFS, etc., allows almost no one to get
sudo without being accounted for in this way. It is tedious, but very
secure as well.
--
Austin Gonyou
Systems Architect, CCNA
Coremetrics, Inc.
Phone: 512-796-9023
email: [EMAIL PROTECTED]
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, September 26, 2001 2:30 PM
> To: Nick Nauwelaerts
> Cc: [EMAIL PROTECTED]
> Subject: Re: Why restrict root logins?
>
>
> [ On Wednesday, September 26, 2001 at 11:10:28 (+0200), Nick
> Nauwelaerts wrote: ]
> > Subject: Re: Why restrict root logins?
> >
> > One point that still hasn't been raised in this thread (I think). This
> > applies mostly to interactive logins, and to a much lesser degree to the
> > use of ssh keyfiles.
> > Having allowrootlogin on a box that's connected to the net gives away one
> > of 2 things needed for a successful login: a username. Since the root user
> > on most boxes is also called root, this gives any attacker a foothold on
> > your system. He then only needs to find the correct pass{word,key}. Else he
> > would need to find a username (and not every user has root privileges, of
> > course) first, which adds an extra step in gaining unauthorized access.
> > I personally find it best not to give anyone the root password. Everything
> > root does can also be done with a sudo -s, which gives a root shell.
>
> Sudo is a VERY weak mechanism for forcing accountability. It can very
> easily be subverted, and it has very poor authentication and
> authorisation mechanisms which are also easily subverted.
>
> --
> Greg A. Woods
>
> +1 416 218-0098 VE3TCP <[EMAIL PROTECTED]>
> <[EMAIL PROTECTED]>
> Planix, Inc. <[EMAIL PROTECTED]>; Secrets of the Weird
> <[EMAIL PROTECTED]>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
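As an added illustration of the two positions in this thread (it is not code from either poster), the script below audits a sudoers file against /etc/group to list who actually reaches root through sudo: it reports which users got access through a named group (the accounting scheme Austin describes) versus a direct per-user grant, and flags grants whose command list is an unrestricted ALL, since that permits `sudo -s`/`sudo -i` and command-level logging then stops at the shell, which is the weakness Greg points to. Both input files are constructed samples embedded inline; the parser handles plain user and %group lines only, not aliases, Defaults or includes.

```python
"""Audit who can reach root through sudo, given sudoers and group files.

Added example, not part of the thread. Parsing covers the common sudoers
forms only (one user or %group spec per line); aliases, Defaults and
@include directives are deliberately out of scope.
"""
import re
from collections import defaultdict

# Constructed sample /etc/group content (assumed users and groups).
SAMPLE_GROUP = """\
root:x:0:
wheel:x:10:alice,bob
ops:x:500:carol
users:x:100:alice,bob,carol,dave
"""

# Constructed sample sudoers. The first spec follows the group-only scheme
# from the thread; the others are entries an auditor would want surfaced.
SAMPLE_SUDOERS = """\
# group-scoped full access; members are explicitly accounted for
%wheel ALL=(ALL) ALL
# command-scoped access for the ops group
%ops ALL=(root) /usr/sbin/service
# a direct per-user grant that bypasses the group accounting
dave ALL=(ALL) NOPASSWD: ALL
"""

# who  hosts = (runas) commands   -- runas part is optional
SPEC_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)


def parse_groups(text):
    """Map group name -> set of supplementary member usernames."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, _gid, members = line.split(":", 3)
        groups[name] = {m for m in members.split(",") if m}
    return groups


def parse_sudoers(text):
    """Yield (who, runas, command-string) for each plain user/group spec."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SPEC_RE.match(line)
        if m:
            yield m.group("who"), m.group("runas") or "root", m.group("cmds").strip()


def sudo_access(sudoers_text, group_text):
    """Return {user: [(source, cmds), ...]} for every user who can use sudo.

    source is the "%group" the grant came through, or "direct" for a
    per-user line that sits outside the group-based accounting.
    """
    groups = parse_groups(group_text)
    access = defaultdict(list)
    for who, _runas, cmds in parse_sudoers(sudoers_text):
        if who.startswith("%"):
            for user in sorted(groups.get(who[1:], ())):
                access[user].append((who, cmds))
        else:
            access[who].append(("direct", cmds))
    return dict(access)


def shell_capable(cmds):
    """True when the command spec is an unrestricted ALL (tags stripped).

    ALL permits `sudo -s` / `sudo -i`, so sudo's per-command log records
    only the shell invocation, not what is done inside it.
    """
    tags_stripped = re.sub(r"\b[A-Z]+:\s*", "", cmds)  # drop NOPASSWD: etc.
    return tags_stripped.strip() == "ALL"


def audit(sudoers_text, group_text):
    """Return (user, finding, cmds) tuples for grants an auditor should review."""
    findings = []
    for user, grants in sorted(sudo_access(sudoers_text, group_text).items()):
        for source, cmds in grants:
            if source == "direct":
                findings.append((user, "direct grant outside group accounting", cmds))
            if shell_capable(cmds):
                findings.append((user, "unrestricted root shell via " + source, cmds))
    return findings


if __name__ == "__main__":
    for user, grants in sorted(sudo_access(SAMPLE_SUDOERS, SAMPLE_GROUP).items()):
        print(user, grants)
    for finding in audit(SAMPLE_SUDOERS, SAMPLE_GROUP):
        print("FINDING:", *finding)
```

On the sample data, alice and bob are reachable only through %wheel (accounted for, but shell-capable), carol has a command-scoped grant with no finding, and dave is reported twice: once for the direct grant and once because that grant is an unrestricted ALL. Run it against a real system by reading /etc/sudoers (as root) and /etc/group instead of the embedded samples.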