On Fri, 2004-06-11 at 21:30, Mike Fieschko wrote:

> One of the Mandrake security levels doesn't allow any root login. I hope that
> Mandrake's install requires a nonroot account, especially if that security level is
> selected. You can still do `su root` or `su - root`, of course. My $0.02: if a box
> has a NIC, or if networking is otherwise set up, then no root login ought to be
> allowed.
I don't really see the point in preventing root login. As long as you have a secure password, it shouldn't really be a problem... and if there's a possible vulnerability that allows someone to get around the root password, couldn't there also be a vulnerability that allows them to get around root login being blocked? I mean at some point you have to be able to access root, even if it's through su or sudo, and unless you totally remove that root user privilege, there's still a risk. I'd just like to hear a bit more on this explanation if you don't mind, maybe there's some factor that I don't know.

Obviously there's a great possibility Linux has a security hole in it somewhere. But you can't live life on fears like that; only on the fact that the release cycle for Free software (especially when it comes to security issues) is very, very fast. ;-)

> No matter how the installer words the warning, it'll be ignored by folks, just as
> motd is.

This is the situation where I agree with disabling root logins. Not for security against hacking or viruses, but for security against users who don't understand security. So the theoretical installer designed for the simplest of users would not give any indication that "root" is a user you can actually log into the system as, and if anyone ever got the idea to try logging in as root, it would fail anyway.

So in a way you're right... if it's worded as a warning, no one will heed it. Don't word it as a warning. Word it as though there's no other way to do it. The Linux geeks will know better (and hopefully understand security), and the regular users won't realize that root is actually a user, simply because there's no indication of that. There's just a configuration password and their user account.
-Jeff

-- 
Jeff Tickle <[EMAIL PROTECTED]>
JTSoft.net

-- 
TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
TriLUG PGP Keyring : http://trilug.org/~chrish/trilug.asc
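An added example, not code from the thread or from Mandrake, of what "no root login" actually comes down to in configuration on a Linux box of that era: the sshd `PermitRootLogin` directive, `/etc/securetty` for console logins, and whether root's password field in `/etc/shadow` is locked (which is what leaves only `su`/`sudo` from a user account). All file paths are parameters and the sample files are constructed, so it never reads the live system.

```shell
#!/bin/sh
# Added example (not from the thread): audit the three places a 2004-era Linux
# box decides whether root may log in directly. Paths are parameters so the
# checks run against constructed sample files, not the live system.

# sshd_config: the first PermitRootLogin directive wins; OpenSSH before 7.0
# defaulted to "yes" when the directive was absent entirely.
ssh_root_login() {
    v=$(awk 'tolower($1)=="permitrootlogin" {print tolower($2); exit}' "$1")
    printf '%s\n' "${v:-yes}"
}

# /etc/securetty: login(1) refuses root on any tty not listed. An empty file
# refuses root on every tty; a missing file allows root on all of them.
console_root_allowed() {
    if [ -e "$1" ] && [ ! -s "$1" ]; then printf 'no\n'; else printf 'yes\n'; fi
}

# /etc/shadow: a password field starting with "!" or equal to "*" means root
# cannot authenticate by password at all (SSH keys are a separate matter).
root_password_locked() {
    h=$(awk -F: '$1=="root" {print $2; exit}' "$1")
    case "$h" in
        '!'*|'*') printf 'yes\n' ;;
        *)        printf 'no\n' ;;
    esac
}

# Verdict: "blocked" only if sshd refuses root outright (a locked password does
# not stop key-based SSH login) and the console path is closed by securetty or
# by the locked password; otherwise root can still log in somewhere: "direct".
root_login_verdict() {   # $1 sshd_config  $2 securetty  $3 shadow
    if [ "$(ssh_root_login "$1")" = no ] && {
         [ "$(console_root_allowed "$2")" = no ] || [ "$(root_password_locked "$3")" = yes ]; }
    then printf 'blocked\n'; else printf 'direct\n'; fi
}

# Constructed sample: a networked box whose admin never set PermitRootLogin.
d=$(mktemp -d)
printf 'Port 22\nProtocol 2\n' > "$d/sshd_config"
printf 'tty1\ntty2\n' > "$d/securetty"
printf 'root:$1$constructed$hashvalue:12580:0:99999:7:::\n' > "$d/shadow"
printf 'ssh=%s console=%s locked=%s verdict=%s\n' \
    "$(ssh_root_login "$d/sshd_config")" "$(console_root_allowed "$d/securetty")" \
    "$(root_password_locked "$d/shadow")" \
    "$(root_login_verdict "$d/sshd_config" "$d/securetty" "$d/shadow")"
rm -rf "$d"
```

The constructed sample prints `ssh=yes console=yes locked=no verdict=direct`, which is the state Mike's security level is meant to rule out on any box with a NIC.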
