Re: make world and setuid bits
From: Crist J. Clark (cjc@FreeBSD.ORG)
Date: 03/29/02
Date: Thu, 28 Mar 2002 20:40:53 -0800
From: "Crist J. Clark" <cjc@FreeBSD.ORG>
To: Garrett Wollman <wollman@lcs.mit.edu>

On Thu, Mar 28, 2002 at 09:55:52PM -0500, Garrett Wollman wrote:
> <<On Thu, 28 Mar 2002 17:43:04 -0800, "Crist J. Clark" <cjc@FreeBSD.ORG> said:
>
> > Some sites may use this policy, but I would never like it. It requires
> > direct logins as root.
>
> It may make some sense in limited circumstances. For example, my
> Kerberos KDC has only one interactive user (root), does not support
> network login (duh!), and is locked in a box in one of my machine
> rooms. *Any* escalation of privilege on that machine represents a
> serious security problem.
Again, personally, if more than one user has access to the machine, I
prefer to have people use individual accounts and su(1) to root for the
sake of an audit trail (Obviously, people who have root and physical
access can almost certainly tamper with the logs, but it is still
useful). YMMV.
--
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org