[ale] Linux Distributions
Jason Day
jasonday at worldnet.att.net
Tue May 17 17:18:01 EDT 2005
On Tue, May 17, 2005 at 04:09:11PM -0400, Jim Popovitch wrote:
> On Tue, 2005-05-17 at 15:10 -0400, Jason Day wrote:
> > This argument may apply to an isolated computer, but it falls flat when
> > you consider a computer that is connected to the internet on, say, a DSL
> > or cable modem. If you always run as root, and your account gets
> > compromised, then your entire system is owned, a potential zombie or
> > spam relay, and a platform for launching new attacks. If you normally
> > run as a normal user, and your account is compromised, then the
> > potential for damage *to others* is much less, because the compromised
> > user account cannot do everything that root can do.
>
> Your examples (spam relay, zombie) don't require root, what do you think
> needs root to launch an attack? Again, these are 20 year old
> arguments that apply to servers (for hacking websites, dns, email) that
> have zero bearing on desktop PCs.
A spam relay daemon cannot bind to port 25 unless it is started as root.
That makes it less useful, since clients must be reconfigured to use a
nonstandard port.
While it is certainly possible to run a remote-control daemon as
non-root, it won't be able to hide itself and can be trivially detected
and killed. A remote-control program that is installed and run as root
as part of a trojan or other malicious program however can also replace
system files like netstat and ps, or even install kernel modules, to
avoid detection.
As I said before, a Linux box connected to the internet with an
always-on connection like DSL or cable is, for all intents and
purposes, a server. The fact that these arguments are 20 years old
lends them more credibility, not less.
>
> > I suppose, from a purely selfish point of view, it makes no difference.
> > Unless you're held accountable for actions an attacker takes using your
> > compromised computer.
>
> That assumes that you can come up with something malicious that needs
> root rather than a non-root account. What action does an attacker need
> root for that I could be held accountable (presumably to others) for?
See above. Running as non-root doesn't eliminate risk, it just reduces
it.
> > It's really not that big a deal to add your user account to the dvd,
> > video, audio, games, etc. groups.
>
> BINGO. That was my original entry into this thread. I can configure a
> thousand things (thereby giving my user account god-like access) or I
> can just "useradd jimpop -u 0". There really isn't much difference on a
> desktop single-user PC/laptop.
Adding your user account to the audio, video, dvd, and games groups is
hardly equivalent to giving it god-like access.
> > > > there's no rationale for running as root.
> > >
> > > Sure there is. You may not see it however.
> >
> > It's the same old argument that always comes up: security vs.
> > convenience. Like many things, it's more convenient to run as root, but
> > less secure.
>
> HOW IS IT LESS SECURE??? Less secure for who? The User? LOL! Running
> as a user is just as insecure for that user.
I thought I made it pretty clear that it's less secure for everyone
else, not necessarily for the user. Jerry made an excellent point with
his DUI analogy.
> > The first requires an extra step. If a trojan script has "mkfs
> > /dev/hda8" in it, and you execute it as root, you just lost your
> > filesystem. If you execute it as a normal user you're safe. That is,
> > admittedly, a contrived example, but the principle still holds.
>
> First off, it is too easy to have a malicious virus try both ways (mkfs
> vs sudo mkfs). In fact, I bet it can be done in a one line perl script
> to format all available partitions. HOWEVER, the other argument being
> given is that running as root allows zombies to magically infect your
> machine. Isn't mkfs the best thing for a zombie infected machine? :-)
I was only trying to make a point, and I even specifically said it was a
contrived example. The point I was trying to make, apparently
unsuccessfully, was that requiring the user to become root first before
executing dangerous commands like "mkfs /dev/hda8" adds a small layer of
security. A simple script that tries to execute a privileged command
will fail if run by a normal user.
And I never said "running as root allows zombies to magically infect
your machine." Maybe I wasn't clear enough in my original post, but
surely even you can admit that accidentally executing a trojan as root
is worse than executing it as a non-root user?
Jason
--
Jason Day
jasonday at worldnet dot att dot net
http://jasonday.home.att.net
"Of course I'm paranoid, everyone is trying to kill me."
-- Weyoun-6, Star Trek: Deep Space 9
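The privileged-port point in Jason's reply (a relay daemon cannot bind port 25 unless it is started as root), as an added example that is not part of the original thread: the usual defensive pattern is to bind while still root and then drop to an unprivileged account, so that a later compromise of the daemon yields that account rather than root. Python on Linux; the `nobody` account and the helper names are assumptions for illustration.

```python
import os
import pwd
import socket

PRIVILEGED_PORT_LIMIT = 1024  # ports below this need root (or CAP_NET_BIND_SERVICE on Linux)


def is_privileged_port(port: int) -> bool:
    """True if binding this port traditionally requires root on Unix."""
    return 0 < port < PRIVILEGED_PORT_LIMIT


def try_bind(port: int, host: str = "127.0.0.1"):
    """Try to open a TCP listener; return (socket, None) or (None, error text)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    try:
        sock.bind((host, port))
        sock.listen(5)
        return sock, None
    except PermissionError as exc:  # EACCES: the classic non-root failure on port 25
        sock.close()
        return None, f"port {port} needs root: {exc}"
    except OSError as exc:  # e.g. EADDRINUSE
        sock.close()
        return None, f"bind failed on port {port}: {exc}"


def drop_privileges(username: str = "nobody"):
    """If the effective uid is root, switch to an unprivileged account; return (euid, egid)."""
    if os.geteuid() != 0:
        return os.geteuid(), os.getegid()  # already unprivileged, nothing to do
    entry = pwd.getpwnam(username)  # 'nobody' is an assumption; use a dedicated service user
    os.setgroups([])  # order matters: groups, then gid, then uid (the first two need uid 0)
    os.setgid(entry.pw_gid)
    os.setuid(entry.pw_uid)
    return os.geteuid(), os.getegid()


def start_daemon(port: int, username: str = "nobody") -> dict:
    """Bind first (while possibly root), then drop root before serving anything."""
    sock, err = try_bind(port)
    if sock is None:
        return {"bound": False, "error": err, "euid": os.geteuid()}
    euid, egid = drop_privileges(username)  # the open listening socket survives the uid change
    port_in_use = sock.getsockname()[1]  # actual port (useful when port 0 was requested)
    sock.close()  # a real daemon would accept() connections here instead
    return {"bound": True, "port": port_in_use, "euid": euid, "egid": egid}
```

Run as a normal user, `start_daemon(25)` returns the EACCES failure the post describes, while `start_daemon(0)` (an ephemeral port) succeeds without ever holding root.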