Re: Root growing

On Tuesday 29 Jun 2010 23:25, while playing with a tin of spray paint,
Ulick Magee painted this mural:

David Bolt wrote:

You'd hope so, wouldn't you. I don't have much faith that some people
running servers, any servers, have even the slightest clue. If they
did, I don't think I'd see quite so many attempts to access phpmyadmin
and other such stuff on my web server.

That doesn't tell you all that much though.
It's a bit like spam.
It costs basically nothing to send out millions of attempts, and you
only need a few responses for it to pay off.

And, apparently, there are more than enough badly administered systems
with it accessible to the outside world, so it's worth doing.
Unfortunately.

PHP does seem to be one of the most popular ways to get inside a poorly
secured linux web server though.

Oh yes. I still remember a Linux specific worm spreading because of
insecure PHP and Apache installations. Looking at the datestamp of my
archived copy of the payload, it was around mid December 2005.

At the end of the day there are various ways that OSes attempt to limit
the effects of user stupidity, but there's no cure for admin stupidity.

There is; it's just illegal in most countries.

I'm not sure there are many that do. All the advice I see given,
especially when talking about running X as root, is basically
"just don't do it" TM.

You could call that the "inverse Nike" approach :)

Now that's something I hadn't thought about calling it.

As for things that need to be run as root, for instance using YaST2 to
do package maintenance as a normal user pops up the password dialog
box[0]. And, one thing I dislike about it is the checkbox allowing the
password to be remembered. It shouldn't be there, but it is, and I'll
bet that an awfully large number of users would also make sure the
password is remembered.

I was a bit dismayed when that first appeared in KDE3.something, too.

I'm not sure which one it was, but I think it was 11.0 that removed
that checkbox, accidentally or otherwise, but it reappeared with the
next version. Pity, as it would have been nice if they'd left it out.

I've never used it on a 'real' box, but recently tried it on an
oS11.2/KDE4 VM just to see what would happen: a thingy appears in the
taskbar saying that privileges are elevated.

I never use it. I don't like it and, from a security point of view,
wish it was possible to remove it completely. If it isn't there, you
can't be tempted to check it "just as a time saver."

Now whether that just applies to YaST (or whatever else originally
asked) or to anything, I don't know.

No idea.

And running with root, administrator, or whatever you'd like to call
it, still seems to be the default for the first user created even with
their latest "more secure" offering.

Well there's a big difference (I hope) between running as root and
having the password for root the same as your own

There is. You still need the root password, even if it is the same as
your normal user password, to do privileged actions. If that wasn't the
case, I'd be very worried.

- the latter has been
the default on openSUSE installations for a while now.

You can change that by, IIRC, either a single click or a few clicks at
installation time, at the same time as turning off auto-login and
sending root's mail to the named user. Boy do I wish they'd switch
defaults for those two as well.


Regards,
David Bolt

--
Team Acorn: www.distributed.net
openSUSE 11.0 32b | | | openSUSE 11.3RC1 32b
| openSUSE 11.1 64b | openSUSE 11.2 64b |
TOS 4.02 | openSUSE 11.1 PPC | RISC OS 4.02 | RISC OS 3.11
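
The phpmyadmin probes mentioned near the top of the thread are easy to pick out of an access log and count per source. This is an added example, not code from the post or from any project it names: a small Python filter over constructed Apache combined-format log lines that tallies phpMyAdmin-style discovery requests per client; the extra path prefixes "pma" and "myadmin" are an assumption beyond the single name the post mentions.

```python
import re
from collections import Counter

# Constructed Apache "combined" access log lines (sample data, not the
# poster's real logs): one host walking several phpMyAdmin-style paths,
# one ordinary visitor, and one host that tries only once.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Jun/2010:22:10:01 +0100] "GET /phpmyadmin/ HTTP/1.1" 404 512 "-" "Mozilla/4.0"
203.0.113.7 - - [29/Jun/2010:22:10:02 +0100] "GET /phpMyAdmin/index.php HTTP/1.1" 404 512 "-" "Mozilla/4.0"
203.0.113.7 - - [29/Jun/2010:22:10:03 +0100] "GET /pma/ HTTP/1.1" 404 512 "-" "Mozilla/4.0"
198.51.100.2 - - [29/Jun/2010:22:11:15 +0100] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [29/Jun/2010:22:12:40 +0100] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 512 "-" "Mozilla/4.0"
"""

# The fields of the combined log format that the counter needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Assumed path prefixes that scanners try when hunting for a phpMyAdmin
# install; the post only names "phpmyadmin", the rest are assumptions
# and can be extended to match what shows up in your own logs.
PROBE_RE = re.compile(r'^/(phpmyadmin|pma|myadmin)(/|$)', re.IGNORECASE)


def is_probe(path: str) -> bool:
    """True if the request path looks like a phpMyAdmin discovery attempt."""
    return PROBE_RE.match(path) is not None


def probe_summary(log_text: str) -> dict:
    """Return {client_ip: probe_count}; malformed lines are skipped and
    clients that only fetched ordinary pages are left out."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue
        if is_probe(m.group("path")):
            counts[m.group("ip")] += 1
    return dict(counts)


def noisy_clients(log_text: str, threshold: int = 2) -> list:
    """Addresses that issued at least `threshold` probes, busiest first."""
    summary = probe_summary(log_text)
    return sorted((ip for ip, n in summary.items() if n >= threshold),
                  key=lambda ip: (-summary[ip], ip))
```

On a real log the interesting output is `noisy_clients`, which is the list you would feed to a blocklist or a fail2ban-style rule; the single-probe host is deliberately below the default threshold.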
