[TriLUG] Privileges and Social Engineering

Jeff Tickle jtickle at jtsoft.net
Sat Jun 12 18:35:34 EDT 2004


On Fri, 2004-06-11 at 21:30, Mike Fieschko wrote:
> One of the Mandrake security levels doesn't allow any root login.  I hope that Mandrake's install requires a nonroot account, especially if that security level is selected.  You can still do `su root` or `su - root`, of course.  My $0.02: if a box has a NIC, or if networking is otherwise set up, then no root login ought to be allowed.

I don't really see the point in preventing root login.  As long as you
have a secure password, it shouldn't really be a problem... and if
there's a possible vulnerability that allows someone to get around the
root password, couldn't there also be a vulnerability that allows them
to get around root login being blocked?  I mean at some point you have
to be able to access root, even if its through su or sudo, and unless
you totally remove that root user privilege, there's still a risk.  I'd
just like to hear a bit more on this explanation if you don't mind,
maybe there's some factor that I don't know.

Obviously there's a great possibility Linux has a security hole in it
somewhere.  But you can't live life on fears like that; only on the fact
that the release cycle for Free software (especially when it comes to
security issues) is very, very fast.  ;-)

> No matter how the installer words the warning, it'll be ignored by folks, just as motd is.

This is the situation where I agree with disabling root logins.  Not for
security against hacking or viruses, but for security against users who
don't understand security.  So the theoretical installer designed for
the simplest of users would not give any indication that "root" is a
user you can actually log into the system as, and if anyone ever got the
idea to try logging in as root, it would fail anyway.  So in a way
you're right... if it's worded as a warning, no one will heed it.  Don't
word it as a warning.  Word it as though there's no other way to do it. 
The linux geeks will know better (and hopefully understand security),
and the regular users won't realize that root is actually a user, simply
because there's no indication of that.  There's just a configuration
password and their user account.

-Jeff

-- 
Jeff Tickle <jtickle at jtsoft.net>
JTSoft.net




More information about the TriLUG mailing list