Re: dangerous to leave root logged in?

From: HansF (News.Hans_at_telus.net)
Date: 03/29/05


Date: Tue, 29 Mar 2005 04:57:19 GMT

On Mon, 28 Mar 2005 11:42:37 -0800, hans_schulze98 wrote:

> Is it a problem to leave root logged in at all times?

It might not be a problem. The following leaves technical issues aside ...

It is about the same level of thought process as leaving your bank account
number on a table in the office lunch room. For some people, that would
be quite acceptable.

I'd recommend spending a minimum amount of time reading Bob Toxen's "Real
World Linux Security" for some discussions about where and why security
issues can happen. (http://www.realworldlinuxsecurity.com/)

In addition, reading through any professional security documentation
quickly indicates that a large portion of security breaches are internal
to an organization. (Like giving the kids your credit card.) If that's
OK in the environment, then there really should be no problem leaving root
logged in at all times. Just need to ask yourself whether the person
responsible for the decision is also responsible for, and can be held
accountable for, a security breach when the door has been left this wide
open.

On the other hand, if the system is anywhere near a Sarb-Ox environment,
you might run into a legal issue and open the company to a significant
potential for fines and other legal hassles. For further details, just ask
your corporate auditor.

And, if this is in a business environment, you might not even have a
choice about this as company policy might have already decided it for you
- in which case your corporate lawyer[s] or HR people would be the people
to answer the question.

/Hans


