So on the Apple, does the user set the root password at some point? You make a good point that there are still good vulnerabilities in the home directory. I didn't think of those, and there's no real way around them. And you'll always indeed have the very few people (but enough) who install that cool program that "Bob" sent them. I don't suppose there's any real good way of getting around the problem...
Oh well. It was just a thought. Possibly still not a bad idea, but definitely not a 100% effective solution. -Jeff On Fri, 2004-06-11 at 19:41, Mike Johnson wrote: > It's -soooo- much easier than this. Apple has solved this problem in > OS X. It's so simple, it's brilliant. On first boot, a user is asked > to create an account for themselves. This is usually their name, and > they get an option for a nickname. Then, they -always- log in as this > user. Root is not enabled (OS X is UNIX under the covers, remember) and > this regular user is obviously limited in what they can do. If they > want to break out of that, they either use sudo from the command line, > or a pop-up screen comes up where they must enter their password. (Yes, > there are still social engineering things that can be done here, but > it's irrelevant, see below.) > > Now, all that said, keep in mind that a virus really doesn't need to be > root to spread. It can do all that just fine as your user. Maybe add a > little magic to your .bashrc, .profile, .cshrc, .login, etc just for > fun. It can still read your address book, it can still send mail as > you (for propigation), it can still be used as a zombie to DDoS SCO. > And with its addition of itself into your startup scripts, it won't go > away. Now, it's not difficult to get rid of the little beasty, and it > can't leave behind a rootkit, but it never needed root access at any > point along the way. > > Windows is a target rich environment, nothing more, nothing less. The > virus that I just described is pretty much how they work on Windows, > with the exception of adding themselves to the system startup. A virus > like this would also work on Solaris, AIX, FreeBSD, and even, OMG, > OpenBSD (and any other multiuser operating system). Hell, it could even > work on an SELinux system. All it takes is an email that says 'hey, run > this attached script'. > > Mike -- Jeff Tickle <[EMAIL PROTECTED]> JTSoft.net -- TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug TriLUG Organizational FAQ : http://trilug.org/faq/ TriLUG Member Services FAQ : http://members.trilug.org/services_faq/ TriLUG PGP Keyring : http://trilug.org/~chrish/trilug.asc
