
Re: [cobalt-users] URGENT: Cannot su - while being admin



flash22@xxxxxxx wrote:

> http://www.linuxjournal.com/article.php?sid=5672
>  "don't allow root logins via ssh
>   directly, instead force users to login as a
>   regular user and use "su" to root. This will
>   help stem several attacks before they can even begin."

After carefully reading this entire article several times, I cannot find
any justification for this statement except that of pattern matching
after a known login attempt.  However, this gets negated by both the
ease of pattern-matching after the "su" (discussed in the article) and
the obvious fact that both admin and su passwords are the same in the
Cobalt environment.

> http://www.linuxdoc.org/HOWTO/Security-HOWTO-4.html
>  "There is no need to be able to login directly as root."

This quote is directly related to logging in using telnet; in fact the
/etc/securetty file it refers to restricts telnet logins, not ssh
logins.

> http://www.debian.org/doc/manuals/securing-debian-howto/ap-checklist.en.html
>  "Disable network root login; use su(1) ..."

This author gives no reasons or justifications for his/her statement.

> http://www.linuxdoc.org/HOWTO/Virtual-Services-HOWTO-13.html
>  "There is never an acceptable
>   time to allow root login's either through telnet or ssh. Doing so is
>   simply an invitation to disaster."
>  "No responsible administrator would ever do otherwise "

If you read this carefully, you'll realize the author is writing about
allowing users root access to the box on which their website is hosted. 
I don't see where the author is referring to the machine's administrator
at all.

> http://www.boran.com/security/unix2.html (IT Security Cookbook)
> "Direct root login should not be possible over the network "
> 'best practices guidelines'
> www.lbl.gov/ITSD/Security/docs/linux_guidelines.rtf
>  "Require that root users su to root from their user account rather
>  than logging in directly as root for accountability. Configure the
>  system to not allow root login over the network if possible."

Note the point "for accountability".  I agree, accountability is a great
reason to not allow root logins.  My original response was in
consideration of a machine for which only one user has the root
password.

Of course we could argue that since someone else could get the root
password, this way we could check logs to see who logged in and then
used the root password for su.  My (admittedly weak) argument back would
be that on the RaQ that user would also have the admin password and so
could log in and su from admin with no accountability present.

I also realized as I researched this reply that personally, I never log
in as root myself, so I guess I'm a hypocrite <wry grin>.

Jeff
-- 
Jeff Lasman <jblists@xxxxxxxxxxxxx>
Linux and Cobalt/Sun/RaQ Consulting
nobaloney.net
P. O. Box 52672, Riverside, CA  92517
voice: (909) 778-9980  *  fax: (702) 548-9484
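
The accountability point discussed in the message above, as an added example that is not part of the original post: it pairs each root session in an auth log with the account that obtained it and marks whether that account name identifies one person. The log lines are constructed in the usual sshd and pam_unix syslog style, and the `SHARED_ACCOUNTS` set (treating `admin` as a password known to more than one person) is an assumption of the example.

```python
import re

# Constructed sample in the syslog style of sshd and pam_unix; host, users and
# addresses are made up (192.0.2.0/24 is a documentation range).
SAMPLE_LOG = """\
Mar  3 09:12:01 raq sshd[2101]: Accepted password for jeff from 192.0.2.10 port 40112 ssh2
Mar  3 09:12:30 raq su(pam_unix)[2140]: session opened for user root by jeff(uid=501)
Mar  3 10:02:44 raq sshd[2307]: Accepted password for admin from 192.0.2.77 port 51800 ssh2
Mar  3 10:03:05 raq su(pam_unix)[2333]: session opened for user root by admin(uid=500)
Mar  3 11:40:19 raq sshd[2519]: Accepted password for root from 192.0.2.77 port 51922 ssh2
"""

SSH_LOGIN = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port \d+")
SU_ROOT = re.compile(
    r"su(?:\(pam_unix\))?\[\d+\]: session opened for user root by (\w+)\(uid=\d+\)")

# Assumption for this example: accounts whose password more than one person knows.
SHARED_ACCOUNTS = {"root", "admin"}

def attribute_root_sessions(log_text, shared=SHARED_ACCOUNTS):
    """Return one record per root session: which account obtained it, from
    where, and whether that account name identifies a single person."""
    last_ip = {}   # account -> source address of its most recent ssh login
    records = []
    for line in log_text.splitlines():
        m = SSH_LOGIN.search(line)
        if m:
            user, ip = m.groups()
            last_ip[user] = ip
            if user == "root":   # direct root login: no personal account involved
                records.append({"via": "ssh", "account": "root", "ip": ip,
                                "accountable": False})
            continue
        m = SU_ROOT.search(line)
        if m:
            user = m.group(1)
            records.append({"via": "su", "account": user,
                            "ip": last_ip.get(user),
                            "accountable": user not in shared})
    return records

if __name__ == "__main__":
    for rec in attribute_root_sessions(SAMPLE_LOG):
        print(rec)
```

Only the `su` from a personal account yields a name in the log; the `su` from `admin` and the direct root login leave nothing but a source address.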