On Tue, 2004-07-27 at 23:51, Fritz Whittington wrote:
> On or about 2004-07-27 20:48, Jeff Vian whipped out a trusty #2 pencil
> and scribbled:
>
> >On Tue, 2004-07-27 at 13:54, Craig White wrote:
> >
> >>On Tue, 2004-07-27 at 11:15, Fritz Whittington wrote:
> >>
> >>>*Mail read with Mozilla on a Windows machine from a POP3 server doesn't
> >>>have root's privileges either!*
> >>>(And yes, you can do anything in vi that you might want to do in emacs,
> >>>so let's just ship *one* editor with the system and force everyone to do
> >>>it *that* way, just because! OK with you? I thought not.) Of course,
> >>>I guess I could set up the foo alias and then read foo's mail with
> >>>Mozilla on a Windows machine from a POP3 server. Can you prove that to
> >>>be even a tiny bit more secure?
> >>>
> >>---
> >>
> >
> >MUCH more secure, since the user foo would not have root privileges. If
> >that account is cracked they still are restricted on privileges. If the
> >root account is cracked all bets are off.
> >
> >Pop3 and imap protocols pass user name and password in plain text when
> >logging in.
> >
> >The issue is not the privileges of the mail client but the security of
> >the accounts when using plain text to log in and the possible privileges
> >when logging in to those accounts if someone gains access by obtaining
> >the password.
> >
> >>that isn't the point though. If root can retrieve email from his account
> >>- be it local or remote is the issue. You are differentiating a system
> >>that doesn't differentiate. Restricting root's access locally would
> >>require something like hosts.allow/deny or iptables, both of which are
> >>beyond the safeguards of dovecot or whichever pop/imap daemon you
> >>employ.
> >>
> >>Proving that accessing mail from account foo or account root via POP3
> >>remotely is inherently more secure is not relevant.
> >>
> >
> >The security issue with reading mail as root via pop3 or imap is the
> >password. With these clients the password/username is passed in plain
> >text and for security that is not acceptable as root.
> >
> Not true for the pop3s and imaps versions.
>

Exactly, which is why I listed the ones I did.

> >Sniffers to read plain text from the network are common.
> >
> Perhaps you have not read all the previous postings carefully. A
> sniffer that could read anything off of the 2-foot long patch cords that
> connect my Linux and Windows boxes to the LAN switch would be uncommon
> indeed. Anyone who could install such a thing could much more easily
> re-boot my Linux in single-user mode and do whatever he wished, since he
> would have to break into my house to do either of those.
>

True, but this discussion had gotten pretty general, and who knows what
devices may be listening along the routes taken to get places on the
internet.

> It's not that I don't believe in taking security measures, but that they
> should be appropriate to the circumstances. I don't run to the bank
> every night to put my Bic ball-point pens in the safety-deposit box
> until the next morning.
>

And why not? :-)

Seriously though, if you are confident in the security of your systems
you can adjust privileges to whatever you want.

Most of us on this list are concerned with security that will survive
more than a few minutes in the hostile environment known as the
internet. We build habits and make recommendations that will survive in
the worst case conditions. I think most of the suggestions you have seen
have been focused there and as such may be way more than you apparently
need.

One additional thing to keep in mind is habits. If you are teaching your
users that security is not necessary (or minimal) then when they get to
the real world they will be terribly ill prepared, and will have very
lax habits related to security. That may be doing them a disservice.

The reason I refuse to run any M$ product is exactly that. Security is
an afterthought with them (user friendliness is first priority) and as
such is non-existent in the OS.
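
An added example, not part of the original message or thread: a small audit of the point argued above, that a POP3 or IMAP login on the plain ports exposes the user name and password while pop3s/imaps do not, and that a root login makes the exposure worse. The function names, the severity labels and the sample sessions are constructed for illustration; it assumes a client-sent STLS/STARTTLS was accepted by the server and does not cover SASL AUTH/AUTHENTICATE exchanges.

```python
"""Flag mail-retrieval sessions whose login crossed the wire in clear text."""

IMPLICIT_TLS_PORTS = {993: "imaps", 995: "pop3s"}  # TLS from the first byte
CLEARTEXT_PORTS = {110: "pop3", 143: "imap"}       # plain unless upgraded
PRIVILEGED = {"root"}                              # accounts that must never leak

def _finding(proto, user):
    return (proto, user, "critical" if user in PRIVILEGED else "warning")

def audit_session(port, client_lines):
    """Return (protocol, user, severity) for each exposed login in one session."""
    if port in IMPLICIT_TLS_PORTS:
        return []                        # pop3s/imaps: nothing readable on the wire
    proto = CLEARTEXT_PORTS.get(port)
    if proto is None:
        raise ValueError(f"not a POP3/IMAP port: {port}")
    findings, encrypted, pop_user = [], False, None
    for line in client_lines:
        words = line.split()
        if proto == "imap":
            words = words[1:]            # drop the IMAP command tag ("a1")
        if not words:
            continue
        verb = words[0].upper()
        if verb in ("STLS", "STARTTLS"):
            encrypted = True             # assumption: the server accepted the upgrade
        elif encrypted:
            continue                     # everything after the upgrade is protected
        elif proto == "pop3" and verb == "USER" and len(words) > 1:
            pop_user = words[1]
        elif proto == "pop3" and verb == "PASS":
            findings.append(_finding(proto, pop_user))
        elif proto == "imap" and verb == "LOGIN" and len(words) > 2:
            findings.append(_finding(proto, words[1].strip('"')))
    return findings

# Constructed sample sessions: (server port, commands sent by the client).
SAMPLE = [
    (110, ["USER root", "PASS constructed-secret", "STAT", "QUIT"]),
    (110, ["CAPA", "STLS", "USER root", "PASS constructed-secret"]),
    (143, ['a1 LOGIN foo "constructed-secret"', "a2 SELECT INBOX"]),
    (995, ["USER root", "PASS constructed-secret"]),
]

def audit_all(sessions):
    return [audit_session(port, lines) for port, lines in sessions]

if __name__ == "__main__":
    for (port, _), result in zip(SAMPLE, audit_all(SAMPLE)):
        print(port, result or "no clear-text login")
```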