Linked by Thom Holwerda on Tue 28th Feb 2012 23:11 UTC
Linus Torvalds on requiring the root password for mundane tasks. "So here's a plea: if you have anything to do with security in a distro, and think that my kids (replace 'my kids' with 'sales people on the road' if you think your main customers are businesses) need to have the root password to access some wireless network, or to be able to print out a paper, or to change the date-and-time settings, please just kill yourself now. The world will be a better place." Yes, it's harsh (deal with it, Finns don't beat around the bush), but he's completely and utterly right. While there's cases where it makes sense to disable certain settings (public terminals, for instance), it is utterly idiotic that regular home users have to type in their root password for such mundane tasks.
Thread beginning with comment 508996
To view parent comment, click here.
To read all comments associated with this story, please click here.
To view parent comment, click here.
To read all comments associated with this story, please click here.
RE[3]: The opposite is also true...
by Nico57 on Wed 29th Feb 2012 20:02
in reply to "RE[2]: The opposite is also true..."
Member since:2006-12-18
RE[3]: The opposite is also true...
by bert64 on Wed 29th Feb 2012 20:12
in reply to "RE[2]: The opposite is also true..."
Member since:2007-04-23
Which is why authentication via SSH keys is a good idea...
Now brute force attempts will be ineffective, and you also have two factors required in order to gain elevated privileges so even if someone steals your privatekey they still need to do extra work (and thus increase the risk of detection) in order to get root.
RE[3]: The opposite is also true...
by Soulbender on Thu 1st Mar 2012 03:33
in reply to "RE[2]: The opposite is also true..."
Member since:2005-08-18
However, for servers, you should never use sudo.
No, it's great for servers and should always be used since it enables better permission control and audit trails.
Most servers have servers such as openssh and mail running.
That's why you don't use password authentication with ssh. If you need people to use sftp with passwords you always use chroot and force the accounts to be sftponly.
Most servers do not have mail running and for those that do the email username and password are more often than not different from the system users and passwords.
Hopefully this extra time will make it possible for someone to notice the attack.
If they didn't already catch the brute force on the account I doubt they'll catch the brute force on root.
Full sudo rights on a server == full root for everyone on the internet courtesy of botnets.
100% wrong.
RE[4]: The opposite is also true...
by laffer1 on Thu 1st Mar 2012 14:06
in reply to "RE[3]: The opposite is also true..."
Member since:2007-11-09
Most people setup sudo to gain full access, not to run select programs. Of course it's capable of that, but it's rarely used in the wild. Most linux distros ship with it enabled like a root account.
I've seen people enable sshd on root accounts without using a key. Then they got owned. Everyday I see brute force attempts against root on my server. It's ignorant because BSD defaults to root disabled. They also had sudo turned on.
Like any tool, sudo can be used correctly but unfortunately people don't use it this way. Just because you setup your server competently doesn't mean it's common.
As for mail servers, I wasn't talking enterprise here. No LDAP. I'm thinking web hosting, virtual private servers and small shops. Anyone using sendmail + an imap server is probably using system accounts. That's default. Some of those accounts probably have shell access, especially in a hosting scenario. You don't have to agree with me, but I've seen it. I used to work for hosting companies.
Features
Linked by Thom Holwerda on 06/13/13 14:35 UTC
The third and final WWDC product I want to talk about is - of course - OS X 10.9 Mavericks. While iOS 7 was clearly the focus of this year's WWDC, its venerable desktop counterpart certainly wasn't left behind. Apple announced OS X 10.9 Mavericks, the first OS X release not to carry the name of a big cat.
Linked by Thom Holwerda on 06/11/13 17:07 UTC
We already talked about iOS 7 yesterday (after a night of sleep, it's only looking worse and worse - look at this, for Fiona's sake!), so now it's time to talk about the downright stunning and belly flutters-inducing new Mac Pro. As former owner and huge, huge, huge fan of the PowerMac G4 Cube - I haven't been this excited about an Apple product since, well, I would say the iMac G4. This is the Apple I used to love.
Linked by Thom Holwerda on 06/10/13 23:13 UTC
Apple held its big keynote event thing at WWDC earlier this evening, but since I was away with friends I've had to read up on it later in the evening. The company announced iOS 7, OS X 10.9 Mavericks, and they gave a preview of the new Mac Pro. Especially the Mac Pro impressed me, and while iOS 7's new Holo/Metro-inspired theme looks messy and garish to me, I do commend Apple for finally breaking the mold. This news item will focus on iOS 7 - I'll dive into the Mac Pro and OS X 10.9 tomorrow (it's late here now).
Linked by Thom Holwerda on 06/08/13 14:57 UTC
And yes, the PRISM scandal is far, far from over. More and more information keeps leaking out, and the more gets out, the worse it gets. The companies involved have sent out official statements - often by mouth of their CEOs - and what's interesting is that not only are these official statements eerily similar to each other, using the same terms clearly designed by lawyers, they also directly contradict new reports from The New York Times. So, who is lying?
Linked by Thom Holwerda on 06/07/13 11:40 UTC
This story is getting bigger and bigger. Even though most Americans probably already knew, it is now official: the United States government, through its National Security Agency, is collecting the communications and data of all American citizens, and of non-Americans using American services, through a wide collaboration with the large companies in technology, like Apple, Google, Microsoft, Facebook, and so on. Interestingly enough, the NSA itself, as well as the US government, have repeatedly and firmly denied this massive spying on Americans and non-Americans took place at all.
Linked by Thom Holwerda on 06/04/13 12:45 UTC
Ah, patents - the never-ending scourge of the technology industry. Whether wielded by companies who don't actually make any products, or large corporations who abuse them because they can't compete in the market place or because they're simply jerks, they do the industry a huge disservice and are simply plain dangerous. According to The Wall Street Journal (circumvention link), president Obama is about to take several executive actions to address patent trolls - which may seem like a good idea, but I am very worried that all this will do is strengthen the positions of notorious patent system abusers such as Apple and Microsoft.
Linked by nfeske on 05/31/13 10:12 UTC
With version 13.05, the developers of the Genode OS Framework take measures to ensure that Genode continues to scale well with a growing number of users and the steadily broadening platform coverage. Further highlights are the improved SoC support for Exynos 5, OMAP4, Raspberry Pi, i.MX, and new components for realizing headless systems.
Linked by Thom Holwerda on 05/29/13 16:59 UTC
At the D11 conference, Apple CEO Tim Cook once again took the stage to be interviewed by Walt Mossberg and Kara Swisher. While most of the interview can be replicated by picking and reading 10 random Apple fanblog stories - there were still a number of very interesting things that warrant some closer scrutiny.
Linked by Thom Holwerda on 05/24/13 17:26 UTC
So, the Xbox One disaster continues. Microsoft's policy for dealing with the used games market has reportedly leaked - and it's a clear and direct attack to destroy the used games market. Prices for used games will be set at the retail value of a new game, and retailers have to hook into Microsoft's computer systems and comply with Microsoft's terms and conditions.
Linked by Thom Holwerda on 05/21/13 21:38 UTC
At an event earlier today, Microsoft unveiled the next Xbox - the third model, but confusingly named Xbox One. The big focus was TV, integrated Kinect, and all the other stuff we all expected to be forced down our throats. I think it took them 25 minutes to actually come to what should be the core of the story: gaming. Nothing groundbreaking in the gaming department, except for how Microsoft intends to handle the used games market and borrowing games from friends: pay up, buddy!More Features »
Sponsored Links
Member since:
2007-11-09
This is wrong. sudo is great for desktops. However, for servers, you should never use sudo. Why? Most servers have servers such as openssh and mail running. That means someone can brute force your password remotely. If you have a root password set, then even if they get into your account, they must take the time to brute force root. Hopefully this extra time will make it possible for someone to notice the attack.
Full sudo rights on a server == full root for everyone on the internet courtesy of botnets.