
just say 'no' to root passwords



On Fri, 2 Mar 2001, Alexander Hvostov wrote:

> Of course, all of this is meaningless, since with PAM, `su' _can_
> understand and honor the `wheel' group. Also, if RMS is so against
> authority and power, why is there a GNU `su' at all?
>
> In addition, where the rulers' (ie, sysadmins') power is not cemented,
> there is no security (e.g., because someone unauthorized has the root
> password). Where there is no security, there are 31337 H4X0RZ, who
> generally completely subvert the machine, rendering the entire point moot
> since now _nobody_ (except, of course, the aforementioned H4X0RZ) can use
> the machine.

I completely agree

<snip>

> Why GNU `su' does not support the `wheel' group
> ===============================================
>
>    (This section is by Richard Stallman.)
>
>    Sometimes a few of the users try to hold total power over all the
> rest.  For example, in 1984, a few users at the MIT AI lab decided to
> seize power by changing the operator password on the Twenex system and
> keeping it secret from everyone else.  (I was able to thwart this coup
> and give power back to the users by patching the kernel, but I wouldn't
> know how to do that in Unix.)
>
>    I'm on the side of the masses, not that of the rulers.  If you are
> used to supporting the bosses and sysadmins in whatever they do, you
> might find this idea strange at first.

ok, I find this strange... he's actually advocating the exploitation of
something which might be considered a security hole?

perhaps it's time I joined debian-security (my career seems to be taking
that path thanks to an *excellent* class by Robert Mahan of PNL and recent
local opportunities)

As Professor Mahan would say "passwords plain suck". I just realized it
would work and decided to star my root pw... leaving myself in
/etc/sudoers and wheel (that works right?)... on more secure systems
**without** passwords (rather biometrics/smartcards etc...) then only I
could have such access. Unless I left my point of access accessible to an
adversary *with* my access token.

The reason ESR's system was exploited is that passwords and all easily
replicated authentication methods suck.

If one method of strong authentication isn't enough for an individual why
would two or ten be enough? Why have a separate authentication token for
administrators that can just be transmitted? With finer grained security
(see recent kernel 2.4 security features article) there should be *no*
user accessible god account (perhaps save via booting to single user mode
or another exploit requiring both physical access and a noticeable
interruption of service when dealing with dire consequences). Of course
this is as I said on a much more secure system than is practical for home
users.

Sorry if some of this is too basic or too theoretical but I'm new to the
field and a little excited by it. ;->


-karl
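
An added example, not part of the original message: a shell check that, once root's password field is starred as described above, a sudo rule still covers a named user. The files are constructed samples; the account names `admin1` and `guest1` and all function names are assumptions, and sudoers parsing is simplified (no aliases, includes or line continuations).

```shell
# Added example: audit a "starred root password + sudo" setup for lockout.
# Sudoers parsing is simplified: no aliases, includes or line continuations.
root_pw_state() {  # SHADOW-FILE -> locked | empty | set | missing
    awk -F: '$1 == "root" {
        found = 1
        if ($2 == "") print "empty"            # no password at all
        else if ($2 ~ /^[*!]/) print "locked"  # no hash can match
        else print "set"
        exit
    }
    END { if (!found) print "missing" }' "$1"
}

user_groups() {  # USER GROUP-FILE -> names of groups that list USER
    awk -F: -v u="$1" '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) print $1
    }' "$2"
}

has_sudo_rule() {  # USER GROUP-FILE SUDOERS-FILE -> exit 0 if a rule names USER or %group
    principals="$1 $(user_groups "$1" "$2" | sed 's/^/%/' | tr '\n' ' ')"
    awk -v p="$principals" '
        BEGIN { n = split(p, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^[ \t]*#/ { next }                    # skip comment lines
        NF >= 2 && ($1 in ok) { found = 1 }
        END { exit !found }' "$3"
}

root_access_check() {  # USER SHADOW-FILE GROUP-FILE SUDOERS-FILE
    state=$(root_pw_state "$2")
    if [ "$state" != locked ]; then echo "root-password-$state"
    elif has_sudo_rule "$1" "$3" "$4"; then echo "ok"
    else echo "lockout"
    fi
}

# Constructed sample files (not from any real host).
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
printf '%s\n' 'root:*:11383:0:99999:7:::' 'admin1:$1$constructed$hash:11383:0:99999:7:::' > "$tmp/shadow"
printf '%s\n' 'wheel:x:10:admin1' 'users:x:100:admin1,guest1' > "$tmp/group"
printf '%s\n' '# %users ALL=(ALL) ALL' '%wheel ALL=(ALL) ALL' > "$tmp/sudoers"

root_access_check admin1 "$tmp/shadow" "$tmp/group" "$tmp/sudoers"  # in wheel, rule active
root_access_check guest1 "$tmp/shadow" "$tmp/group" "$tmp/sudoers"  # only rule is commented out
```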



