Re: theoretical question - can root's username be changed?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, 2005-12-02 at 14:22, Mike McCarty wrote:
> Scot L. Harris wrote:
> > On Fri, 2005-12-02 at 00:17, Mike McCarty wrote:
> > 
> >>John Summerfied wrote:
> >>
> >>>Mike McCarty wrote:
> >>>
> 
> 
> [snip]
> 
> >>>The windows model is, to my mind better; where it falls down is the 
> >>>implementation.
> >>
> >>The Windows NT (and hence XP) model is superior, yes.
> >>
> > 
> > 
> > Is it?  Best practice is to use the least privilege possible to get the
> > job done.  By creating users that login with super user privileges you
> > break that best practice.  You still need a user that can admin the
> > box.  But individual users under linux or any unix like OS can be
> > granted all or some of roots capabilities via sudo or similar
> > utilities.  Users should not be encouraged to login directly as root to
> > prevent several of the problems you listed above.  By logging in as a
> > normal user and then using su or sudo an audit trail is left so things
> > can be tracked down if needed and traced to a particular users account. 
> > Logging in directly as root leaves it open as to which user did
> > something on the system.
> 
> Nothing you said disagrees with what I wrote.
> 
> > Windows suffers because by default most users have admin or super user
> > capabilities.  This in turn becomes the conduit that so many of the
> > viruses use to gain complete control of the system.
> 
> Eh? Not on any machine I administer, they don't.
> 

Which is as it should be.  But then you are a good administrator.  :)
I doubt you will find that many users, other than at your site, that
don't have full admin capabilities on their standard user account.  And
most likely they never login as administrator because they have no need
to.  This allows them to blindly install software by just clicking on
it.

Under linux you can use sudo to allow a user to execute specific things
with elevated privileges when needed.  In most cases that is not even
required.  But it does allow you to grant new admins limited
capabilities until they learn the ropes and you learn to trust them. 
This can be done on a command by command basis.

> > If they used the least privilege rule viruses would not be as easy to
> > spread since they would not run with super user like privileges in most
> > cases.
> > 
> > Both systems can be run securely by using best practices.  Unfortunately
> > most windows systems by default do not use such practices.  And many new
> > linux users use root as their day to day login instead of setting up a
> > normal user.  In the long run that will come back to bite them.
> 
> ANY security system can be abused.

No argument with that statement.  :)


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux