
Re: ssh and root



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Vineet Kumar <debian-security@virtual.doorstop.net> writes:

> * Robert Epprecht (epprecht@sunweb.ch) [011208 02:31]:
> > I need ssh to access some cvs servers.  As the files are stored locally
> > below /usr/local/ and ordinary users have no write access there I called
> > ssh-keygen as root.  But now I have my doubts if this was The Right
> > Thing to do regarding security.  I *do* trust the cvs servers in
> > question and am not paranoid about security, but I do want a reasonable
> > security level.  Comments welcome.
> 
> Rather than root, add your user account to group staff. This gives
> you access to /usr/local. 

That would indeed be a lot better than ssh'ing in as root.  I believe
the default setup doesn't even let you (or was that a configuration
question?).

> It should be noted, though, that this account
> becomes stronger than you can possibly imagine. (Well, not really, but
> it's easy for it to get root). One prime example of this is that
> /usr/local/sbin and /usr/local/bin come first in root's path.

On my machine these come last by default(!) when I su

  user@frodo:~$ su 
  Password: 
  frodo:/home/user# echo $PATH
  /sbin:/bin:/usr/sbin:/usr/bin:/usr/bin/X11:/usr/local/sbin:/usr/local/bin
  frodo:/home/user# 

and they are not even there when logging in as root

  frodo login: root
  Password:
  [...]
  Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
  permitted by applicable law.
  frodo:~# echo $PATH
  /usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X11
  frodo:~#

Besides, when r00t you use full pathnames, not?
- -- 
Olaf Meeuwissen       Epson Kowa Corporation, Research and Development
GnuPG key: 6BE37D90/AB6B 0D1F 99E7 1BF5 EB97  976A 16C7 F27D 6BE3 7D90
LPIC-2               -- I hack, therefore I am --                 BOFH
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Processed by Mailcrypt 3.5.6 <http://mailcrypt.sourceforge.net/>

iD8DBQE8FUqCFsfyfWvjfZARAldtAJ47K/2STWf/fWny6AwLN2gC+k+VYwCcCQAH
Bt1IvMKp58m/g2VDpQQFxoE=
=CVXg
-----END PGP SIGNATURE-----
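
The messages above disagree on where /usr/local/sbin and /usr/local/bin fall in root's PATH, and that position decides what a group-writable entry can do. The following is an added example, not part of the original message: a POSIX shell check whose function name `audit_path` and output format are assumptions made for illustration. It lists PATH entries that are group-writable, world-writable, or relative/empty, and says whether each comes before or after the system directories.

```shell
#!/bin/sh
# Added example (not from the original message): list PATH entries that
# someone other than root may be able to fill with executables.
# Output, one line per finding: <position> <dir> <reason> <order>
audit_path() {
    rest="$1:"          # trailing ':' keeps a final empty entry visible
    idx=0
    order=before-system-dirs
    while [ -n "$rest" ]; do
        dir=${rest%%:*}
        rest=${rest#*:}
        idx=$((idx + 1))
        case $dir in
            /bin|/sbin|/usr/bin|/usr/sbin)
                # Entries after this point cannot shadow standard commands;
                # they only answer for names not found earlier.
                order=after-system-dirs ;;
            /*) ;;
            *)  # empty or relative entries resolve against the current directory
                echo "$idx ${dir:-<empty>} relative-or-empty $order"
                continue ;;
        esac
        [ -d "$dir" ] || continue
        # -H follows a symlinked entry; -prune tests only the directory itself.
        if [ -n "$(find -H "$dir" -prune -perm -0002 2>/dev/null)" ]; then
            echo "$idx $dir world-writable $order"
        elif [ -n "$(find -H "$dir" -prune -perm -0020 2>/dev/null)" ]; then
            gid=$(ls -ldn "$dir/." | awk '{print $4}')
            echo "$idx $dir group-writable(gid=$gid) $order"
        fi
    done
}

# Audit the PATH of the invoking shell; run as root to see root's view.
audit_path "$PATH"
```

Run it once from a `su` shell and once from a root login, since the two sessions shown above have different PATH values.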


