disabling root and olpc passwords

Albert Cahalan acahalan at gmail.com
Sun Jan 13 01:30:56 EST 2008


Carl-Daniel Hailfinger writes:
> On 13.01.2008 01:45, M. Edward (Ed) Borasky wrote:

>> Typical Linux practice is the following:
>>
>> 1. One *never* allows remote shell login as "root" -- *ever* -- even
>> behind a firewall. One allows only *one* user in the "wheel" group to
>> log in to a shell account, and then *only* via "ssh".
>
> Which is almost as unsafe as using "root" directly.

It's exactly as unsafe, unless you count the obscurity value
of the non-root account. Note that "olpc" will not be obscure.

>> 2. When root access is needed, "sudo" is used, with the least permissive
>> mode possible.
>
> And once you start installing software globally via sudo, the account
> from which you called sudo to install software is (in almost all
> circumstances) effectively "root". Same goes for bootloader configuration.

Thank you! The sudo people sure do market that tool very well.
I was starting to wonder if everybody had gone insane. No, there
is no magic bullet for security, and sudo doesn't even help.

(excepting rare cases involving remote logging and multiple
poorly trusted admins -- as may be the case with employees
being paid to babysit a server)

>> Anything less than this level of security is a bad habit --
>> a *very* bad habit. Please don't encourage such habits,
>> or ask the open source community to cater to them.
>
> Actually, I would consider the belief that sudo makes things
> unconditionally safer to be mostly equivalent to the belief that
> a "personal firewall" (which is not a firewall) makes things
> unconditionally safer. IMO, use of sudo should be discouraged
> because it gives people a false sense of security.

I strongly agree. Also, sudo is 146K. Ditch sudo, save space,
and improve security all at the same time.

> Many people interpret complicated or work-intensive interfaces
> as damage and work around them. Often the workaround not only
> neutralizes the intent of the original interface, it actually
> makes things worse from the perspective of the person who tried
> to impose the interface on them in the first place.

Yep.

Firefox is starting to get me clicking OK to everything because
it throws up a pair of dialog boxes for most https sites. Lovely.
If there were actually a serious problem, I might not spot it.
Firefox is crying wolf, with predictable results.



More information about the Devel mailing list