Re: Permissions on /root/

[Dale Amon <amon@vnl.com>]

On Sat, Mar 08, 2003 at 08:07:51PM +0100, Christian Jaeger wrote:
> Isn't it the same as for any user account? If that user (who maybe 
> shares his account with other people) wants his home dir private, he 
> can do so. Or create a subdir which is private(*). I just see no 

Typical user accounts are not the same as the root 
user unless you go to selinux where you have to 
assume the admin role to actually do anything. Since
I'm not running selinux on any production servers (yet)
I prefer to put as severe a wall as I can between luser
and root as I possibly can.

The friendliness of privs depends very much on what
it is you are doing. If the machine happens to be
a firewall protecting a LAN with proprietary data,
or a web server with many large web sites, the
criteria are rather different.

As I said, I use /root more as the common home for
the admin group. Not necessarily security important 
things there all the time, but sometimes transiently 
there is.

Security means turn everything off until the machine
is totally unusable, and then turn them back on until
you've got precisely what is required for the purpose
and no more.

Life will get easier when selinux goes more main 
stream as these things will be easily handled via
policy rather than file owner/mode settings.

-- 
------------------------------------------------------
       IN MY NAME:            Dale Amon, CEO/MD
  No Mushroom clouds over     Islandone Society
    London and New York.      www.islandone.org
------------------------------------------------------