* Robert Epprecht (epprecht@sunweb.ch) [011208 02:31]: > I need ssh to access some cvs servers. As the files are stored locally > below /usr/local/ and ordinary users have no write access there I called > ssh-keygen as root. But now I have my doubts if this was The Right > Thing to do regarding security. I *do* trust the cvs servers in > question and am not paranoid about security, but I do want a reasonable > security level. Comments welcome. Rather than root, add your user account to group staff. This gives you access to /usr/local. It should be noted, though, that this account becomes stronger than you can possibly imagine. (Well, not really, but it's easy for it to get root). One prime example of this is that /usr/local/sbin and /usr/local/bin come first in root's path. One could place a uid binary version of this there very easily: /usr/local/sbin/ls: cp /bin/bash ~h4x0r/r00t5h3ll chmod u+s ~h4x0r/r00t5h3ll rm /usr/local/sbin/bash exec /bin/ls $ARGS So, when doing this, only do it to accounts you trust very well and that are very well-guarded. It's best to only give group staff to (the person(s) who is/are root)'s user account(s). It is one step better than using root directly, though (IMO). This is also why you should specify full pathnames to anything you invoke as root =) good times, Vineet -- Satan laughs when # "I disapprove of what you say, but I will we kill each other. # defend to the death your right to say it." Peace is the only way. # --Beatrice Hall, The Friends of Voltaire, 1906
Attachment:
pgpLqOQy326bu.pgp
Description: PGP signature