Re: Single-use root account?

On Fri, 2003-11-07 at 09:10, J. Bruce Fields wrote:
> On Fri, Nov 07, 2003 at 08:19:00AM -0600, Ron Johnson wrote:
> > On Fri, 2003-11-07 at 07:55, J. Bruce Fields wrote:
> > > Why not?  They already have physical access to the machine, what more
> > > would you give up to them by telling them the root password?  For a home
> > > computer, I don't see much reason not to just stick the root password on
> > > a post-it note on the monitor.... You already trust anyone that's in a
> > > position to see it.
> > 
> > And if a not-so-trustworthy "friend" or acquaintance wanders by,
> > he can destroy you.
> Sure.  And the attack (memorize the password, go home, ssh in and do the
> dirty deed) is usually going to be easier than the attack without the
> password (remove the drive, do something with it, put it back in; or, if
> the BIOS is unprotected, just boot to your own floppy/cd).  But I'd
> still argue that in a lot of situations the root-password-on-the-monitor
> is a pretty reasonable risk.

You're making the social engineer's job soooo easy.

> > The all-privilege sudo is the best idea, since the actions are
> > audited.
> Though note that the auditing is there to keep the honest honest--surely
> the audit trail isn't truly secure against a user with "all-privilege
> sudo".

But if the roommate doesn't know about it....

