Re: Root is God? (was: Mutt & tmp files)

[Mathias Gygax <mg@trash.net>]

On Fre, Nov 16, 2001 at 02:58:48PM +0100, Ralf Dreibrodt wrote:
> Hi,

hi there,

> > > > > Root is God. Anything you do on the system is potentially visible to
> > > > > root.
> > 
> > this is, with the right patches applied, not true.
> 
> well, i thought this is the definition of root.

no. with LIDS you can protect files and syscalls even from root. in my
setup, root cannot even write to his own home directory.

> i wanted to post something about lids, but then i thought, it doesn't
> make sense in this case.

i think it does make sense.

> now we have the case, that someone does not trust the root user.

this is the case with a LIDS setup.

> when there are several systemadministrators, does is really make sense
> to install lids to have the possibility to give other (untrusted)
> users the root-pw?

with a carefully implemented LIDS, this is possible.

my root user can't write to /usr/*, doesn't have any special syscall
access to change network and firewall settings, can't SETUID/SETGID and
is really locked like a normal user etc. but... root in this setup is
useless. you can't do anything that looks like administration. you can
run the daemons that need root access, but they're limited and can't do
the full root stuff root usually does.

LIDS basically does protect the kernel from root.