Re: Root growing
- From: David Bolt <blacklist-me@xxxxxxxxxx>
- Date: Tue, 29 Jun 2010 23:59:58 +0100
On Tuesday 29 Jun 2010 23:25, while playing with a tin of spray paint,
Ulick Magee painted this mural:

> David Bolt wrote:
>
>> You'd hope so, wouldn't you. I don't have much faith that some people
>> running servers, any servers, have even the slightest clue. If they
>> did, I don't think I'd see quite so many attempts to access phpmyadmin
>> and other such stuff on my web server.
>
> That doesn't tell you all that much though.

It's a bit like spam.

It costs basically nothing to send out millions of attempts, and you
only need a few responses for it to pay off.

And, apparently, there are more than enough badly administered systems
with it accessible to the outside world, so it's worth doing.

> PHP does seem to be one of the most popular ways to get inside a poorly
> secured linux web server though.

Oh yes. I still remember a Linux-specific worm spreading because of
insecure PHP and Apache installations. Looking at the datestamp of my
archived copy of the payload, it was around mid-December 2005.

> At the end of the day there are various ways that OSes attempt to limit
> the effects of user stupidity, but there's no cure for admin stupidity.

There is; it's just illegal in most countries.

>> I'm not sure there's many that do. All the advice I see given,
>> especially when talking about running X as root, is basically
>> "just don't do it"(TM).
>
> You could call that the "inverse Nike" approach :)

Now that's something I hadn't thought about calling it.

>> As for things that need to be run as root, for instance using YaST2 to
>> do package maintenance as a normal user pops up the password dialog
>> box. And, one thing I dislike about it is the checkbox allowing the
>> password to be remembered. It shouldn't be there, but it is, and I'll
>> bet that an awfully large number of users would also make sure the
>> password is remembered.
>
> I was a bit dismayed when that first appeared in KDE3.something, too.

I'm not sure which one it was, but I think it was 11.0 that removed
that checkbox, accidentally or otherwise, but it reappeared with the
next version. Pity, as it would have been nice if they'd left it out.

> I've never used it on a 'real' box, but recently tried it on an
> oS11.2/KDE4 VM just to see what would happen; a thingy appears in the
> taskbar saying that privileges are elevated.

I never use it. I don't like it and, from a security point of view,
wish it was possible to remove it completely. If it isn't there, you
can't be tempted to check it "just as a time saver."

> Now whether that just
> applies to YaST (or whatever else originally asked) or to anything, I

>> And running with root, administrator, or whatever you'd like to call
>> it, still seems to be the default for the first user created even with
>> their latest "more secure" offering.
>
> Well, there's a big difference (I hope) between running as root and
> having the password for root the same as your own

There is. You still need the root password, even if it is the same as
your normal user password, to do privileged actions. If that wasn't the
case, I'd be very worried.

> - the latter has been
> the default on openSUSE installations for a while now.

You can change that by, IIRC, either a single click or a few clicks at
installation time, at the same time as turning off auto-login and
sending root's mail to the named user. Boy do I wish they'd switch
defaults for those two as well.
Team Acorn: www.distributed.net
openSUSE 11.0 32b | | | openSUSE 11.3RC1 32b
| openSUSE 11.1 64b | openSUSE 11.2 64b |
TOS 4.02 | openSUSE 11.1 PPC | RISC OS 4.02 | RISC OS 3.11
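As an added example, not part of the thread and not code from either poster: a small Python script that picks the phpMyAdmin-style probes David mentions out of Apache combined-format access log lines, counts them per client address, and separates the harmless noise (a 404 for a directory the server never had) from the one response that actually matters, a probe that got a 200, redirect or auth challenge because the panel really is reachable from outside. The probe directory list, the sample log lines and the client addresses are constructed for this example; the addresses are RFC 5737 documentation ranges, not real traffic.

```python
import re
from collections import Counter

# Apache "combined" log format (also nginx's default), one request per line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Directory names scanners try when hunting for phpMyAdmin and similar
# web admin panels. The optional suffix admits versioned copies such as
# /phpMyAdmin-2.11.5/ without also matching unrelated paths like /pmap/.
# The list is assembled for this example, not taken from any scanner.
PROBE_RE = re.compile(
    r'^/(?:phpmyadmin|pma|myadmin|mysqladmin|mysql|dbadmin|websql)'
    r'(?:[-_.0-9][^/]*)?(?:/|$)',
    re.IGNORECASE,
)

# Any of these means the path exists on the server: the panel is reachable
# from the outside, which is exactly the "badly administered" case.
PANEL_PRESENT = {200, 301, 302, 401, 403}


def is_probe(path):
    """True if the request path looks like an admin-panel probe."""
    return PROBE_RE.match(path.split("?", 1)[0]) is not None


def parse_line(line):
    """Parse one combined-format line; return a dict, or None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def summarise(lines):
    """Count probes per client and list the probes that found a live panel."""
    probes_per_ip = Counter()
    found_panel = []
    skipped = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1          # malformed line: count it, don't crash
            continue
        if not is_probe(rec["path"]):
            continue              # ordinary traffic, including ordinary 404s
        probes_per_ip[rec["ip"]] += 1
        if rec["status"] in PANEL_PRESENT:
            found_panel.append((rec["ip"], rec["path"], rec["status"]))
    return {"probes_per_ip": probes_per_ip,
            "found_panel": found_panel,
            "skipped": skipped}


# Constructed sample log: one scanner that finds nothing, one normal visitor,
# and one scanner that hits a phpMyAdmin install that really is exposed.
SAMPLE_LOG = """\
203.0.113.5 - - [29/Jun/2010:23:01:10 +0100] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.5 - - [29/Jun/2010:23:01:11 +0100] "GET /pma/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.5 - - [29/Jun/2010:23:01:12 +0100] "GET /PhpMyAdmin/scripts/setup.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.5 - - [29/Jun/2010:23:01:13 +0100] "GET /phpMyAdmin-2.11.5/index.php?lang=en HTTP/1.1" 404 209 "-" "Mozilla/5.0"
192.0.2.44 - - [29/Jun/2010:23:05:00 +0100] "GET /index.html HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
192.0.2.44 - - [29/Jun/2010:23:05:01 +0100] "GET /pmap/data.json HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.7 - - [29/Jun/2010:23:10:42 +0100] "GET /phpMyAdmin/ HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
198.51.100.7 - - [29/Jun/2010:23:10:43 +0100] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
this line is not a log entry
""".splitlines()


if __name__ == "__main__":
    result = summarise(SAMPLE_LOG)
    for ip, n in result["probes_per_ip"].most_common():
        print(f"{ip}: {n} admin-panel probe(s)")
    for ip, path, status in result["found_panel"]:
        print(f"LIVE PANEL: {ip} hit {path} -> {status}")
    print(f"{result['skipped']} malformed line(s) skipped")
```

Run it against a real access log with `summarise(open("/var/log/apache2/access_log"))`. The per-address counts are the "spam" David describes and are only worth a glance; anything in `found_panel` is the case worth acting on, since it means the panel answered rather than the server returning 404.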