Re: Doing administrative work

On Sun, Jan 21, 2007 at 10:03:30PM -0500, Jim Hyslop wrote:
OK, this latest discussion about logging in as root got me thinking. I'm
fairly new to Linux. Occasionally, when I need to set up something (as
an example, my recent DNS questions) I will need to edit a config file,
and restart the daemon. I usually start by logging in as myself, then
issue individual 'su [command]' commands. After a while, I get tired of
typing in the root password over and over, so I just issue a simple 'su'
and work as root from there.

Should I be taking a different approach?



Hi Jim,

As you see from all the replies, the answer is "it depends". To get a
specific answer, you need to give specific details on your overall
setup.

Personally, for me, I only have two regular users: me and my wife. I
have two computers connected via a crossover ethernet cable. Under
normal operating procedure, my 486 is just a glorified terminal (via
ssh) to my Athlon box. I have an ssh group and only members of ssh can
ssh into the box. SSH only listens on the local ethernet port. Only
public-key access is allowed. What this means is that the two
computers are really, from a security perspective, one computer. If an
attacker gains access to one, he gains access to both. Since they are
only 20 feet apart in the house its not a huge concern since they could
also just pull the backup off the shelf.

I don't log in as root, but run su - when needed. I never run X apps as
root. I have pam set up so that only members of group adm (which
includes only me) can su.

I could tighten security a lot if I wanted but I'd have to do a lot
locally to make it matter. Its all about total risk assessment. The
reason that _I_ don't run as root all the time is to protect myself from
my own stupid mistakes. I suppose then I could have pam setup so that
I don't have to give the root password; typing su gives enough pause.
On the other hand, I figure that if I need to su often enough to make
this an issue, then I'm doing it too often and would need to look at what
I was doing that I couldn't do as myself.

YMMV.

Doug.


--
To UNSUBSCRIBE, email to debian-user-REQUEST@xxxxxxxxxxxxxxxx
with a subject of "unsubscribe". Trouble? Contact listmaster@xxxxxxxxxxxxxxxx

Relevant Pages

  • Re: Alerting - Malicious software removal tool
    ... >needed to install an application that she could not install from ... >"Administrator" account. ... You failed to analyze the root cause and correct it ... use their computers to have fun. ...
    (microsoft.public.security.virus)
  • RE: Linux hacked
    ... Also, what exactly did the history file show, can you paste it into a mail ... > First let me say I'm a security novice. ... > been unsuccessful in getting root back. ... > via ssh but you could su in once logged in as one of three users. ...
    (Security-Basics)
  • Re: Linux hacked
    ... To find out what kernel version you are running, type "uname -a" without ... > been unsuccessful in getting root back. ... > via ssh but you could su in once logged in as one of three users. ...
    (Security-Basics)
  • Re: X11Forwarding, ssh -X, and /bin/su
    ... ]>but I'm not really tunneled using ssh then, ... ]connecting to the X server and have the home directory NFS-mounted ... ](unless you leave root unmapped over NFS, ... ]root-readable place and set the environment $XAUTHORITY variable ...
    (comp.security.ssh)
  • RE: Linux hacked
    ... hack the box, pull the drive and save it. ... Use the newest versions of Gentoo, Apache, SSH, PHP and Squirl Mail. ... been unsuccessful in getting root back. ... I found a hidden directory /var/tmp/.tmp that has a bunch of directories ...
    (Security-Basics)