Re: Why should non-root users have a password?
On Sun, Dec 07, 2003 at 11:28:41AM -0800, Tom wrote:
> If I have a firewall, and I'm the only person who uses my computer, do I
> really have to have a password on my non-root account?
>
> I know the answer is "yes" but -- why? They can't do anything to my
> machine anyway, except use it. And due to the firewall that never
> happens anyway.
>
The firewall probably mostly protects your computer, although most
probably it can be broken through if someone really wants to (the old
saying that if there is a door then there is a way through it).
As for the user password: just as an example, look at the break-in into
the Debian system. This was done using a regular user's password that
was sniffed on another computer, and then a local buffer overflow (there
is usually at least one floating around) was used to get the root
password.
Thus, if someone who knows what s/he is doing gets through your firewall
then they most probably can get full root privilege.
It's all a question of convenience versus how secure you want to feel.
Another option you can use is to enable passwordless login in gdm
(probably others can do this too). Thus a person would need physical
access to the computer to actually log in without a password.