Re: Why not use root all the time?


Subject: Re: Why not use root all the time?
From: James Zuelow (jamesz@ideafamilies.org)
Date: Tue Apr 30 2002 - 12:07:50 AKDT


----- Original Message -----
From: "Justin Dieters" <enderak@gci.net>

> This is good advice even if your system is set up to ask about each file
> unless you specifically type -f.. Because sooner or later you are going
> to change distros or be on some other system and you'll type rm *
> expecting to be asked about each file and instead it will just start
> deleting all the files willy-nilly. I learned this the hard way when I
> switched from Mandrake to SuSE.. :)
>
> Justin
>
Another point to bring up is that it appears that both people who said
they run as root used webmail to post their comments. This means that
they are connecting to the internet as root.

You will see a lot of security advisories for various utilities that say
"this exploit runs with the permission of the user" - so if there is any
sort of problem with the web browser, IRC client, FTP client, etc. that
you're running, a minor 'user' exploit turns into a root exploit
automatically.

Run this: `ps aux | grep root` and you'll see your web browser, e-mail
client, etc. are all running as root (since root started them). Now
imagine that someone finds a way to pass commands to whatever web
browser you happen to be running that gives them access to the file
system (I know, you're not running Internet Explorer - just imagine for
a sec). Instead of having the access rights for Joe User, they have the
access rights of root. Bad, bad, bad. It only gets worse with stuff
like IRC clients, which have to listen on an open port in order to work.

Remember that it's not only your local users you have to worry about
when you take root out on the web. You also have to worry about finding
out exactly why that downloaded MP3 didn't play. Was it a bad download,
or was it perhaps not an MP3 at all?

Cheers,

James
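
Added example (not part of the original message): a stricter form of the `ps aux | grep root` check above, which matches on the owner column only and reports just the network-facing client programs running as root. The CLIENTS list and the sample process table are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.
# CLIENTS is an assumed, illustrative list of network-facing desktop programs.
CLIENTS='mozilla netscape firefox xchat irssi mutt pine ftp'

# Reads "USER PID COMMAND..." lines on stdin and prints "PID COMMAND" for
# every listed client whose owner column is exactly "root".
root_net_clients() {
    awk -v clients="$CLIENTS" '
        BEGIN { n = split(clients, c, " "); for (i = 1; i <= n; i++) want[c[i]] = 1 }
        $1 == "root" {
            name = $3
            sub(/^.*\//, "", name)      # strip a leading path, e.g. /usr/bin/xchat
            if (name in want) print $2, name
        }'
}

# Constructed sample in the shape of `ps -eo user=,pid=,comm=` output.
# A plain `grep root` would match five of these lines, including init, sshd
# and a non-root user editing a file under /root.
SAMPLE='root 1 init
root 412 sshd
root 903 mozilla
root 917 /usr/bin/xchat
joe 1204 mozilla
joe 1260 vi /root/notes.txt'

printf '%s\n' "$SAMPLE" | root_net_clients
```

On a live system the same function can be fed with `ps -eo user=,pid=,comm= | root_net_clients`.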




This archive was generated by hypermail 2a23 : Tue Apr 30 2002 - 12:08:30 AKDT