[GRLUG] Distro's - was GRLUG test comment

Ron Lauzon rlauzon at gmail.com
Thu May 4 19:03:17 EDT 2006


Tim Schmidt wrote:
> _A_ normal user.  As in one.  The first one setup on the system. 
> Which is, presumably, you.  Since you installed the OS.
>   
So, we now have a normal user that is allowed to run commands a root 
without verification that he can do so.
> No it can't.  It must supply your password to do so, which is one-way
> hashed on your drive.
Ya, so?  All that supplying my password proves is that I am me.  That's 
it.  It doesn't prove that I should be running things as root.

> The secret is the user's password.
>   
Insufficient, IMO.

> It checks your password, and the sudoers file.
>   
And since the user has all the power of root, he can change the sudoers 
file.  Not much security there either.

On my Mandriva system, the install sets up root and asks for the root 
password.  Then it asks me to set up a "normal" user - this is what I 
log in as to do my normal things.  When I need the power of root, I must 
supply the root password, proving that I should be doing those things as 
root.

On Ubuntu, the install doesn't install a root password, but asks me to 
set up a "normal" user.  It then proceeds to give this "normal" user all 
the access of root, with only the minor speed bump of having to enter 
the user's password as "security".  In my professional opinion, this 
isn't secure and wouldn't be permitted on any corporate system.  Home 
system, maybe, but not anything more than that.

Think of a non-computer savvy user.  He runs a neat "utility" that he 
just downloaded.  He's used to getting popups that ask for his password 
from other programs.  This "utility" does that too.  But this "utility" 
it a trojan that proceeds to infect his system with some sort of malware.

So, to secure the system, we have to create yet another user.  One that 
can't sudo (or may be able to sudo only certain commands), leaving the 
first user ID set up to be, in effect, root.
Or, set up the root password and remove the first user from the sudoers 
list.

Either way, we end up with the same configuration as my Mandriva system 
- but instead of getting it automatically, I had to think about it and 
configure it myself.

-- 
Ron Lauzon - rlauzon at acm dot org
   Homepage: http://7lauzon.home.comcast.net/
   Weblog: http://ronsapartment.blogspot.com/

   DNRC: Lord of All Things That Are Fattening

   "To be sure, conservative radio talk show hosts have a built-in
   audience unavailable to liberals: People driving cars to some
   sort of job." - Ann Coulter

Microsoft Free since July 06, 2001
Running Mandriva Linux 2005LE



More information about the grlug mailing list