Re: Can Debian's paranoia be tamed
On Sat, 2012-11-24 at 02:50 +0100, Ralf Mardorf wrote:
> On Sat, 2012-11-24 at 02:43 +0100, Ralf Mardorf wrote:
> > On Fri, 2012-11-23 at 20:28 -0500, Miles Fidelman wrote:
> > > Richard Owlett wrote:
> > > >
> > > >> As in, you were not able to log in as root, even though
> > > >> you'd enabled root and provided a root password during
> > > >> installation? That's also kind of weird. What about logging
> > > >> in as a normal user, and then opening a terminal window and
> > > >> typing "su" ?
> > > >
> > > > That was *NOT* my goal .
> > > > When booting, I wished "world domination" so to speak ;/
> > > >
> > > > "su" and "sudo" kept doing THEIR thing.
> > >
> > > ummm.... that's what su does - gives you "world domination"
> > It's wise not to run a complete session as root. It's better to e.g. use
> > a su frontend, e.g.
> > gksu thunar
> > or gksudo so that /etc/sudoers can be used to set up that no password is
> > required.
> > The menu entries can be edited with Alacarte, so instead of launching
> > Thunar, Nautilus or what ever file browser, launch it by gksudo thunar
> > and do this for all apps, that should run with root privileges.
> PS: It's completely useless to run a web browser with root privileges.
> If we explain how to enable to login as root, several people will do it.
> If several people do it, it becomes more interesting to attack Linux
> machines. After a while they not only will attack machines that run
> complete sessions with root privileges, but they also will learn to
> attack other machines.
PPS: I forgot to mention that if by /etc/sudoers it's allowed to execute
apps with root privilegs, even without password, the apps should not
have permissions to be overwritten, only root should be allowed to do
that, so that nobody can replace an app, by another app.