So if there is no way to talk to the system from the outside (I know, scoff
scoff), and only X number of people are created as users on that system, and
all known remote exploits are accounted for, all buffer overflows stopped at
some level, usually in userspace and beyond, can someone still get root
if they are not allowed to because they cannot run commands except for a
finite amount, ls, cd, and such? On top of that, all commands are aliased,
and not allowed to be unset; if they are, they won't have access to
anything. So someone can still get root at that level? Now, as to the goal-
based attacks, it would stand to reason that as long as they have access to
some user's account on the box which has access to key info, data the
attacker might be after, then that could be viewed as an attack, but that
would also narrow down quite a bit who had access to what, thus still making
it better and easier to figure out WHO did what, and ultimately easier to
track down suspects, etc.


-- 
Austin Gonyou
Systems Architect, CCNA
Coremetrics, Inc.
Phone: 512-796-9023
email: [EMAIL PROTECTED] 
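The scheme described above (root reachable only through sudo, sudo granted only to named groups, every use accounted for) can be expressed in sudoers. The fragment below is an added example, not the poster's configuration; the group names, the command list and the log path are assumptions:

```sudoers
# Added example, not the configuration from the thread.
# Every sudo invocation is written to a log with host and year stamped.
Defaults    logfile=/var/log/sudo.log
Defaults    log_host, log_year
Defaults    requiretty

# Only members of the "sysadmin" group (an assumed name) may run
# anything as root; nobody else matches any rule, so sudo refuses them.
%sysadmin   ALL=(root) ALL

# Members of "operators" (assumed) get a finite command list as root.
# Full paths are mandatory so an alias or PATH change cannot substitute
# a different binary for the one listed.
Cmnd_Alias  OPS = /bin/ls, /usr/bin/tail -f /var/log/messages
%operators  ALL=(root) OPS
```

Two checks a practitioner wants before trusting such a list: `sudo -l` as each user shows exactly what that user has been granted, and every command on the list must be one that cannot spawn a shell or open an arbitrary file (editors, pagers and anything with a `!` escape turn a finite list into full root). Modern sudo offers the `NOEXEC:` tag to block sub-process execution from a listed command, but a command that writes files as root still needs its arguments pinned, as `tail -f /var/log/messages` is above.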

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, September 26, 2001 3:25 PM
> To: Gonyou, Austin
> Cc: [EMAIL PROTECTED]
> Subject: RE: Why restrict root logins?
> 
> 
> [ On Wednesday, September 26, 2001 at 14:40:48 (-0500), 
> Gonyou, Austin wrote: ]
> > Subject: RE: Why restrict root logins?
> >
> > you are only partially correct. I developed a scheme on Linux where you
> > cannot have root access, except for using sudo, but if sudo is only allowed
> > for certain groups, then only a small subset of people, who are explicitly
> > told they can, have access to sudo and are fully accounted for. This in
> > addition to some other ACLs, perhaps, XFS, etc, allows almost no one to get
> > sudo, without being accounted for in this way. It is tedious, but very
> > secure as well.
> 
> having read the sudo code, and understanding goal-based attacks in the
> way I do, I wouldn't bet on it.....
> 
> -- 
>                                                       Greg A. Woods
> 
> +1 416 218-0098      VE3TCP      <[EMAIL PROTECTED]>     <[EMAIL PROTECTED]>
> Planix, Inc. <[EMAIL PROTECTED]>;   Secrets of the Weird <[EMAIL PROTECTED]>
> 
