[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Login as root/su/sudo?
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: Login as root/su/sudo?
- From: "Nikolai N. Fetissov" <nickf_(_at_)_peachisland_(_dot_)_com>
- Date: Tue, 8 Jun 2004 00:56:10 -0400 (EDT)
Enforced su/sudo (no direct root) do slow down an intruder
and do offer some marginal protection against mistypes,
but the main advantage here is _accountability_. Of course
sudo rm -rf /var/log/* is possible, but that's where remote
logging comes helpful.
nickf3, my $0.03
On Mon, 7 Jun 2004, Adam ...:
> On Mon, Jun 07, 2004 at 07:01:28PM -0400, Adam Skutt wrote:
> > Adam wrote:
> > >
> > >Except that it also helps prevent you from accidently breaking your
> > >system. I find people who log in as root end up doing something like rm
> > >-r * to clean up some random thing they were doing, but oops, they were
> > >in /, not /root like they thought.
> > It only prevents you from doing dumb stuff like this if you actually
> > setup sudo to prevent you from running rm in certain directories.
> > That would pretty much kill its usefulness. At best, you give it a list
> > of directories you want it to avoid, but that can still be beaten using
> > "../../*" or smiliar.
> > -- Adam Skutt
> No, you see all the stupid output files I used to do random_task_x can
> be created, written and owned by a regular user. So you don't run sudo
> rm -r, you just run rm -r.