
Re: Root SSH permitted by default (was: how does root run a graphical prog)



On Tue, May 21, 2002 at 08:54:15PM +0200, Hans Ekbrand wrote:
> On Tue, May 21, 2002 at 07:44:10PM +0100, Colin Watson wrote:
> > > How so?  Regularly sudo'ing, sure, since that uses the user's password
> > > as a (hopefully limited) root password. 
> 
> On the contrary, since sudo'ing does not require the use of root's
> frequent use of sudo will never reveal the root password. No sane
> person will set up sudo to give unlimited root access, that would
> defeat the whole purpose with sudo.

Never reveal the root password, sure.  But I frequently see
suggestions that you should use sudo instead of su without explaining
that it needs to be locked down.  I've worked with a competent (but
insufficiently paranoid) sysadmin who thought nothing of using 'sudo
bash' on a regular basis.

Even among those who do know enough to lock down sudo, there are many
who don't know how to do it properly and will reason that if Bob
needs to be able to add users to groups, it's perfectly safe to let
him 'sudo vi /etc/group' without realizing that this gives Bob easy
access to a root shell.  And that's without even considering the
possibility of programs that can be convinced to execute arbitrary
commands even though they weren't designed to...

At this point, I'm sure it comes as no surprise that I tend to
consider an account with sudo access to be root-equivalent.

-- 
When we reduce our own liberties to stop terrorism, the terrorists
have already won. - reverius

Innocence is no protection when governments go bad. - Tom Swiss
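
Added example, not part of the original message: a small audit that reads sudoers-style entries and flags the grants the message treats as root-equivalent ('sudo bash', 'sudo vi /etc/group'), while accepting sudo's own sudoedit and NOEXEC: forms. The sample entries, the program lists and the simplified line parsing (no alias expansion) are assumptions made for the illustration.

```python
import re

# Constructed sample sudoers entries (not taken from the original message).
SAMPLE = """\
alice ALL=(ALL) ALL
bob   ALL=(root) /usr/bin/vi /etc/group
carol ALL=(root) NOPASSWD: /bin/bash
dave  ALL=(root) sudoedit /etc/group
erin  ALL=(root) NOEXEC: /usr/bin/less /var/log/syslog
"""

SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh"}
# Assumed, non-exhaustive list of programs able to start other commands.
ESCAPABLE = {"vi", "vim", "emacs", "less", "more", "man", "find", "awk"}

RULE = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.*)$")
TAG = re.compile(r"^([A-Z_]+):\s*")


def audit(text):
    """Return (user, command, reason) for each root-equivalent grant found."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = RULE.match(line)
        # Defaults and *_Alias lines are skipped; aliases are not expanded.
        if not m or m.group(1).startswith("Defaults") or m.group(1).endswith("_Alias"):
            continue
        user, cmds = m.groups()
        noexec = False  # tags carry over to later commands on the same line
        for cmd in (c.strip() for c in cmds.split(",")):
            while (t := TAG.match(cmd)):
                if t.group(1) in ("NOEXEC", "EXEC"):
                    noexec = t.group(1) == "NOEXEC"
                cmd = cmd[t.end():]
            if not cmd:
                continue
            name = cmd.split()[0].rsplit("/", 1)[-1]
            if name == "ALL":
                findings.append((user, cmd, "unrestricted root"))
            elif name in SHELLS:
                findings.append((user, cmd, "root shell"))
            elif name in ESCAPABLE and not noexec:
                findings.append((user, cmd, "can start other commands as root"))
    return findings


if __name__ == "__main__":
    for user, cmd, reason in audit(SAMPLE):
        print(f"{user}: {cmd!r} -> {reason}")
```

NOEXEC depends on the dynamic linker, so the check treats it as a mitigation rather than a guarantee; sudoedit is the safer fix for the "edit /etc/group" case.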

