Re: dangerous to leave root logged in?

From: prg (rdgentry1_at_cablelynx.com)
Date: 03/30/05


Date: 29 Mar 2005 21:11:39 -0800


Julia Thorne wrote:
> On Mon, 28 Mar 2005 15:28:43 -0800, Keith Keller wrote:
>
> > The basis of the advice is to minimize the chance that, intentionally
> > or by accident, a dangerous command can be used by root. If all of
> > your root-authorized users are perfect all of the time, then there's
> > probably no problem with leaving a root shell available at all times.
>
> Oh come on. You guys are getting desperate now. You can't provide
> a concrete, *technical* answer to his question, he won't accept
> your religious *nix dogma, and you're grasping at straws now.
>
> Hmm. Users will make mistakes if they use a root shell that's
> already open, but they won't make those mistakes if they have to
> login first. No, sorry... it just doesn't make sense.
>
> Keeping root logged OUT most of the time seems like safe conservative
> advice, since it probably won't do any harm. But if there's a
> *technical* risk (not a personnel risk) in having a root shell open
> from one console, while another user is logged into another console,
> what IS it, exactly? If the root shell is a security hole when it's
> been open for an hour, isn't it a security hole during the 30 seconds
> that you'd have it open? If somebody on the LAN knows of a security
> vulnerability of open root logins, won't he have a script or program
> that watches for that root login and exploits it the instant that
> it appears?
>
> So... what IS that vulnerability? I wouldn't be surprised to hear
> that there is one (I'd be surprised if there isn't), but what IS
> that vulnerability? This question comes up frequently, and nobody
> ever has an informed, useful answer- just insults for the questioner,
> and advice like "If you weren't stupid, you'd use <insert name of
> software here>", "You post to Usenet with a Windoze program, so
> you shouldn't be allowed to ask questions about Linux!"... as if
> people should post to Usenet using the company SERVER, instead of
> their desktop machine.
>
> ***
> Most of the opinions preached here, regarding how things should
> be done, seem to be based on corporate experience in situations
> where anybody and his dog could wander in & out of the machine
> room unwatched and unsupervised. Those experiences don't prove
> that root access is bad; they prove that you should have locked
> the door to your office. Or that the boss should stop giving
> group tours of the IT department to all visitors. ;-)
>
> I can't believe how many of you suggest remote "secure" login as
> a solution to the problem. How could anybody possibly believe
> that remote root login is safer than console-only root login??
>
> Maybe my viewpoint on "secure remote access" is different because:
> A: I don't use a Linux GUI.
> B: I don't work in a corporate IT environment, "helped" by the
> half-trained chimpanzees that serve as IT employees nowadays.
> C: I run Web/Mail/FTP servers, where those chimpanzees (when
> they go home for the night) spend all their time banging on
> my Web server with bananas, trying to hack in.
>
> Wait... I wandered off the thread topic... Oh, yeah: what is the
> danger of an open root shell login being exploited by another
> user on the network?

http://www.google.com/search?&as_qdr=m6&q=linux+bash+vulnerabilities+fedora&as_qdr=m6
Results 1 - 50 of about 6,080 English pages over the past 6 months for
linux bash vulnerabilities fedora.

Just one distro. Enough said?

prg


