[no subject]
This yet again shows how one person's perception is not always another's
reality. I do use email/telnet/passwords/etc but how do you know I use
them insecurely? I use telnet all the time, either on controlled
networks or over a VPN. In either case it is normal and acceptable to
use telnet; in some of these arenas it may even be prohibited to use ssh
due to corp/govt policies. Your assumption that I would telnet into a
trusted host across a public network is just plain insulting. Woe to
you for having so narrow a perception about how I use tools/apps. ;-)
> Meanwhile, another user with the same setup but running as an
> unprivileged user has made it one step harder for the complete system
> to be compromised. Chances are better that a keylogger or a module to
> intercept data before it is encrypted is harder to install.
That is just not true. If you as a user can run applications that
interpret keystrokes, so can some viral keylogger. There is nothing
root or non-root specific about it.
> Is it impossible? No. Is it at least a little bit harder? Yes.
How is it a bit harder? An extra step? Security through obscurity...
> Which machine
> do you think the attacker would focus on? (Assuming he has already
> been able to determine what the user's privilege level is.)
This part of your argument is lost due to not being convincing that an
attacker could get this far. If the attacker could get this far
(captured keystrokes/passwords) then they have what they need, and all
that can be done without the user even running as root.
> Now, let's turn the question around. Can you tell me why a user that
> only needs to read email, surf the web, and ssh/*shudder*telnet into
> other systems needs to run as a super user or be in the super user
> group? Dare I say that there isn't a single valid reason? I think that
> I do.
burn dvds
use /dev/ttySO
mount additional tmp space
add users (a friend might need temp access)
config iptables/network/tunnels
load/unload usb/vmware/vpn modules
bring up a VPN
All of the above CAN be done by a user through a 1000 hoops and loops,
but in my opinion the risk is greater in the 1000 config/sudo/setuid
changes than to just know what you are doing and run as root. YMMV.
-Jim P.
</pre>
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
</body>
</html>