Announcing Fedora 11 Alpha (blink)

John Summerfield debian at herakles.homelinux.org
Tue Feb 10 23:06:28 UTC 2009 

Rahul Sundaram wrote:
> John Summerfield wrote:
>> Rahul Sundaram wrote:
>>> John Summerfield wrote:
>>>>
>>>> Finally, when all is said and done, security is _my_ problem. 
>>>
>>> Depends. People usually crack a system and then use it as a gateway 
>>> to crack other systems. Then it becomes more of a global issue.
>>
>> I neglected to mention, I've seen some cracked Linux system. The 
>> presence of X or equivalent (were it present) was completely irrelevant. 
> 
> In general, it is a good security principle to only install what is 
> necessary but I was replying to your point about GDM disabling root 
> access by default.  It does make a pretty big difference if your system 
> is running as root all the time or if you are using your system with 
> elevated privileges when not necessary.
> 
> http://www.bress.net/blog/archives/133-Security-Week-in-Review-2009-02-01.html 

I already knew it was something like that.

I still say a vendor's disabling root login by default is particularly 
stupid.

Yesterday I did an interactive install of RHEL5-clone. There was no 
opportunity to create a user account.

If this was a standard RH setup, I would have an installed RHEL system 
with only GUI tools to configure stuff and no obvious ability to login 
and do it.

I administer a small network of Windows computers.

We have no AV software.

Our users are students. Yesterday, a prospective student's mother missed 
an appointment with our principal because her child was suspended from 
the current school. "That's our kind of student," the principal chortled 
when he told us about the incident. Many of students are well known to 
the local police and courts, and sometimes they take a break from school 
to spend some time in a more rigorous institution. Some delight in 
viewing parts of the Internet we are obliged by law to prevent them from 
seeing, and are well-versed in ways around school security.

Despite their proclivities, in the several years I've been looking after 
these computers, I have yet to see an infection of any kind of malware.

We do have a fairly serious lockdown using group policy and a stringent 
firewall.

I understand the need for security, and Windows XP, even with SP2 
installed is a bad joke, but so is making administrative logins difficult.

For those who don't know, a standard XP Professional SP install
1. Does not provide a chance to set a password for Administrator
2. Requires one to create at least one user account, one of which must 
be an administrator. I don't recall that one can set a password, but I'd 
have to do another install to be sure.

Odds are good that's how most people use their computers, so 80% or so 
is not surprising.

Linux installations requiring user accounts is sensible (except in a 
corporate environment, where accounts are managed globally). Requiring a 
  password for the administrator's account is sensible, in any 
environment. Disabling root is sensible.

OTOH vendors setting client's security rules is not sensible. I would 
prefer enabling root logins if the root account is enabled. By all 
means, give root a one-page summary on first login about why it's a bad 
idea. I like SUSE's red (danger lurks here) background decorated with bombs!

Advising users to not login as root is sensible, and so is giving them a 
choice at install time.

-- 

Cheers
John

-- spambait
1aaaaaaa at coco.merseine.nu  Z1aaaaaaa at coco.merseine.nu
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

You cannot reply off-list:-)

More information about the test mailing list