Re: Single-use root account?
On Fri, 2003-11-07 at 09:10, J. Bruce Fields wrote:
> On Fri, Nov 07, 2003 at 08:19:00AM -0600, Ron Johnson wrote:
> > On Fri, 2003-11-07 at 07:55, J. Bruce Fields wrote:
> > > Why not? They already have physical access to the machine, what more
> > > would you give up to them by telling them the root password? For a home
> > > computer, I don't see much reason not to just stick the root password on
> > > a post-it note on the monitor.... You already trust anyone that's in a
> > > position to see it.
> >
> > And if a not-so-trustworthy "friend" or acquaintance wanders by,
> > he can destroy you.
>
> Sure. And the attack (memorize the password, go home, ssh in and do the
> dirty deed) is usually going to be easier than the attack without the
> password (remove the drive, do something with it, put it back in; or, if
> the BIOS is unprotected, just boot to your own floppy/cd). But I'd
> still argue that in a lot of situations the root-password-on-the-monitor
> is a pretty reasonable risk.
You're making the social engineer's job soooo easy.
> > The all-privilege sudo is the best idea, since the actions are
> > audited.
>
> Though note that the auditing is there to keep the honest honest--surely
> the audit trail isn't truly secure against an user with "all-privilege
> sudo".
But if the roommate doesn't know about it....
--
-----------------------------------------------------------------
Ron Johnson, Jr. ron.l.johnson@cox.net
Jefferson, LA USA
"Millions of Chinese speak Chinese, and it's not hereditary..."
Dr. Dean Edell
Reply to: