[GRLUG] Distro's - was GRLUG test comment

Raymond McLaughlin driveray at ameritech.net
Fri May 5 01:28:53 EDT 2006 

Tim Schmidt wrote:

>  There's such a thing as
> simplification for clarity (such as naming the user admin rather than
> a more typical name and attempting to explain that they function as a
> local administrator).

I know, I just couldn't pass it up.


> As far as breaking admin's account, sure.  It's no worse than a
> seperate root account with a password in that respect.
> 
>> > If no one is actually named 'admin', guessing which user to brute force on a
>> > basic Ubuntu system is simple. If you "ls -n /home" and go for the user with the
>> > lowest uid you'd probably guess right.
> 
> Good call.
> 

If you really wanted to you could "randomize" your uids, but before you bother 
doing something like this you should consider things like physical security. 
[Physical access + a bootable CD = all over ] unless you have password protected 
bios and a locked case, etc.

> One less password to guess, one less possible vector.

Um, I'd say -1 vector for loosing root password and +1 vector for adding a user 
who can sudo anything at will. Looks sum zero to me.

>> So it seems to me that a scheme that allows any given user the power to sudo
>> *anything* is more about cultivating prudent habits than security per se.
> 
> Hmmm...  Ubuntu allows one user to sudo anything.  So I'm not sure
> where you got the any given user part...

You are right, my wording was poor there. I meant "... any one particular user..."

> However, cultivating prudent
> habits is 9/10 of the battle.  It's much easier to discourage use of
> the root account if it's completely disabled.

Good point. And for some one setting up a system for someone else it might be 
prudent to create a "trusted" user account, such as a personal account for the 
installer, first. Then create one or more accounts for other people. The big 
question is "Does the user expect to admin their own machine or not?"

>> Sorry if I misunderstood your discussion.
> 
> I'm just trying to correct a few people's misconception (that sudo is
> somehow less secure than using root and su).

Ah! Certainly not *less* secure. It's arguably a bit more secure, but I'm just 
not quite convinced. It's hard to generalize when there are so many other 
factors to consider.

> --tim

Ray

More information about the grlug mailing list