Re: Root SSH permitted by default (was: how does root run a graphical prog)

To: debian-user@lists.debian.org
Cc: Dave Sherohman <esper@sherohman.org>
Subject: Re: Root SSH permitted by default (was: how does root run a graphical prog)
From: Colin Watson <cjwatson@debian.org>
Date: Tue, 21 May 2002 19:44:10 +0100
Message-id: <[🔎] 20020521184410.GB10438@arborlon.riva.ucam.org>
Mail-followup-to: debian-user@lists.debian.org, Dave Sherohman <esper@sherohman.org>
In-reply-to: <[🔎] 20020521132320.D5706@sherohman.org>
References: <[🔎] 20020520234531.A5314@singnet.com.sg> <[🔎] 200205201849.19341.gtdev@spearhead.de> <[🔎] 20020520123728.B606@sherohman.org> <[🔎] 20020520180150.GA30651@arborlon.riva.ucam.org> <[🔎] 20020520133749.19d52f42.jcollins@asgardsrealm.net> <[🔎] 20020520192610.GC31416@arborlon.riva.ucam.org> <[🔎] 20020521132320.D5706@sherohman.org>

On Tue, May 21, 2002 at 01:23:20PM -0500, Dave Sherohman wrote:
> On Mon, May 20, 2002 at 08:26:11PM +0100, Colin Watson wrote:
> > Like the document says, regularly su'ing to root from an account makes
> > compromising that account essentially equivalent to compromising root
> > anyway.
> 
> How so?  Regularly sudo'ing, sure, since that uses the user's password
> as a (hopefully limited) root password.  Or if the user's password
> and the root password are the same (which is a problem unto itself).
> However, I have two separate (and relatively strong) passwords for my
> user account and for root.  In this situation, how would frequent use of
> su from my account "make compromising that account essentially equivalent
> to compromising root"?

Do you check for processes running under your uid every time you run su?
Not many people do. It's sensible to consider an account root-equivalent
if it frequently escalates to root, and I know (paranoid) people who
maintain separate insecure and secure user accounts to make this
explicit.

-- 
Colin Watson                                  [cjwatson@flatline.org.uk]


-- 
To UNSUBSCRIBE, email to debian-user-request@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to:

Follow-Ups:
- Re: Root SSH permitted by default (was: how does root run a graphical prog)
  - From: Hans Ekbrand <hans@sociologi.cjb.net>
- Re: Root SSH permitted by default (was: how does root run a graphical prog)
  - From: Dave Sherohman <esper@sherohman.org>

References:
- how does root run a graphical prog
  - From: Willy S <spamtrap@bozz.com>
- Re: how does root run a graphical prog
  - From: Nicos Gollan <gtdev@spearhead.de>
- Re: how does root run a graphical prog
  - From: Dave Sherohman <esper@sherohman.org>
- Re: how does root run a graphical prog
  - From: Colin Watson <cjwatson@debian.org>
- Root SSH permitted by default (was: how does root run a graphical prog)
  - From: Jamin W.Collins <jcollins@asgardsrealm.net>
- Re: Root SSH permitted by default (was: how does root run a graphical prog)
  - From: Colin Watson <cjwatson@debian.org>
- Re: Root SSH permitted by default (was: how does root run a graphical prog)
  - From: Dave Sherohman <esper@sherohman.org>

Prev by Date: Re: Is it perfectly to pass argv[] this way to function ?
Next by Date: Re: Network problem/question.
Previous by thread: Re: Root SSH permitted by default (was: how does root run a graphical prog)
Next by thread: Re: Root SSH permitted by default (was: how does root run a graphical prog)
Index(es):
- Date
- Thread